0
/ Published in Brand, Immunity, Product

Agora Exploitation Pack for CANVAS

Agora Exploitation Pack for CANVAS. Due to the product continuous update in nature, so we prepare this post for those who interest to know what is include inside. Latest update will be show on the top, while older update will be auto show below. This post will keep update and the post date will follow the latest date, so it will show one post date, rather than multiple post for hassle free reading in one post. This post is about CANVAS Exploitation Pack (CEP) Agora, it need to be use with CANVAS Exploitation Testing Framework. Feel free to contact E-SPIN for product and related matter.

Agora Exploitation Pack for CANVAS Product Overview

The Agora Pack was released by GLEG research team in the beginning of 2008.
The Pack is a successor of Argeniss ultimate 0day pack, which was developed since 2006 and acquired by GLEG in 2008.

More than 50 database modules contained in Argeniss pack were redesigned and included to Agora.

The Pack is continuously enhanced and now contains more than 550 modules.
To keep exploit pack always actual, we provide monthly updates with 3-7 modules for most valuable fresh vulns.

Current updates are focused on Web related software and a value add: defense bypass + database modules.

The Agora Pack features:

  • Fresh & unpatched stuff each month – 3-7 modules
  • Modules for latest mainstream WEB related software
  • Value add: Modules to defeat the defense, hack the database etc.
  • New attack techniques

2020-Feb-29 Agora 2.98:
– Voyager 1.3.0 – Directory Traversal. public
– Online Book Store 1.0 – SQL Injection. public
– Online Book Store 1.0 – Unauthenticated Remote Code Execution. public
– Crystal Live HTTP Server 6.01 Directory Traversal. public

2019-Aug-10 2.82 ver. of Agora contains following addition:

– ag_cisco_small_business_sa500_lfi – Cisco Small Business SA500 Series – Local File Inclusion. public
– ag_Firefox_68_DoS – Firefox 68.0.1 – funny DoS.  public
– ag_Oracle_Business_Intelligence_DirTrav – Oracle Business Intelligence Directory Traversal. public
– ag_sysgauge_server_dos – SysGauge Server 3.6.18 – Denial of Service. CVE listed

2020-Jan-28 2.97 Agora updates:
– Roxy Fileman 1.4.5 For PHP Arbitrary file delete. public
– Roxy Fileman 1.4.5 For PHP Local File Inclusion. public
– Integard Pro NoJs 2.2.0.9026 – Remote Buffer Overflow. CVE-2019-16702
– rimbalinux AhadPOS 1.11 – SQL Injection. public

2019-Dec-31 Agora 2.96 :
– Freefloat FTP Server Denial of Service. public
– Image Viewer CP Gold SDK ActiveX Remote File Create Vulnerability. 1Day
– Jobberbase 2.0 CMS SQL injections. public
– MOVISTAR BHS_RTA ADSL Router Remote File Disclosure. public

2019-Sep-29 2.93 Agora:
– jc21 Nginx Proxy Manager. CVE-2019-15517
– Karenderia Multiple Restaurant System 5.3 – Local File Inclusion. public
– Sahi pro 8.x CVE-2019-13063
– pretty often used NCTAudioEditor ActiveX sploit

2019-Sep-1 2.92 Agora:
– Apache Tika 1.15 – 1.17 – Header Command Injection. [public] – Apache Tomcat 9 – Remote Code Execution. [public] – Flightpath – Local File Inclusion. [public] – Ahsay Backup 7.x – 8.1.1.50 – Authenticated Arbitrary File Upload / Remote Code Execution. [public]

2019-Jul-29 July updates: Agora 2.92
ag_cisco_small_business_sa500_lfi – Cisco Small Business SA500 Series – Local File Inclusion. public
ag_Firefox_68_DoS – Firefox 68.0.1 – funny DoS. public
+
ag_Oracle_Business_Intelligence_DirTrav
and DoS for SysGauge Server 3.6.18

2019-Jul-23 2.90 ver. of Agora contains 2 modules. List:

– KONE elevator groups controlling software Directory Traversal. CVE-2018-15486
– most of windows platforms Remote Desktop Denial of Service. public.

2019-Jun-3 2.89 ver. of Agora contains 3 modules. List:

– KKMServer 2.1.26.16 XSS. [1day] – KKMServer 2.1.26.16 Denial of Service. [1day] – KKMServer 2.1.26.16 Directory Traversal. [1day]

2019-May-21 2.88 ver. of Agora contains 4 modules. List:

– Nice registry editor weakness. edbid46533
– Microsoft Windows 10 scrrun.dll file creation weakness
– Mongoose Web Server 6.9 Denial Of Service. [1day]
– KKMServer 2.1.26.16 XSS
2019-Apr-2 2.87 ver. of Agora contains following update:
– Core FTP 2.0 build 653 Denial of Service [1day] – Embarcadero CodeGear Socket Server Denial Of Service [1day] – Ebrigade ERP 4.5 Error-based SQL Injection. CVE-2019-5893
– MarcomCentral FusionPro VDP Creator 9.x Directory Traversal. CVE-2019-7751
2019-Feb-28 2.86 ver. of Agora contains 3 modules. List:- SAS GRAPH Control Remote Arbitrary File Overwrite. [1day] – Blueimp’s JQuery Fileupload AFU. [CVE-2018-9206] – Adobe ColdFusion 2018. [CVE-2018-15961]

2019-Jan-27 2.85 ver. of Agora contains 4 modules. List:

– Conaito VoIP SIP Client SDK ActiveX RCE. [1day]
– Conaito VoIP Video SIP SDK ActiveX RCE. [1day]
– IceHRM Privilege Escalation. [public]
– PCViewer vt1000 Directory Traversal. [public]
2018-Dec-26 2.84 ver. of Agora contains 4 modules. List:
– AGG Software GPS Tracker Monitor Info Disclosure [1day]
– IceHRM Info Disclosure [1day]
– weonlydo ActiveX Remote Code Execution Vulnerability [1day]
– weonlydo wodSSH ActiveX Remote File Overwrite Vulnerability [1day]

2018-Nov-26 2.83 Agora:
– ServersCheck MonitoringDoS [1day] – Easewe FTP, Touch22 Software ActiveX Controls – 3 modules [1day]

2018-Oct-25 2.82 Agora:
– Navigate CMS 8.2 RCE. CVE 2018-17552, CVE 2018-17553
– Traq 3.7.1 SQL Injection. public
– Cybrotech CyBroHttpServer Directory Traversal. [1day] – Argus Surveillance DVR 4.0.0.0 devices info leak. CVE-2018-15745.

2018-Sep-26 2.81 Agora :
– Socomec UPS and low voltage monitoring software. LocalView Info Disclosure +
RemoteView PRO AFU RCE. two [1day] modules
– Solarwinds Kiwi Syslog Server Denial of Service [1day] – Dotclear 2.9.1 Shell Upload Vulnerability. [public]

2018-Aug-29 2.80 Agora contains 4 [1day] modules:
– Antamedia HotSpot WiFi management infoleak. [1day] – Antamedia Internet Cafe Denial of Service. [1day] – GrapeCity spreadcom ActiveX Control Remote Code Execution Vulnerability. [1day] – MiniWeb HTTP server Directory Traversal. [1day]

2018-Jul-30 2.79 Agora new 5 modules:

– Typesetter CMS File Upload & RCE [1day]
– App Builder info leak [1day] – Coredy CX-E120 Repeater
– RCE. [public] – PHP development server crashes. [public]
– Tiki Wiki 15.1 Unauthenticated File Upload Vulnerability. [public]

2018-Jun-25 2.78 Agora:
– Seagate Media Server in Seagate Personal Cloud has Path traversal vulnerability. public
– TerraMaster TOS 3.0.33 – Unauthenticated Remote Command Execution. public
– Typesetter CMS Arbitrary File Disclosure. [1day] – Typesetter CMS Directory Listing. [1day]

2018-May-28 2.77 Agora new modules:
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 – Remote Code Execution [CVE-2018-7600] CloudMe Sync <= v1.10.9 Remote Buffer Overflow [CVE-2018-6892] AxxonSoft Axxon Next – DirTrav [CVE-2018-7467] Wordpress Fastest Cache <= 0.8.7.4 Blind SQL Injection
2018-Apr-25 2.76 Agora:
– ManageEngine Applications Manager – Remote Command Execution
– Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 – Directory Traversal
– Softros Network Time System Server 2.3.4 – Denial of Service
2018-Mar-27 2.75 Agora:
– Trustwave Secure Web Gateway v.11.8.0.27 – Unauthorized Access [CVE-2017-18001] – Microsoft Word .RTF RCE [CVE-2017-0199] – phpCollab 2.5.1 – Unauthenticated File Upload / Remote Code Execution [CVE-2017-6090] – VideoIQ Camera – Local File Disclosure
2018-Feb-28 Agora 2.74 new modules:
– WordPress Core DoS CVE-2018-6389 + Smart Google Code plugin SQLi
– phpMyFAQ 2.9.9 RCE
– Netgear ReadyNAS Surveillance Unauth RCE
– Cisco Prime Collaboration Provisioning Auth Bypass / Remote Code Execution
2018-Jan-27 2.73 Agora:
– Apache Tomcat CVE-2017-12617
– Zoho ManageEngine Applications Manager 13 SQL Injection [CVE-2017-16543] – Unitrends UEB 9.1 – Unauthenticated Remote Code Execution [CVE-2017-12477] – Belkin NetCam F7D7601 – Remote Command Execution
Tagged under: , ,

What you can read next

Titania Nipper Studio
Titania Nipper Studio
VMware vCenter Product Overview by E-SPIN
VMware vCenter Server Product Overview by E-SPIN
Visiwave Traffic Product Overview by E-SPIN
Core Security Core Role Designer Product Overview by E-SPIN

Leave a Reply

Your email address will not be published. Required fields are marked *