Emad Shanab emadshanab

emadshanab / VMSA-2024-0012.yaml
Created October 12, 2025 00:45 — forked from tothi/VMSA-2024-0012.yaml
Nuclei template for scanning VMSA-2024-0012 (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
id: VMSA-2024-0012
info:
name: VMware vCenter Server heap-overflow (potential RCE) and privilege escalation
author: "@an0n_r0"
severity: critical
description: |
CVE-2024-37079, CVE-2024-37080: vCenter Server multiple heap-overflow vulnerabilities
CVE-2024-37081: vCenter Server local privilege escalation due to misconfiguration of sudo
impact: |
emadshanab / CVE-2024-50623.yaml
Created October 12, 2025 00:42 — forked from rxerium/CVE-2024-50623.yaml
Nuclei template to detect vulnerable instances for CVE-2024-50623
id: CVE-2024-50623
info:
name: CVE-2024-50623
author: rxerium
severity: high
description: |
Unrestricted file upload and download vulnerability in Cleo Harmony, VLTrader, and LexiCom before version 5.8.0.21, leading to remote code execution
reference:
- https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |jq -r '.vulnerabilities[].cveID' > cves.txt
subfinder -d tesla.com -silent |dnsx -silent -a -resp-only |sort -u |xargs -n1 -P 1500 -I% curl -s http://networktools.nl/whois/$url% |grep "CIDR" |cut -d : -f2 |tr , "\n"| awk '{$1=$1};1' |sort -u |egrep -v "/8|/9|/10|/11|/12|/13|/14|/15|/16" |while read ip ;do whois -h whois.cymru.com " -v $ip" ;done |grep -v "BGP Prefix" |cut -d '|' -f3 |awk '{$1=$1};1' |sort -u |cidr2ip |sort -u |nrich - |grep -B4 -f cves.txt | tee shodan.txt; slackcat --channel bugbounty --filename shodan.txt
id: suspicious-extensions-rce
info:
name: Suspicious File Extensions - Potential RCE
author: Nullenc0de
severity: medium
description: Detects files with potentially suspicious extensions that could be used for Remote Code Execution (RCE). Scan your AppData folder.
file:
- extensions:
id: sensitive-credential-files
info:
name: Sensitive Credential File Discovery
author: nullenc0de
severity: high
description: Discovers exposed files containing credentials, API keys, passwords, and other sensitive data
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
id: sensitive-credential-files
info:
name: Sensitive Credential File Discovery
author: security-researcher
severity: high
description: Discovers exposed files containing credentials, API keys, passwords, and other sensitive data
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
emadshanab / exposed-pki-infrastructure.yaml
Created October 11, 2025 06:19 — forked from nullenc0de/exposed-pki-infrastructure.yaml
Exposed Internal PKI Infrastructure Detection nuclei template
id: exposed-pki-infrastructure
info:
name: Exposed Internal PKI Infrastructure Detection
author: nullenc0de
severity: critical
description: Detects exposed internal PKI infrastructure including CRL distribution points and OCSP responders
tags: pki,exposure,misconfig
requests:
- method: GET
emadshanab / CVE-2025-53833.yaml
Created October 11, 2025 06:18 — forked from bolhasec/CVE-2025-53833.yaml
Nuclei Template for CVE-2025-53833
id: CVE-2025-53833
info:
name: LaRecipe is vulnerable to Server-Side Template Injection attacks
author: sushicomabacate
severity: critical
description: |
LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch.
reference:
- https://www.cve.org/CVERecord?id=CVE-2025-53833
emadshanab / backupfiles.yaml
Created October 11, 2025 06:17 — forked from PushkraJ99/backupfiles.yaml
Custom Nuclei Template for Backup Files
id: backupfiles
info:
name: Compressed Backup File - Detect
author: toufik-airane,dwisiswant0,ffffffff0x,pwnhxl,mastercho,PushkraJ99
severity: medium
description: Multiple compressed backup files were detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
id: aws-iam-privilege-escalation
info:
name: AWS IAM Privilege Escalation Vectors
author: nullenc0de
severity: critical
description: |
Detects AWS IAM policies, credentials, metadata, and configurations that allow privilege escalation paths.
Covers exposed credentials, overly permissive IAM policies, misconfigured metadata services, vulnerable role assumptions, and user-data scripts.
reference: